>One security setting you can use is to generate an expiring alpha-numeric random key

Still not perfect. Bottom line is that the browser must get a copy of the file to use it, and if the browser can get a copy so can I -- either by pretending to be a browser, using a proxy server or at worst, using a network sniffer.

-Walden

------------
Walden H Leverich III
President
Tech Software
(516) 627-3800 x11
(208) 692-3308 eFax
WaldenL@xxxxxxxxxxxxxxx
http://www.TechSoftInc.com

Quiquid latine dictum sit altum viditur.
(Whatever is said in Latin seems profound.)

-----Original Message-----
From: Flaker, Jeff [mailto:JFlaker@xxxxxxx]
Sent: Friday, August 01, 2003 8:11 AM
To: Web Enabling the AS400 / iSeries
Subject: RE: [WEB400] Hiding HTML Source

Even if you use external .js and html (I believe that you can use external HTML much like you can use external .js--correct me if I am wrong) it stores the .js and .htm(l) in TEMP directory under the named external file. The average "User" will not know where to look or how to modify, but someone with some knowledge may be able to modify the browser settings NOT to re-download the page and .js.

One security setting you can use is to generate an expiring alpha-numeric random key (expires after each successful request or after a set time limit) of random length in the form, (time and date stamp this random key in a file)....if the key doesn't match the user or is older than specified, then your cgi should send the user away to a "NOT ALLOWED" page and disregard the request. This also prevents bookmarking, corruption of data or a user playing havoc with the url variables (If they know how to do that..)
Jeffrey Flaker
Senior Programmer/Analyst
Linens 'N Things
6 Brighton Rd
Clifton, NJ 07015
Phone: 973-249-4384
Fax: 973-249-4901
http://www.lnt.com

-----Original Message-----
From: Eric Kempter [mailto:EKempter@xxxxxxxxxxxxxxx]
Sent: Thursday, July 31, 2003 3:55 PM
To: Web Enabling the AS400 / iSeries
Subject: RE: [WEB400] Hiding HTML Source

That might work if security has been put in place to prevent a user from viewing / downloading the .js file. If you know the URL (path) to the .js you can view/download it unless security has been put in place to prevent it.

-----Original Message-----
From: Hatzenbeler, Tim [mailto:thatzenbeler@xxxxxxxxxxxxx]
Sent: Thursday, July 31, 2003 9:31 AM
To: 'Web Enabling the AS400 / iSeries'
Subject: RE: [WEB400] Hiding HTML Source

Just an untested thought...

1st off, if a person writes their own browser to capture the input stream, no hiding of code can be done...

But, within explorer, I have noticed, that if you link to an external .js (javascript file) you don't see that code... You just see the link...

Maybe you could create your html, in a JS file, using a bunch of writes, and then have your main html link to the JS...

Tim

> -----Original Message-----
> From: Shannon O'Donnell [SMTP:sodonnell@xxxxxxxxxxxxxxx]
> Sent: Thursday, July 31, 2003 9:22 AM
> To: Web Enabling the AS400 / iSeries
> Subject: [WEB400] Hiding HTML Source
>
> Hi,
>
> Just a thought that occurred to me in passing....
>
> I've seen IIS based Web Servers that send a web page with an embedded
> ActiveX object in it and this ActiveX object actually pushes the "current"
> HTML code out to the browser in such a way that there is no way for the
> user to view the HTML source.
>
> I always thought that this was kind of cool and a great way to hide HTML
> code.
>
> But I wonder, short of using ActiveX, if there is any "native" (i.e., from
> the AS/400) method of sending out HTML to the browser, but in such a way
> that it is not viewable by the end user.
>
> I know that you could write some JavaScript to prevent right-clicking and
> viewing source, but JavaScript can be disabled.
>
> Anyway...this isn't mission critical, but I was just wondering if anyone
> had any thoughts/ideas on how to achieve that effect from the AS/400.
>
> Thanks!
>
> Shannon O'Donnell
>
> _______________________________________________
> This is the Web Enabling the AS400 / iSeries (WEB400) mailing list
> To post a message email: WEB400@xxxxxxxxxxxx
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/mailman/listinfo/web400
> or email: WEB400-request@xxxxxxxxxxxx
> Before posting, please take a moment to review the archives
> at http://archive.midrange.com/web400.
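The expiring form key from Jeff Flaker's message, sketched as an added example that is not code from the thread: the in-memory dict stands in for the timestamped file he mentions, and the class name, the 300-second default and the key lengths are assumptions. As Walden's reply points out, this refuses replayed, bookmarked or stale requests but does nothing to keep the page source from the client.

```python
import secrets
import time


class FormKeyStore:
    """Issued form keys; this dict stands in for the post's timestamped file."""

    def __init__(self, max_age_seconds=300, clock=time.time):
        self.max_age = max_age_seconds  # assumed limit; the post names none
        self.clock = clock              # injectable so expiry can be tested
        self.issued = {}                # key -> (user, issued_at)

    def issue(self, user):
        """Return a random key of random length to embed in the form."""
        key = secrets.token_urlsafe(24 + secrets.randbelow(17))
        self.issued[key] = (user, self.clock())
        return key

    def check(self, user, key):
        """Return "OK" once per valid key, otherwise "NOT ALLOWED"."""
        record = self.issued.get(key)
        if record is None:
            return "NOT ALLOWED"        # never issued, or already used
        owner, issued_at = record
        if self.clock() - issued_at > self.max_age:
            del self.issued[key]        # too old: drop it and refuse
            return "NOT ALLOWED"
        if owner != user:
            return "NOT ALLOWED"        # key was issued to someone else
        del self.issued[key]            # expires after a successful request
        return "OK"


def demo():
    """Constructed walk-through with a fake clock; returns each outcome."""
    now = [1000.0]
    store = FormKeyStore(max_age_seconds=60, clock=lambda: now[0])
    key = store.issue("alice")
    results = [store.check("bob", key),     # wrong user
               store.check("alice", key),   # first valid use
               store.check("alice", key)]   # replayed or bookmarked request
    stale = store.issue("alice")
    now[0] += 61                            # let the key age past the limit
    results.append(store.check("alice", stale))
    return results


if __name__ == "__main__":
    print(demo())
```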
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].