Prevent XML file from being copied

[PVB99]

I spent a lot of time looking up geocodes for a google map for my site. I don't want anyone to be able to just copy all these geocodes I looked up by downloading the xml file, I want them to have to look them up if they want to copy the idea

If you look at the page html:
body onload="load(30.18,-81.525,3,'geocodes.xml')" onunload="GUnload()"

you see the file name "geocodes.xml" and type that into your browser http://yoursite .com/geocodes.xml

you will get the file. Is there something you can set in Apache to prevent that?

Thanks

[REW Fergus]

No, there isn't.

The essential problem here is that the API is Javascript, and Javascript is interpreted by the browser. Any data you want the Javascript to operate on must be accessible to the browser, and if it is, it's accessible to the browser user too.

[RESteve]

I have been fighting this issue with another business I'm running. I've heard of a few tricks, but no real way to hide the XML.

-Call backs. No sure what it is, but it did hide the code. You needed a packet sniffer to get the codes, but not everyone has those that just are looking at source.

-Framing. Low security, but something.

And that's where I get left off. It sucks - the person that figures this out is going to be a tad bit wealthy I'd think. To hide the XML, you might want to try database driven population, so that the geos are just stored in an XML somewhere - but actually pulled from a Sql DB. There is a component i use for this, and though if you look at the source code you still see the coordinates, it's a tad bit harder to copy EVERYTHING, as it's not parsed like a lovely XML, rather embedded in the page source code.

[PVB99]

Thanks for the comments. I only sorta know what I am talking about here but would an XML HTTP request to a mysql db be hidden? Does AJAX add any security?

[RichardDavies]

The only thing that changes with AJAX (i.e. XML HTTP requests) is that the browser sends the request at a different time. Instead of the request being sent when the page is loaded, it's sent after the page is loaded. Granted it may be a little less obvious to the user what is happening, but any user with a little know-how and the right tools still wouldn't have any difficulty getting the data.

You might want to reconsider if you really want to try and protect this data. The web was designed and built to be "open source"... I'm sure you've used the view source option in your browser before to look at someone else's HTML, JavaScript, or CSS code before. One of the important ideas behind the whole "Web 2.0/AJAX" movement going on right now on the web is the idea of open access to data. Trying to hide and protect your data so that it can only be used in the manner you've prescribed is the Web 1.0 mindset. Allowing open access so that others can collaborate and use your data is the Web 2.0 mindset... just something to think about.

[webmaster]

Todd, is this for your IDX solution? If so, why not run your geocoder on all properties, parse them into your mysql database (Cache them) and then call them from your database. No need to create an XML file is there?

[REW Fergus]

That would work, but the underlying problem remains. In that scenario, the geocodes would not be in an XML file, but they could be parsed from the HTML source of the map document. Every effort will come back to the inescapable fact that the technology is browser-scripting, so the browser must have access to plain-text geocodes. As long as that is true, the geocodes are there for the scraping.

[BrandonSternfield]

You could always rewrite the function, instead of taking in an XML doc, it takes in your own format, which will simply be a header, with xml inside. You'd simply take your file, skip x bytes ahead, and just read it like a normal xml. It's one way when programming non-web stuff most of us hide our info so people (usually gamers) can't edit the files (to create cheats).

As a side note, when searching for PVB99 on google, you find this thread.

[REW Fergus]

True, you could obfuscate the data somehow. I think this example might be insufficient, but if you wrote an algorithm to transpose the co-ordinates, you could create some data that would be useless to someone lifting it from the site.

Problem is that Javascript is a browser-based technology (I sound like a broken record), so anything you write in Javascript can be read by the browser user, thus rendering any attempt to obsfucate the data futile since the algorithm can easily be read and reversed.