Page protection in HTML

[Ash!]

I am building a website and on-line catalogue for computers that I build. Does anybody know a way to protect a page so that if you right click then you cant save highlight or copy images or contents of the page ?

Thanks

 

[Jonty]

More often than not JavaScript is employed in preventing people from doing x, y or z. For example, you can get scripts which prevent a user from right clicking on a page (and hence stop them from easily saving images and such). However, these scripts are widely despised by all, and so I strongly recommend restraint from using such scripts. Moreover, they're not infallible. For example, a user can still press the 'Print Screen' button and copy the image(s) in question that way. (That said, with a bit of skill you can disable the print screen button via JavaScript).

Alterantively, you can prevent users from linking directly to your images via PHP. This is best done by the FiringSquad. They manage it by detecting who is requesting their image. If the request comes from a server other than their own, it sends them another image instead. For example, this is a picture from their site, only it is protected and so isn't displayed . . .

Finally, you could simply digitally watermark your images. That way, you can keep tabs on and pursue any rogue sites as necessary, since they cannot remove this level of digital protection.

In conclusion, though, you have to really think whether or not you need these kind of methods. You'll often find that if you give people the option of using your content so long as they contact you, they are only too happy to do so. You trust them, they'll trust you.

Kind Regards

 

[[UKLans]Khan]

Finally, you could simply digitally watermark your images.

Sounds the best idea, i really get annoyed at the "no right click" pages

Khan

 

[Jonty]

I concur, 'no right click' scripts can be extremely annoying, since the right click menus also offer a lot of other innocent features not related to protecting one's images.

Just a note of digital watermarking. It can basically take two forms. The first, a bit like steganography, hides copyright and ownership information inside the image. From simply looking at the image, you'd never know it was there. But save the image and try and edit it in any modern package and, providing the company offering the protection is well known enough, the procurer will not be able to alter the image in any way. They will be able to see the copyright information via their media software, but they won't be able to edit it whilst keeping the image intact.

The second form is similar to the above method, but also incorporates a physical watermark on the image, which is hence permentantly visible whenever it is viewed (a semi-transparent logo, for example). This offers more deterence value from taking the image than the first method, although make the watermark too obtrusive and you'll end up rattling your users.

Kind Regards

 

[Ash!]

Cheers guys. No right click on my web site it is then

 

[Shocko]

Reasons why scripts that disable right clicking are "teh gh3y":
1) Users can just view the source, to find out the URL for the image. I do this all the time, especially with broken links(Mozilla doesn't have a red-x like IE does).

2) They are fucking retarded, and i would never frequent a site that used one.

Plus, i don't think i've yet to come accross one that works with Mozilla(good thing). The main criticism of JavaScript, is that it can be mis-used like this, to interfere with the user's browsing. It's my browser, and you don't have any right to control how i view pages in it. If you don't want people to view your webpage how they want, then don't let them view it in the first place.

 

[Shocko]

Originally posted by Jonty
Alterantively, you can prevent users from linking directly to your images via PHP. This is best done by the FiringSquad. They manage it by detecting who is requesting their image. If the request comes from a server other than their own, it sends them another image instead. For example, this is a picture from their site, only it is protected and so isn't displayed . . .

I await the version of html(well, it would be xhtml now) that has a "REFER" attribute in the <img> element, which's argument is sent as the Refer header in the http request for the image

Or better yet, an option in Mozilla that would go something like:
When requesting images from a different server to that which the webpage is on, send the URL of the image, as the HTTP Refer header.

Infact, i think i might email the Mozilla team, and see if that would be a possible addition! I rock! \o/

 

[Scooba Da Bass]

I've yet to find a right click script that can't be defeated by just holding down the left mouse button on a link/image then clicking the right mouse button

 

[Jonty]

Shocko, blade07 never said you couldn't use PHP

All you have to do is this. Place your images in a secure location. Create a PHP script that generates an image data stream from an exisiting image specified in a query string (just a name, you can construct the URI later). Specify that the output should only be permitted if the refer is your own site, else a default 'get lost trying to steal my content' image can be outputted. Then simply link to this PHP file via your image tag (i.e.

). It's 10 lines of code, if that. Don't make me generate a proof of concept hehe.

Kind Regards

 

[Shocko]

Which could easily be overcome by an option such as what i came up with above

The php script would just check the Refer http header, that the client sends. Since it's set by the client, you could just set it to what you want, reguardless of what site you've actually come from. wget has an option to specify the Refer header, incase any sites were to use that level of anti-linking gh3yness

Don't believe me? Then create your php file, but have it redirect(with a Location header) to an image hosted on geocities. Ordinarily it would mess up because geocities redirects since the Referal would be the site the image was hosted on(bw in your case), however if you used
header("Referer: www.geocities.com")
at the top of your script, you would find that the image would work fine

 

[Jonty]

I still believe it's possible to disguise the location of an image and prevent people form linking to it. I shall try and prove as much tomorrow Whatever the whys and wherefores, any such solution would not prevent people from directly taking the images from their browser.

Kind Regards

 

[Shocko]

It is *currently*, however if someone was using a browser, that had a feature as described above, they'd have no problems seeing the image, linked remotely... I'll explain again, because you don't seem convinced

When you check for the location of the site the image is linked from, you're just looking at the referer, which is set in the http headers, by the client's browser. It would typically look like
Referer: http://forums.barrysworld.com/showthread.php?s=&threadid=46994
If you were to link to an image from this thread. There is no reason why the browser has to set the referal header to the actual refering site, though. To overcome anti-linking tactics, as you've described, you would simply set the referal header to the server that the image resides on. Actually, the simplest solution, would be to set the referal header to the URL of the image...

You would only want the referal header to be set "incorrectly", when requesting images(check filename) that are embedded in a webpage hosted on a different server to the one the image resides on... It would also be worth having it as a dissabable option.

Shocko: I
Jonty: 0

 

[Jonty]

Hey Shocko

Never one to be beaten, I sat down this morning and thought about this properly. I accept what you're saying about the user's ability to alter HTTP_REFERER, and I wholly agree that it is flawed in terms of the security risk. So on that point, I concede.

However, with a little divine intervention, I thought of the following method . . .What if, on our page, we sent a security key via the POST method through PHP to the page which generates the image? The image page would then receive the security code, verify it, and allow the image data stream to be sent to our page. However, if anyone else tried to link directly to the image processing page, there would be no security key sent, hence we could then send them our 'get lost trying to steal our images' image

Good? Unlike the HTTP_REFERER method, the user has no way of sending POST data, not via the URI or even via any special program. And even if they could send it, they would be none the wiser as to exactly what array variable and value to send.

teeheehee, as far as I can tell, that's about as secure a method as I think there is. The image URI is protected, the images can only be viewed on our site, and we can send a HTTP header to prevent the browser from caching the image on the client side, too. Sure, it doesn't prevent people print screening or saving target as ..., but it does what I proposed.
Shocko 1 ~ Jonty 1 hehe, call it a draw, mon ami?

 

[Shocko]

Heh, here's to those of us who spend too much time thinking about geeky matters such as these!

 

[Jonty]

LOL, touche But who knows, I might just go and sell on this security idea and retire a millionaire (emphasis on the 'might' ).