I work at a company. They handle information that may or may not be sensitive. Some of the information they deem sensitive is a customer profile that is indexed by search engines. However, once at the profile, nothing can be highlighted, right-clicked, Firebug’d, Web Developer Toolbar’d (that’s a lie, more on that later).
The only thing I can assume is that some of the information on the profile is copyrighted by the customer. So they take certain precautions to ensure that you CANNOT under any circumstances get a hold of the text on that page. Anyone who knows anything about how websites and security work knows this is virtually impossible. Especially with Google Cache, or saving a page, or Web Developer Toolbar.
Let me first say that I am mildly impressed with their initial attempt at thwarting “copyright infringement”. You cannot highlight anything, so “select all” + copy + paste is out. Left and right clicking is captured (a pop-up appears only in Internet Explorer) so again, highlighting is out. Aaaaaand that’s where security ends.
If you really want the text, just do Edit > Page Source (in Firefox). There ya go. Done. Now, if you want to do other things, it’s as simple as saving the page to your computer and editing the HTML page. Remove the JAVASCRIPT security measures and everything goes away. You can click, highlight, do what you will.
Um, no. Try again
This raises a bigger question of “security” with JavaScript. Never ever ever use JavaScript for ANY kind of validation. Everything should be validated on the server side. Ok, that’s not completely true. If you want to do fancy, JavaScript-y validation that updates immediately, that’s fine. But make sure you validate it on the server side as well.
If you server-side validate, there’s a much much much greater chance that they won’t be able to bypass it. You can do things like login checking for whatever you’re doing. If their data doesn’t check out, kick them out.
Unfortunately, some web developers don’t (or don’t know they have to) do this. This leads to really really insecure websites. Or at least unnecessarily “secure” websites.
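The server-side validation and login checking described above, as an added example (not code from the site discussed or from this post's author): a handler that checks the session first and then re-validates every field, whatever the browser-side JavaScript did or didn't do. The session store, token, field names and rules are assumptions made up for illustration.

```javascript
// Constructed session store (assumption): token -> logged-in user.
const SESSIONS = new Map([["tok-alice", { user: "alice" }]]);

// Own-property check, so names like "constructor" are not mistaken for fields.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Server-side rules. These are the authority; any matching checks in the
// browser are only there to give the user faster feedback.
const RULES = {
  displayName: v => typeof v === "string" && /^[\w .'-]{1,40}$/.test(v),
  email: v => typeof v === "string" && v.length <= 254 &&
    /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v),
  age: v => Number.isInteger(v) && v >= 13 && v <= 120,
};

// Returns a list of problems; an empty list means the data checks out.
function validateProfile(body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return ["body must be an object"];
  }
  const errors = [];
  // Reject fields the form never had (e.g. someone editing the saved page).
  for (const key of Object.keys(body)) {
    if (!has(RULES, key)) errors.push(`unexpected field: ${key}`);
  }
  for (const key of Object.keys(RULES)) {
    if (!has(body, key)) errors.push(`missing field: ${key}`);
    else if (!RULES[key](body[key])) errors.push(`invalid field: ${key}`);
  }
  return errors;
}

// req is a constructed stand-in for a parsed HTTP request: { token, body }.
function handleProfileUpdate(req) {
  // Login check first: no valid session, no further processing.
  if (!SESSIONS.has(req.token)) return { status: 401, errors: ["not logged in"] };
  const errors = validateProfile(req.body);
  // Data doesn't check out: kick them out, nothing is saved.
  if (errors.length > 0) return { status: 400, errors };
  return { status: 200, errors: [] };
}

// Constructed request, as it would arrive with the page's JavaScript removed.
const tampered = { token: "tok-alice",
  body: { displayName: "<b>x</b>", email: "nope", age: "30", isAdmin: true } };
console.log(handleProfileUpdate(tampered));
```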
Follow me on Twitter: @helloandre