JavaScript is not security

Recently I attended my grandmother's 85th birthday party. The family made the decision to have a professional photographer come to the event and take some pictures of the family. The interesting part came when the photographer put the pictures online for us to view so we could decide which pictures we wanted to purchase. The site was perhaps the most irritating photo gallery I've ever seen. It loaded thumbnails of the images on the page, and then as soon as you moused over the image, it replaced the image with a blank image. You could click on the now blank thumbnail and have it load a full-sized version of the image. The full-sized image also used this irritating mouseover trick. Presumably this was to prevent people from right-clicking on the image and choosing Save Image As…

Anyone who is web savvy will realize this is of course not secure at all. In order to display the image on my machine, the image has to be sent to my machine, which in most cases means there is a URL pointing directly to the image. So of course a quick browse of the source code revealed the direct link to each of the images. It would have been trivial at that point for me to download any of the images I wanted.

Here are some lessons to be learned:

1. JavaScript is not security. Preventing right-clicking on something does not protect that resource. It will prevent the technologically challenged from grabbing your content, but it will also probably confuse and irritate those same users far more than intended.
2. Web developers need to fully appreciate the difference between server-side code and client-side code. You as the developer have absolutely no control over the client-side code. You create it and send it to the client, but you cannot be sure that anything coming back from the client is what you originally sent them. This is a huge source of site vulnerabilities.
3. Irritating your users is probably not the best practice. When someone mouses over an image and it simply disappears, most users will think it means your site is buggy, and therefore not to be trusted. It’s doubtful that most neophyte users would realize this is a flawed attempt at a security measure.

What could the site have done to achieve the same end but at the same time be far less obtrusive? The easiest solution that comes to mind would be watermarking the image. That way, the photographs have much better protection. It’s very unlikely that people will add watermarked images to their photo album. At that point they will actually purchase the image as desired.
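To make lesson 2 and the watermarking suggestion concrete, here is an added example (not code from the photographer's site) of moving the decision to the server: the full-resolution file is selected only when the request carries a purchase token the server itself signed, and everything else gets the watermarked copy. The directory names, token format, key, and function names are all assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed demo key; a real deployment would load it from server-side secret storage.
const SERVER_KEY = Buffer.from('constructed-demo-key-not-for-production');

// Issued by the server after payment. Binds one customer to one photo.
// Assumes IDs never contain ':' (hypothetical format: customer:photo:mac).
function issueToken(customerId, photoId, key = SERVER_KEY) {
  const payload = `${customerId}:${photoId}`;
  const mac = crypto.createHmac('sha256', key).update(payload).digest('hex');
  return `${payload}:${mac}`;
}

// Recompute the MAC on the server; never trust what the client sends back.
function verifyToken(token, photoId, key = SERVER_KEY) {
  if (typeof token !== 'string') return false;
  const parts = token.split(':');
  if (parts.length !== 3) return false;
  const [customerId, tokenPhotoId, mac] = parts;
  if (tokenPhotoId !== photoId) return false; // token is for a different photo
  const expected = crypto.createHmac('sha256', key)
    .update(`${customerId}:${tokenPhotoId}`).digest();
  const given = Buffer.from(mac, 'hex');
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Decide which file to serve. Only photoId and token are read; any other
// client-supplied claim (for example a "purchased=true" parameter) is ignored.
function selectFile(query) {
  const photoId = String(query.photoId || '');
  if (!/^[a-z0-9-]+$/.test(photoId)) return null; // reject anything that is not a plain ID
  if (verifyToken(query.token, photoId)) return `originals/${photoId}.jpg`;
  return `watermarked/${photoId}.jpg`;
}
```

With this arrangement the gallery page can link to images normally, because the only URL an unpaid visitor can reach returns the watermarked file.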
