I hate you! 😡 #215

Closed
jimmywarting opened this issue Mar 5, 2018 · 11 comments


jimmywarting commented Mar 5, 2018

Remove this repo/lib from github, npm and everywhere on the web
You are making the web worse, slower (up to 80%!!!) and less secure. Antivirus reports your page as insecure (#51)
😠

I have a Content-Security-Policy (CSP) on my domain and don't allow eval b/c it's evil❗️
The service I used has obfuscated the code and it's bad! Can't use their service b/c of it.


slig commented Mar 5, 2018

Install https://noscript.net/ and be happy.


Baker68 commented Mar 6, 2018

@jimmywarting You are more evil than the developer of this beautiful masterpiece.
It's not his fault, so don't ask him to remove it.
There are gazillions of things that should be removed from GitHub before even thinking of javascript-obfuscator. Just think about how many malware samples can be found on GitHub + www, with source code...

@sanex3339
Member

Have a nice day too.


jimmywarting commented Mar 6, 2018

@StoicaNicusor how can I be any more "evil" than the developer of this beautiful masterpiece junk? By expressing my hatred for this obfuscator in a country with freedom of speech? The developer that has written this tool, or everyone else who has some interest in this, has the intention of using it themselves, either for protecting their own code or embedding malicious code.
And do you know what...? Any javascript can be defused. It won't protect your code (only making it harder to read).

Obfuscating code often involves execution methods that are created from strings (often eval()).
That is a security hole if anyone were to write an XSS attack and developers were using eval() somehow. This can be secured by setting a CSP flag, but it now has to be disabled b/c of your (un)protected code. You are now lowering other developers' standards and also making the code run slower. Not to mention that the webpage is now blocked by some antivirus program. Now who is the evil guy? The guy that expresses his feelings, or the developer that writes this with the intention of using it or sharing it with others so others can use it?

Don't say it's me or "It's not his fault" cuz then you're dumber than what you think you are


slig commented Mar 6, 2018

by expressing my hatred for this obfuscator in a country with freedom of speech?

You clearly don't understand what freedom of speech means. See this for a TL;DR https://xkcd.com/1357/

This can be secured with setting a CSP flag but now have to be disabled b/c of your (un)protected code.

No, it doesn't. Simply don't host any code that uses eval on your code and you don't have to disable anything on your server.

not to mention that the webpage now is blocked by some antivirus program

False positives happen all the time. If you're not happy with that, use a proper OS that doesn't need antivirus or learn how to use the Internet without getting a virus. Better yet, if you can't do that, get an iPad.

There are paid SaaS that obfuscate JS code and they existed long before this project. Go fight them.


sanex3339 commented Mar 6, 2018

Hi, @jimmywarting. Obfuscator is just a tool, and this is the choice of any developer: obfuscate their project or not. It is not a simple tool and any person who will use it should know the price of using it (performance decrease and increased file size).

So, if you have a problem with CSP and evals that exist in some obfuscated code that you want to use as third-party in your site, you should contact the authors of these third-party libraries and let them know about your problem. Obfuscator allows disabling evals by choosing target: 'extension'.

Anyway, evals are used in a few places, mostly as a compact way to get the global object (window or global).


jimmywarting commented Mar 6, 2018

@sanex3339 that is something I can agree on. I will also take it up with the authors of my third-party library.
If I could make a small request, then it would be for target to change its default to be extension so eval won't be used. since it's eval

@slig sure I could get an iPad but what about all the rest of my visitors then?
Surely I have to write something myself from scratch. If the third party would have avoided this it would save me a lot of time


sanex3339 commented Mar 6, 2018

I won't change the default target to extension because browser is the primary target for obfuscation.
Anyway, you should know that a simple eval that is just integrated in the source code isn't dangerous.

Evals become dangerous when they execute some external code that you can't control.
In the case of javascript-obfuscator, evals are just isolated small parts of code and their primary goal is to get the global object.
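The two checks a site owner would want around the points made in this comment and in the Mar 6 reply above (a CSP that forbids eval, and a bundle that uses eval only to fetch the global object), as an added example that is not code from javascript-obfuscator or any participant; the policy string and sample bundle are constructed, and `cdn.example` is a placeholder host:

```javascript
// Added example, not code from the javascript-obfuscator project. Two checks a
// site owner can run before shipping a third-party bundle under a strict CSP:
// does the policy permit eval(), and does the bundle contain constructs that
// need it (including the global-object idiom the maintainer describes)?

// eval()/new Function() are allowed only when the governing directive carries
// 'unsafe-eval'. script-src governs; if absent, default-src applies; if both
// are absent the policy does not restrict dynamic code at all.
function cspAllowsEval(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  const governing = directives.get('script-src') || directives.get('default-src');
  if (!governing) return true;
  return governing.some(t => t.replace(/^'|'$/g, '').toLowerCase() === 'unsafe-eval');
}

// Textual scan for dynamic-code constructs that a CSP without 'unsafe-eval'
// blocks. Deliberately simple: it also flags hits inside strings or comments,
// so treat results as review prompts rather than proof.
const EVAL_PATTERNS = [
  { kind: 'eval', re: /\beval\s*\(/ },
  { kind: 'Function', re: /\bFunction\s*\(/ },        // new Function('return this')()
  { kind: 'string-timer', re: /\bset(?:Timeout|Interval)\s*\(\s*['"`]/ },
];

function findEvalSites(source) {
  const hits = [];
  source.split('\n').forEach((line, i) => {
    for (const { kind, re } of EVAL_PATTERNS) {
      if (re.test(line)) hits.push({ line: i + 1, kind, text: line.trim() });
    }
  });
  return hits;
}

// Constructed sample: the eval-based global-object lookup next to the
// CSP-safe alternative that needs no dynamic code at all.
const SAMPLE_BUNDLE = [
  "var g = Function('return this')();          // needs 'unsafe-eval'",
  "var h = eval('this');                        // needs 'unsafe-eval'",
  "var k = typeof globalThis !== 'undefined' ? globalThis : window; // fine",
].join('\n');

const STRICT_CSP = "default-src 'self'; script-src 'self' https://cdn.example";
console.log('policy allows eval:', cspAllowsEval(STRICT_CSP));
console.log('eval sites:', findEvalSites(SAMPLE_BUNDLE));
```

Running the scan over a real third-party bundle before deploying it tells you whether the `browser-no-eval` build is required for your CSP, without having to relax the policy first.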

@sanex3339
Member

But I think I should rename the Extension target to BrowserNoEval


SacDin commented Sep 15, 2020

This is a beautiful project through which developers can protect their source code and even license it commercially if needed. If you have an issue, find your solution rather than blaming artists.


rinogo commented Mar 3, 2022

@sanex3339 Are there other Issues or resources that discuss the security implications of javascript-obfuscator's use of eval()? Also, how much does browser-no-eval reduce the usefulness of the obfuscation? I'm inclined to use browser-no-eval just to be safe.
