Prevent Viewing and Caching of JS Files While Allowing Embedding

[GG-Xtreme]

I have several custom external JavaScripts embedded in my site. The problem is, my poorly coded and probably easily exploited files are viewable and downloadable by getting the location from the page source. I've tried using a simple ASP trick, but the server doesn't seem to support it, because the files just display the ASP source as well as the JavaScript. Is there another method in JavaScript/PHP/PERL/Python, or some htaccess trick? And I mean something powerful, not just a true-false cookie trick, that will allow embedded js files to run, but prevent direct viewing. I've already confirmed that the hotlink protection in the cPanel does not work on js files.

 

[chewett]

also is there another way of stopping people getting to images directly excluding hotlink protection

 

[SyncViews]

Well this should work for php files:

at the start of your main file:
$Var_0EA = 11083B;//something people are unlikly to guess without seeing the source
...

include(your other files);

now at the start of the other files have:

if ($Var_0EA != 11083B) exit ('');

so now if that var wasn't set by the 1st page your other files simply stop running as soon as they start which effectivly gives the user a blank file when they try to view it.

 

[GG-Xtreme]

Very similar to the ASP method, I'll give it a try.
Edit:
Hmm...I can't seem to get it working. Here's (basically) what I have:

mainfile.php

...
$dirlnk = 'false';
...
include("template.html");
...

script.php:

<?php

if ($dirlnk != 'false') {
	exit ('');
} else {
	include("js_file.inc");
}

?>

template.html:

...
<script language="JavaScript" src="script.php"></script>
...

js_file.inc:

alert('hello');

The script.php DOES show up as blank when viewing it directly, but the problem is, when I view mainfile.php, I don't get the alert, so I'm assuming that mainfile.php is receiving a blank from script.php. It does work if I embed the JavaScript file directly. Any suggestions?

When I view the source of the page, I get this:

<html>
<head>
<title>hello</title>
<script language="JavaScript" src="script.php"></script>
</head>
</html>

so I don't think it's a problem with mainfile.php...

Edit:
I also tried a referrer check with and without wildcards, but that didn't work either. Is there a simpler way to do this? I don't think major sites allow direct viewing of js files, and I don't want my site defaced. Is there a way I can have ASP enabled on my account, so I don't have to go through all of this?

Edit x 3: .htaccess restrictions don't seem to work either, but I guess that goes under the category of the cPanel hotlink protection. It will say 'Forbidden' only if you refresh the page, and then you can view it again.

 

[Kirtap]

I don't know how to do it. (just starting with JS)
what I do know is that the language attribute is deprecated.
should be:

<script type="text/JavaScript" src="script.php"></script>

http://www.w3.org/TR/html401/interact/scripts.html#h-18.2.1

 

[GG-Xtreme]

Typically, I would type that out, but I was so lazy that I copy-pasted from an old site. I'm done with this problem anyway. Now I have a new problem. Can you check the source of my home page and tell me why snowstorm.js isn't working (it works on all other pages of my site)?: http://mercx.exofire.net Yes snowstorm.js is in the same directory and the image/snow folder is also in the same directory and does contain the necessary images. The snowstorm.js uses the same settings for all pages of my site (default) but doesn't work on the home page. I have already tried placing the script in different sections of the head and body, but I see no difference.

 

[kajasweb]

Try renaming js_file.inc to js_file.inc.php
This may solve your issue.