Comments on: Code downloading with AJAX http://alexander.kirk.at/2005/10/05/code-downloading-with-ajax/ Tue, 23 Feb 2010 01:32:11 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: Erik Arvidsson http://alexander.kirk.at/2005/10/05/code-downloading-with-ajax/comment-page-1/#comment-20 Erik Arvidsson Mon, 10 Oct 2005 04:54:47 +0000 http://alexander.kirk.at/?p=19#comment-20 Be careful when using XHR for downloading js code. Firefox does not cache any data when using XHR and therefore the old school method (as explained by Michael above) is usually better. Be careful when using XHR for downloading js code. Firefox does not cache any data when using XHR and therefore the old school method (as explained by Michael above) is usually better.

]]> By: David http://alexander.kirk.at/2005/10/05/code-downloading-with-ajax/comment-page-1/#comment-13 David Thu, 06 Oct 2005 19:10:45 +0000 http://alexander.kirk.at/?p=19#comment-13 That's how Dojo works, it downloads the pieces you ask for. The thing is that, once you are done deving your app, you know what pieces you want to pull in, so Dojo lets you build that into a single file for distribution. -David Dojo Foundation That's how Dojo works, it downloads the pieces you ask for. The thing is that, once you are done deving your app, you know what pieces you want to pull in, so Dojo lets you build that into a single file for distribution.

-David
Dojo Foundation

]]> By: Richard http://alexander.kirk.at/2005/10/05/code-downloading-with-ajax/comment-page-1/#comment-10 Richard Thu, 06 Oct 2005 13:23:06 +0000 http://alexander.kirk.at/?p=19#comment-10 Yes, I'm sure my technique using Blowfish could be used to give some protection to downloaded code -- but since the client-side would have to know the key to decrypt, the protection would be minimal. Script-kiddie protetion, as alluded to, at best. The other issue with using Blowfish is that the crypto-text is binary, so it would normally be base64 encoded after encyrption -- which expands the size of the download. So you might want to compress and then encrypt -- hoping to break even or maybe even save a few bits, at the cost of some extra client-side cycles. And really, the compression alone might provide just as much script-kiddie protection as the crypto -rich Yes, I'm sure my technique using Blowfish could be used to give some protection to downloaded code -- but since the client-side would have to know the key to decrypt, the protection would be minimal.  Script-kiddie protetion, as alluded to, at best.  The other issue with using Blowfish is that the crypto-text is binary, so it would normally be base64 encoded after encyrption -- which expands the size of the download.  So you might want to compress and then encrypt -- hoping to break even or maybe even save a few bits, at the cost of some extra client-side cycles.  And really, the compression alone might provide just as much script-kiddie protection as the crypto

-rich

]]> By: Michael Mahemoff http://alexander.kirk.at/2005/10/05/code-downloading-with-ajax/comment-page-1/#comment-6 Michael Mahemoff Thu, 06 Oct 2005 02:13:33 +0000 http://alexander.kirk.at/?p=19#comment-6 Hi Alex, it sounds like <a href="http://www.softwareas.com/ajax-can-improve-performance-too" rel="nofollow"> I guessed right wrt "code downloading"</a>. FYI Here's <a href="http://www.softwareas.com/ajax-can-improve-performance-too" rel="nofollow">demo</a> based on an alternative approach - changing the head. The main part is: if (self.uploadMessages) { // Already exists return; } var head = document.getElementsByTagName("head")[0]; script = document.createElement('script'); script.type = 'text/javascript'; script.src = "upload.js"; head.appendChild(script) eval() is probably better from a memory perspective, this is just an interesting alternative. Regarding encryption, Richard Schwartz started a conversation a while ago about <a href="http://smokey.rhs.com/web/blog/PowerOfTheSchwartz.nsf/d6plinks/RSCZ-6C5G54" rel="nofollow">JS decryption</a> to protect data on the host side - <a href="http://www.ajaxpatterns.org/Host-Proof_Hosting" rel="nofollow">Host-Proof Hosting</a>. Hadn't considered it from a JS perspective because - as you allude to - it's easy enough to reveal the JS. But given the lengths people go to in order to protect their scripts, it's an interesting idea. Hi Alex, it sounds like I guessed right wrt "code downloading". FYI Here's demo based on an alternative approach - changing the head. The main part is:

  if (self.uploadMessages) { // Already exists
    return;
  }
  var head = document.getElementsByTagName("head")[0];
  script = document.createElement('script');
  script.type = 'text/javascript';
  script.src = "upload.js";
  head.appendChild(script)

eval() is probably better from a memory perspective, this is just an interesting alternative.

Regarding encryption, Richard Schwartz started a conversation a while ago about JS decryption to protect data on the host side - Host-Proof Hosting. Hadn't considered it from a JS perspective because - as you allude to - it's easy enough to reveal the JS. But given the lengths people go to in order to protect their scripts, it's an interesting idea.

]]>