Neil Turner's Blog

Blogging about technology and randomness since 2002

Protecting your HTML

HTMLProtector is a program for Windows that lets you ‘protect’ your web pages to stop people copying the content, source code or images. It goes somewhat further than the usual trick of disabling the context menu, and offers lots of options to boot. Here’s a sample page – you might want to view it in IE in Windows for full effect.


Firstly, you can have the page’s code encoded almost entirely in Javascript, which is then decoded by the browser on display. This works fine in those browsers which support Javascript and have it enabled, but otherwise you get the rather unhelpful “To display this page you need a browser with JavaScript support.” message.
You can also do the right-click thing, with an error message showing instead of the contect menu. Except in Firefox, under Tools, Options, Web Features, Advanced, you can override this – the error message is still shown but once it is dismissed the menu appears as normal.
In IE, the page is able to take a worryingly high level of control over the Windows clipboard. The Print Screen function is disabled – instead of capturing the screen you only get a small white square, even if the browser is minimised. The Copy function is also disabled globally until the page is closed, so you can’t even copy and paste in Word or another application. Firefox has no such problems, what with it being somewhat more disjointed from the operating system, although in both Firefox and IE drag-and-drop is disabled.
Printing is disabled by specifying a print stylesheet with the body tag set to ‘display:none‘. This works on all browsers that properly support CSS, although it can be defeated by disabling style sheets.
You also cannot select text, in IE nor in Firefox. However, you can do Select All (Ctrl+A) in Firefox, which then allows you to use the ‘View Partial Source’ option on the context menu which lets you view some of the decoded source code.
The status bar is ‘protected’ by ensuring that URLs of links don’t display in it, using Javascript – again, Firefox is able to defeat this.
You can even stop all Opera users from accessing your site, because they’ll be able to use the context menu even if it’s blocked. Oh the horror!
Images can be protected by splitting them into pieces or converting them into static Flash animations.
This all reminds me of a quote from dooce.com:

I actually worked for a client once who asked me to program their homepage so that when a user brought it up on a browser it would disable the printing function on their computer. They didn’t want anyone printing out their website because they were worried that someone would steal their great ideas, the great ideas that they were putting on the PUBLIC internet for THOUSANDS of people to read. I asked them if they also wanted me to include a piece of code that would break a user’s fingers, thus preventing anyone from printing or even writing down their great ideas, and they asked me if they could get in trouble for that.

Ultimately, all of these methods can be defeated using filtering, and in any case, the more protection you apply the more legitimate users you lock out or alienate. I certainly wouldn’t make regular visits to a site that limited my activity like that (and disabling my clipboard – my clipboard – while I visit your site is really not cricket), unless the site had content unavailable elsewhere or was somehow spectacular in another way, and I’m sure others would take the same view. Furthermore, this utterly ruins the semantics of web pages and shuts out significant numbers of people who browse without Javascript, either because they don’t like it, have it disabled by the sysadmins or use a browser that doesn’t support it.
If you’re that worried about people stealing your content, don’t publish it in the first place.
incidentally, one of its ‘features’ is that it blocks out search engines crawlers, which generally cannot read Javascript. I wouldn’t call this a feature personally, more of an adverse side-effect.

17 Comments

  1. Hmmm, there’s nothing worse than a website that’s covered in this sort of secure crap. Like you said, if you don’t want it to be available to copy, don’t put it up in the first place. Fair enough, I can understand certain stuff, but I mean come on, can be a bit extreme.
    Let’s just say that if someone is thinking of nicking stuff, maybe the law, and even simply your conscience should come first. Then again… ๐Ÿ˜›

  2. Excellent article Neil, but I don’t get the following paragraph:
    >You can even stop all Opera users from accessing your site, because theyโ€™ll be able to use the context menu even if itโ€™s blocked. Oh the horror!
    Also, on an unrelated note, am I right in thinking that some old versions of Netscape (possibly v4?) used to display the parsed HTML when viewing the source? So rather than seeing all the JavaScript here you would see the actual HTML which the JavaScript generated. Anyone?

  3. Heh. This entire idea reminds me of the olden days of the Internet where people would “hide” their code simply by putting lots of blank lines at the top.
    Despite its worrying amount of control the “full” version offers through IE, there’s nothing to stop me doing a screen grab from Paint Shop Pro, then – if needed – running the image through OCR software.

  4. Jon: Opera will – apparently – show the context menu on a web page even if the web page tries to disable. So the software advocates blocking Opera users from viewing the page altogether. Because, you know, all Opera users are morally-corrupt, content-stealing theives. ๐Ÿ™‚

  5. Call me mad, but the word ‘security’ is blown out of context here. Amazingly big bombad blown out of context. If you call locking out users and making sure nobody can actually do something with your content security, you’re definitely in trouble. Anyone called the hospital about these deranged people?

  6. It will never work. Somewhat useless too. Some don’t even have javascript enabled in there browsers for security reasons. Including some large companies. It’s like hook said, if you dont’ want your ideas copied, dont put it up live for millions of people to see. This is extreme and is not going to fly. A good attempt I must say

  7. Security by obscurity. In other words, none.
    ’nuff said.

  8. So this technique more or less protects a page from theft by users of Internet Explorer. So only about 1 out of every 10 internet users will be able to nick the page. Hmm.

  9. I saw this a long time ago. I was amused by it. Of all the Web sites I have visited in my time I have never seen a single Web site using this ‘protection’. It’s nice to see the company’s still in business if for nothing more than amusement.
    > am I right in thinking that some old versions of Netscape (possibly v4?) used to display the parsed HTML when viewing the source?
    Yes, I remember that.

  10. Surely it’d be possible to write a bookmarklet to get around this – something to dump the (post-decoded) DOM maybe?
    If that were the case, a simple click would immediately reveal any and all HTML decoded from the Javascript!

  11. Well the answer is ‘yes’ – it’s quite possible in both IE and Firefox with innerHTML… but just before I posted the source I suddenly wondered whether it would be some horrific DMCA-style breaking of copyright/protection?

  12. Hurray for Firefox. ๐Ÿ˜€
    Select all -> Right click -> Escape -> View Selection Source
    http://geekforhire.org/htmlnotsoprotected/ ๐Ÿ™‚

  13. I’ve just noticed that the company that brought us HTMLProtector, AntsSoft.com, also sells a software called Wise Popup.
    >Want boost your subscription levels by up to 535% or more? Yes, you can reach it by using popup windows.
    Anyone else LOL at that?

  14. also view-source:http://www.antssoft.com/htmlprotector/protected_sample.htm is a good way to start looking at the code.

  15. That does work, Andy, but it’s all so obfuscated that I can’t imagine bothering to decode it.
    How are you people right-clicking on that page after doing select all? I’m using Firefox 1.0 and I get the same “no right-clicking please” popup.

  16. You can disable the ability to block it in the JS options. Once you do so, after the “No right clicking” popup it will show the normal right click menu.

  17. Or more specifically, Tools, Options, Web Features, Advanced (next to ‘Enable Javascript’), then untick ‘Disable or Replace Context Menus’.
    Andy: That’s not as good as doing View Selection Source. VSS decodes part of the source code for you.