You must make a difference between the owner of a site, who wants to develop his/her own code, and strangers. Firebug should cater only for those, who want to develop their own code. The will do this in its original form, which is/should be easily readable, so that the developer sees what he intends to do. Once the development is complete, this code can be condensed by stand- alone programs, so that it downloads and is interpreted much faster. It is this code what I call obfuscated: no comments, machine-generated short names instead of intelligible description. The owner still has the original code for further development. It is up to the owner to let everyone see the full code, or just the obfuscated one.
Firebug should not try to make such code more legible, intelligible, otherwise it turns itself into spyware. The argument, that if someone wants to decode the obfuscated code and steal it, he can find enough other tools to do it, is no justification for implementing something into FB to do it. Also, no FB-add-on should be allowed to do it. At least none that is official or has the blessing of the FB-crew. FB has more important functions that need to be implemented or improved, like a positive activation-list (Disabled for all except:) When I am developing my own code, I want to have FB active for my site only - which may be linked to/from other sites. I have no time to test the code of others, especially, if the throw up errors. I would like to be able to restrict FB monitoring even to specified pages within my site, as this would save a lot of time by pages further down the hierarchy. On Jul 10, 12:08 am, Kara Rawson <[email protected]> wrote: > Bob Hassinger wrote: > > This famous quote comes to mind: > > > "God grant me the serenity > > to accept the things I cannot change; > > courage to change the things I can; > > and wisdom to know the difference." > > > Rako, you are chasing a hopeless result. Even if you manage to get > > Firebug to be less helpful, there will be another tool, and another, > > and another. Firebug is only one of many tools even now. You can not > > possibly plug up the holes as fast as they are developed. > > > Security through obscurity can only give an allusion of protection > > that diverts ones efforts that should go into measures that can really > > ensure protection. > > > Every end user has full and unlimited access to whatever you send to > > their computer (including everything in referenced files like external > > Javascript and CSS files), for as long as they want it. If a browser > > can understand the code then a human can. Fundamentally there is > > little difference between intentionally obfuscated code and just plain > > old poorly written code. An interested person goes through the same > > process to sort it out. In essence once you send it to them you have > > given up any possible trade secret protection and your only real > > option is copyright (or maybe patent). And still, enforcement of > > those protections is only really feasible in major situations with a > > lot of money involved. > > > By its nature Javascript is just not the tool for you when you need to > > hide your logic or coding, or provide security for your site/data. > > You have to do it so that users never have access to it in any form - > > say in host side processing for example. > > > Consider the balance for this one: On one side we are looking at > > widely beneficial capabilities many people will find very helpful. On > > the other side you want those benefits denied to them so you can have > > the illusion of restricting access to what can not really be > > protected. I think the choice there is easy - one person's illusion > > of gain, against the whole user communities's real gain. I suspect > > that is a pretty easy call. > > > On Jul 9, 2009, at 4:10 PM, Luke Maurer wrote: > > >> You must be using a pretty wimpy obfuscator if a mere code formatter > >> will undo it. If your IP is the big issue here, won't you be using > >> something that does more than get rid of whitespace? Like renaming > >> local and private variables to nonsense? That's not something that > >> Firebug *could* undo, with or without DRM-style permission bits. > > >> - Luke > > >> On Jul 9, 11:56 am, Rako <[email protected]> wrote: > > >>> I agree with you, that there is no need for Firebug to "obfuscate" JS > >>> code. > >>> What I object, is the request to implement features that would > >>> counteract the obfuscation created by the owner of the site. > >>> What I suggested, is a method, through which owners of web-sites > >>> could > >>> allow/forbid the use of FB by strangers to "debug" their code. > >>> I think FB should not try to display obfuscated code more legibly. > >>> This would tantamount to try to decifer encripted data. > >>> I have no objection to stand-alone programs to make obfuscated code > >>> more legible, but as a feature of Firebug it would be criminal. > >>> Would you like to have programs around that spy-out your passwords, > >>> decript your private emails? I would not. > >>> Please do not turn Firebug into Spyware. > > >>> On Jul 8, 6:47 pm, Rob Campbell <[email protected]> wrote: > > >>>> Rako, further obfuscation of JS code will never be a feature of > >>>> Firebug. Most minimized JS is already quite obfuscated and, if > >>>> anything, we'll produce a mechanism to display it more legibly, > >>>> either > >>>> by extension or with a feature. > > >>>> As for the Off vs [X] button, I really feel this was a bit of a > >>>> wasted > >>>> effort and a discussion that blew the issue out of proportion. Now > >>>> we've implemented this change to appease a noisy few. Most users > >>>> will > >>>> learn that the [X] button means "Close / Off" after they've used it. > >>>> It behaves similarly to how you'd expect a close button to work in > >>>> any > >>>> other area of Firefox or the OS. I, for one, will be glad to see the > >>>> "Off" label go away as soon as possible. > > >>>> On Jul 7, 3:33 pm, Rako <[email protected]> wrote: > > >>>>> I do not rant. > >>>>> I simply explain why is this extension/modification to/of the > >>>>> activation needed. > >>>>> Perhaps my reasoning offends you (are you one of the reverse- > >>>>> engineers?), but it is not going to change my reasoning. > > >>>>> On Jul 7, 12:34 pm, alfonsoml <[email protected]> wrote: > > >>>>>> On Jul 7, 8:32 am, Rako <[email protected]> wrote: > > >>>>>>> I agree with all you say, but what annoys me, are the requests > >>>>>>> for new > >>>>>>> features in FB to enable reverse engineering. > > >>>>>> Then place your rants in those threads. > >>>>>> This is already too heated, please, don't mix unrelated things. > > ummm i thought FB was suppose to do the opposite of obfuscation, like > make code easier and faster to understand and debug. btw thats a great > quote, every dev should know that by heart. M$ uses that secuirty > paradignm and look where that got em, the most widely used, abused, and > hacked piece of software known to man. Restricting access is the only > way to keep things secure. Nothing is private that is on the > web/internets. The simple fact of it being on the internet implicity > makes it public. Obfuscating code only protects you from crackers who > dont know what they are doing, and the chances of thsoe peopel crippling > your system are pretty nile. generally all IP or protected logic gets > coded as RPC services and your web app / site access these using some > type of RESTful interface via AJAX/COMET. Then your code is actually > protected by something, a firewall most likely. > > kara --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Firebug" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/firebug?hl=en -~----------~----~----~----~------~----~------~--~---
