Menacing Cloud

AJAX Kill Switch. Version 2

We have previously written quite a bit on the subject of preventing website code thievery. Our favourite solution was demonstrated in the article ‘The Ajax Kill Switch’.

Now there's a better version! Based on the original idea, but a little smarter.

The Objective

It's simple. If a client, rip-off artist or general code thief wants to steal our HTML, CSS and/or JavaScript source code, we want to be able to fight back.

The following solution provides full JavaScript execution rights on the stolen website.

Our Method

This time around a JSONP cross-domain JavaScript request (via jQuery) is combined with a bit of URI processing.

You will need a blank JavaScript file, saved to the remote location of your choice. In this demo it is, but in production the domain and filename is up to you.

Include the following function in your website's JavaScript.

function killswitch(hostname, path) { if(window.location.hostname.indexOf(hostname) === -1) { // Different hostname, load killswitch script! $.getScript('http://' + hostname + '/' + path); } }

Then call the function with the domain and filename of your remote script.

killswitch('', 'ks.js');

If the website is now located where it was not intended to be (i.e. NOT the specified domain), you can now use the aforementioned JavaScript file to modify the website as you see fit.

This is because the JavaScript kill switch remains on your server, under your control.

Should you wish to fetch the kill switch 100% of the time (ignoring the domain), you'll find the following function variation more useful.

function killswitch(hostname, path) { $.getScript('http://' + hostname + '/' + path); }

This is for the those occasions where you develop a website for a client on their own server and domain. Now, if they lock you out, you have a backup plan.

You do not have to use it! If the remote JavaScript kill switch is a blank file, nothing happens. You have to explicitly specify valid JavaScript. This kill switch has a ‘safety’.

Yes, it is assumed that you are using JavaScript. jQuery will also need to be loaded to use the killswitch function in its current form.

You do not have to use jQuery, any means of cross-domain JavaScript execution would work. jQuery just makes things easier!

How Does It Work?

We start with a bit of simple URI processing. We check the hostname.
If the hostname is not recognised, then the remote JavaScript file is fetched.
The remote script is executed on successful load. Simple!

The simpler variation of the killswitch function fetches the remote JavaScript file without a hostname check, but the result is the same.

Job Done

Not quite, it is a good idea to obfuscate, compress and generally hide the evidence! This technique is not foolproof and there are all sorts of implications (legal and ethical).

All of the above is discussed at length in the original article.

We had plenty of implementation ideas, but feel free to get creative!

A CSS Kill Switch has now also been developed by another party. This is a lot simpler to implement. Very sneaky, we like it! A combination of the two techniques could be a quite potent insurance policy.


All comments, suggestions or questions via Twitter please.

Follow the author on Twitter.

ProtoFluid. ‘Effortless responsive web design testing’.

Previous Articles

Canvas Generated Icons. Read more.

Targeting Windows 8 Snap Mode. Read more.

CSS @viewport rule or viewport meta tag? Read more.

The Responsive Viewport. Missing piece of the responsive web design puzzle? Read more.

Getting the Viewport Scale.
Read more.

Hiding the iPhone Address Bar.
Read more.

Orientation Correct Screen Width.
Read more.

iPhone Title Modification.
Read more.

Optimising for High Pixel Density Displays.
Read more.

CSS3 Media Query Prototyping With ProtoFluid.
Read more.

AJAX Kill Switch. Version 2.
Read more.

URI Processing With JavaScript.
Read more.

Source Code

All source code is provided for free.

A standard disclaimer of warranty and limitation of liability applies.