Udostępnij za pośrednictwem


the wrongness of "how do i disable right-click on my web site?"

This question comes up frequently and generally the asker really means, “How can I prevent people from stealing the [content | script] from my Web site?” And there are a few things you can do to make it more difficult. You can add onContextMenu handlers (to prevent the default context menu from displaying). You can obfuscate your script and have your html reference the script from a file (to make the script harder to read/understand). You can cancel onDragStart (to prevent drag-and-drop of images to the desktop). You can instruct the browser not to cache the data using http-equiv (to prevent clever people from simply copying the file from the cache directory). 

There are probably a few more things along these lines, but they are all in the same catagory. None of these will ultimately prevent someone from using source or content from your site. The reason for this is all of the above things require the client to behave correctly. You cannot control the client. For example, Internet Explorer always has the View Source option on the menu. There are other products which provide tools to visually inspect the DOM. 

A site's intellectual property is protected (in the US) by US Copyright Law. However, there seem to be a large number of people who want their site to be viewable for free by the masses and at the same time they want to be 100 per cent sure people save or copy the data on their pages. This is unrealistic. If the data is coming down the wire to a computer, the user of said computer will always be able to find a way to get the data. An analogy would be FM radio. You can broadcast all you want, but you cannot prevent someone from recording the broadcast. You can raise the bar with your Web site by obfuscating, disabling, not caching, etc. You can make it more difficult; you cannot make it impossible. The correct way to protect your data is to require authentication with the server and then encrypt the subsequent communication.

Comments

  • Anonymous
    May 06, 2004
    As a footnote, I would like to point to some (in my opinion) interesting documents I found while contemplating the nature of the Web.

    http://www.zeltser.com/WWW/
    http://www.w3.org/DesignIssues/Overview.html
    http://www.w3.org/Summary.html
    http://xanadu.com.au/xanadu/faq.html

  • Anonymous
    May 06, 2004
    If you instruct the browser not to store a copy of your document in the cache (as in Cache-Control: no-store) IE will not give you the option to view source. Neither it will on an SSL page if you disable saving encrypted pages to disk (which should be the default). However other browsers, ones that actualy do allow you to see the markup (IE doesn't have that feature, all it does is launch notepad/word/whatever with a cached copy of the document, but it doesn't display the source itself), do not have these problems and do allow you to see the markup no matter what you do. Also debuggers (both Microsoft's script debugger and Mozilla's script debugger) will always allow determined people to see both the markup and all the scripts in your page.

    It would be nice though for someone to actually summarize why it's not a good idea to disable right clicks, not just few vague paragraphs about how it's not going to stop someone from seeing your markup/scripts/styles.
  • Anonymous
    May 06, 2004
    There is nothing inherently wrong with disabling right-click; it just often the wrong question to be asking. From a UI perspective I am often annoyed when right-click does not do anything-- in Web pages and applications.
  • Anonymous
    May 06, 2004
    The comment has been removed
  • Anonymous
    May 06, 2004
    I have yet to hear a valid reason why would you want to disable right click on a web page. There are valid reasons to provide your own context menu on some elements of the page but not to disable the default and not to provide any.
  • Anonymous
    May 06, 2004
    I agree. If I have installed browser extentions which are accessed through rclick, such as translator thingies, or the zoom stuff Tony [ http://blogs.msdn.com/tonyschr/archive/2004/05/05/126305.aspx ] mentions, I cannot use those on sites that disable rclick.
  • Anonymous
    May 06, 2004
    Disabling right-clicking is a Bad Idea IMO because it breaks the concept of a Web page from a usability standpoint. It would be like creating a Windows desktop application without a Menu, or without having F1 launch the help.

    I noticed one site basically didn't want people to save the images (it was a place where you could buy the images from your wedding), so they used a bit of client-side JavaScript so whenever you moved the mouse over the image it changed the image to something that said, "MOVE YOUR MOUSE OFF THE IMAGE TO VIEW THIS IMAGE." To me, it seems like a watermark in the preview image would be sufficient...

    The point is, if the bits are getting sent to your browser, I don't see how someone could not somehow get the data. The only mechanism I could think of that would prevent someone from saving the bits at all would be to use a Java applet or something that would accept an encoded stream of bits and decode it and display.

    If you need to protect your IP THAT MUCH, perhaps a Web site isn't the ideal medium to use to deliver your content...
  • Anonymous
    May 06, 2004
    Scott - I agree.
  • Anonymous
    May 06, 2004
    The comment has been removed
  • Anonymous
    May 06, 2004
    The wrongness of "how do i disable right-click on my web site?"
  • Anonymous
    May 07, 2004
    write in the address field of your IE:
    view-source:http://www.microsoft.com/ and you get it :)
  • Anonymous
    May 10, 2004
    Lowest tech / cheapest "hide the source" trick:

    Have 50 newlines at the start of your HTML. Users go View -> Source and see a blank page in Notepad.

    They of course don't notice the scrollbar leading to the hidden treasures below...
  • Anonymous
    May 10, 2004
    Or you can put a lot of nonsense at the top that looks like code inside a comment block.
  • Anonymous
    May 11, 2004
    There is also Packer:

    http://dean.edwards.name/packer/

    It obfuscates JS code with the purpose of saving on the file size, and the side effect of making it completely unreadable.

    But yes, messing with expected browser functionality is pretty much always a bad idea.
  • Anonymous
    June 22, 2004
    share code and be happy
  • Anonymous
    July 25, 2004
    "http://www.kamun.com/
    "http://movie.kamun.com/
    "http://www.kamun.com/sitemap/index.htm
    "http://www.kamun.com/sitemap/movie01.htm
    "http://www.kamun.com/sitemap/movie02.htm
    "http://www.kamun.com/sitemap/movie03.htm
    "http://www.kamun.com/sitemap/movie04.htm
    "http://www.kamun.com/sitemap/movie05.htm
    "http://www.kamun.com/sitemap/movie06.htm
    "http://www.kamun.com/sitemap/movie07.htm
    "http://www.kamun.com/sitemap/movie08.htm
    "http://www.kamun.com/sitemap/movie09.htm
    "http://www.kamun.com/sitemap/movie10.htm
    "http://www.kamun.com/sitemap/movie11.htm
    "http://www.kamun.com/sitemap/movie12.htm
    "http://www.kamun.com/sitemap/movie13.htm
    "http://www.kamun.com/sitemap/movie14.htm
    "http://www.kamun.com/sitemap/movie15.htm
    "http://www.kamun.com/sitemap/movie16.htm
    "http://www.kamun.com/sitemap/movie17.htm
    "http://www.kamun.com/sitemap/movie18.htm
    "http://www.kamun.com/sitemap/movie19.htm
    "http://www.kamun.com/sitemap/movie20.htm
    "http://www.kamun.com/sitemap/movie21.htm
  • Anonymous
    March 15, 2006
    The comment has been removed
  • Anonymous
    May 29, 2009
    PingBack from http://paidsurveyshub.info/story.php?title=jeff-s-weblog-the-wrongness-of-how-do-i-disable-right-click-on-my