Hi there - Working on developing a tool that will be completely XHTML and JavaScript-based and will run on my customers' local machines within a web browser. My concern is thus. The install program I'm putting together will require authentication and, upon getting a proper key, will install on the user's machine / local drive. Problem is this. JavaScript cannot access the local hard drive, so I'm kind of limited as far as ways by which I can dissuade would-be pirates from copying and re-distributing the locally-stored HTML and .js files (which make up the entire tool I'm developing). I can of course obfuscate the files, but in the obfuscated form they are still functional. Does anyone here have a clue as to how I may, upon installation, implement some type of user permission settings that correlate with perhaps a unique system ID like a MAC address, etc., so the files (HTML and JS) are given unchangeable (to a point) permissions that will only allow them to be opened on the machine they were legitimately installed on? I know this is a sticky subject, especially considering that HTML, XML, JS are more or less meant to be open, but because they represent the bulk of this tool I'm developing and will ultimately (I hope) be selling to customers for a few dollars, I would like to make it as difficult as possible for large-scale unauthorized replication and redistribution to occur. Any takers?
JavaScript cannot establish any connection to any computer, except to download a new HTML page or to send mail. There is really no way to do this with HTML or JS files. However, if you make the application run by double-clicking an EXE, you can do many things. You can get their machine ID and encode all the files in relation to their machine. Then decode them when the EXE is opened. But with simply JS and HTML there's really not much you can do.
If the customers are likely to have an internet connection, you could make part of the functionality server-based, so that the JavaScript will request data from your server (this will vary based on what your application actually does). That way you can have a full list of requesting IPs in your server logs. If there's a sudden jump, and you haven't sold any extra copies, you can start requiring customers to register the IP addresses of the machines they'll be using. The ideal way would be to do something like that in a way that doesn't cause your customer extra trouble.
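
The server-log check suggested in the last reply, as an added example that is not part of the original thread: it counts distinct requesting IPs per day and flags days that exceed the number of copies sold. The Common Log Format, the `/api/` path, the sample lines and the `copiesSold` / `slack` parameters are all assumptions made for illustration.

```javascript
// Constructed sample lines in Common Log Format (not real traffic).
const SAMPLE_LOG = [
  '203.0.113.10 - - [01/Mar/2024:09:00:01 +0000] "GET /api/data HTTP/1.1" 200 512',
  '203.0.113.10 - - [01/Mar/2024:09:05:00 +0000] "GET /api/data HTTP/1.1" 200 512',
  '203.0.113.11 - - [01/Mar/2024:10:00:00 +0000] "GET /api/data HTTP/1.1" 200 512',
  '198.51.100.9 - - [01/Mar/2024:12:00:00 +0000] "GET /favicon.ico HTTP/1.1" 200 90',
  '203.0.113.10 - - [02/Mar/2024:09:00:00 +0000] "GET /api/data HTTP/1.1" 200 512',
  '203.0.113.11 - - [02/Mar/2024:09:10:00 +0000] "GET /api/data HTTP/1.1" 200 512',
  '198.51.100.5 - - [02/Mar/2024:11:00:00 +0000] "GET /api/data HTTP/1.1" 200 512',
  '198.51.100.6 - - [02/Mar/2024:11:30:00 +0000] "GET /api/data HTTP/1.1" 200 512',
  '198.51.100.7 - - [02/Mar/2024:12:00:00 +0000] "GET /api/data HTTP/1.1" 200 512',
  'garbled line that does not parse',
];

// Captures: client IP, day (dd/Mon/yyyy), method, path, status code.
const LINE_RE = /^(\S+) \S+ \S+ \[(\d{2}\/\w{3}\/\d{4}):[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})/;

// Map of day -> Set of distinct IPs that successfully hit the app's data endpoint.
function distinctIpsPerDay(lines, pathPrefix) {
  const days = new Map();
  for (const line of lines) {
    const m = LINE_RE.exec(line);
    if (!m) continue;                       // skip malformed lines
    const [, ip, day, , path, status] = m;
    if (!path.startsWith(pathPrefix) || status[0] !== '2') continue;
    if (!days.has(day)) days.set(day, new Set());
    days.get(day).add(ip);
  }
  return days;
}

// Flag days where distinct IPs exceed copies sold plus a tolerance.
// An IP is not a machine (NAT, DHCP, laptops moving between networks),
// so `slack` absorbs normal churn before a day is reported.
function flagJumps(lines, { pathPrefix, copiesSold, slack }) {
  const flagged = [];
  for (const [day, ips] of distinctIpsPerDay(lines, pathPrefix)) {
    if (ips.size > copiesSold + slack) flagged.push({ day, distinctIps: ips.size });
  }
  return flagged;
}

console.log(flagJumps(SAMPLE_LOG, { pathPrefix: '/api/', copiesSold: 2, slack: 1 }));
```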