In the past, I had to site lock my swf files so people couldn't easily pirate any games I hosted on my website. Are there any glaring security issues that can occur with HTML5? I just want to know what kinds of measures I will need to take to ensure people can't just outright steal my content.
Is HTML5 secure once it goes live?
Welcome to our brand new Clickteam Community Hub! We hope you will enjoy using the new features, which we will be further expanding in the coming months.
A few features including Passport are unavailable initially whilst we monitor stability of the new platform, we hope to bring these online very soon. Small issues will crop up following the import from our old system, including some message formatting, translation accuracy and other things.
Thank you for your patience whilst we've worked on this and we look forward to more exciting community developments soon!
Clickteam.
A few features including Passport are unavailable initially whilst we monitor stability of the new platform, we hope to bring these online very soon. Small issues will crop up following the import from our old system, including some message formatting, translation accuracy and other things.
Thank you for your patience whilst we've worked on this and we look forward to more exciting community developments soon!
Clickteam.
-
Is there an official response from Clickteam on this? I'd be also interested to know if HTML5 games can be decompiled once published or not.
-
faber I think mobichan's question is different from yours. I'm not a Html5 specialist so I can't answer his question (can you site lock html5 apps) but about your question, if you are talking about that decompiler, it's not adapted to HTML5 applications but it could be probably adapted. In the build 284 we started introducing incompatibilities between the CCN format and the MFA format though and we'll continue doing it in future builds. It's certainly still possible but less easy.
-
About sitelocking HTML5 games, the HTML5 object has expressions returning the current URL and host.
-
Thank you Yves, it's clear.
-
Thanks for the feedback. I was just curious if the files I upload are easily downloaded by anyone once on my webhost's server? Or if you can assume that anything on the webhost's server is basically locked? Withe a swf, since it is embedded in a page, you can just right click it or save the web address directly. But since the html5 app is a series of files run by a javascript file, I didn't know if it was possible to get the whole thing. I realize a hacker could probably do anything, but I am hoping it is limited to serious hackers (who probably don't care about my games).
-
I would think that if someone was really determined to "steal" your creation, they could download (copy) the files required for the HTML5 app using web debugging tools and by watching GET requests.
That said, if hackers got their mucky fingers on your work, they would only be able to redistribute it (except for assets) but not modify the game/app itself. Thankfully, the Runtime.js file (the heart of the creation) is heavily obscured and unreadable (when exported as a final project) and definitely cannot be reversed into a MFA again.
Olivier's suggestion is great for locking it so it only runs on a URL. The exporter also creates a index.html file in both js/ and resources/ that prevents a nosy bugger from listing the directory (which would make it super easy to download files one by one) -- If you want to be more difficult, change these default directories.
To prevent direct access to the files, take a look into creating a .htaccess file for your web server. I found these articles but haven't tried them myself:
Please login to see this link.
For Apache: Please login to see this link. -
I will chime in with some info;
First thing, if a resource is accessible on the internet through a browser, it can be downloaded, modified, and reuploaded, by whoever can access it, with readily available tools, most of them built into nearly every desktop web browser. If a resource gets used by a client, you can be sure it can be saved, and reproduced.
More specifically, the HTML5 Runtime is written pretty much solely using web technology that is served 100% to the client when in use, this includes the runtime code, your apps specific fusion bytecode, and all its sounds/graphics. All of this is loaded up front, or on demand by the runtime.
Unfortunately, its pretty much 100% impossible to stop anyone from copying and using a public internet resource, but we do take heavy steps to deter the behavior, and make it very difficult to do so in the HTML5 Runtime, and I will not say its not impossible, but its a bit above non-trivial to de-obfuscate the runtime.js code and understand it after its been 'compiled', however, the real challenging task would be going through and reverse engineering an apps fusion formatted bytecode by hand, since its not laid out in a datastructure, but read byte-by-byte in the html5 runtime. For the most part, the code behind your apps is fairly difficult to get from HTML5 apps, therefore 'safer' in a sense, but the graphics / sounds / runtime code are all readily available.
Again, all that said, you must not trust that anything that anyone can access publicly from the internet cannot, or will not, be stolen, copied, and / or redistributed, its just part of the nature of the WWW.
Participate now!
Don’t have an account yet? Register yourself now and be a part of our community!
