Hi there,

We have a client who is asking whether their CSS code can be "hidden" to make their layout impossible to steal.

I am 99.9999999% sure the answer is no, like HTML but I wondered in case I missed something i.e. the CSS being able to be sent by PHP or something like that, I'd want to know before replying and confirming that there's no possible way.

At the moment, the only thing I can think of suggesting to perhaps make it that tad bit harder is to use an @import statement in the HTML and then in that CSS file another @import to a dated file along with others (quoted out)...

Thanks if you can clarify this for me.

Regards,

Originally posted by DanUK
Hi there,

We have a client who is asking whether their CSS code can be "hidden" to make their layout impossible to steal.

I am 99.9999999% sure the answer is no, like HTML but I wondered in case I missed something i.e. the CSS being able to be sent by PHP or something like that, I'd want to know before replying and confirming that there's no possible way.

At the moment, the only thing I can think of suggesting to perhaps make it that tad bit harder is to use an @import statement in the HTML and then in that CSS file another @import to a dated file along with others (quoted out)...

Thanks if you can clarify this for me.

Regards,

It's possible by checking referrers in PHP. Try looking at Marko (http://www.maratz.com/blog/)'s CSS. I wouldn't recommend this, though. There are lots of web developers who can do it, and some even have had problems recently (Shaun Inman, for example) with their code (and even graphics) being stolen. However, in the event that anything is stolen, we know that the information is by law copyrighted to its original author(s). I personally feel that CSS should never be hidden, since all kinds of people need to learn about it, and we'll be acting just like those people who used tables for layout and JavaScript to hide their HTML in the past (although their methods were not necessarily full-proof). In short, it's possible but frowned upon.

Hi there.
Thanks for your reply.

This is exactly what our client is looking for and I completely appreciate what you're saying as to whether it's a good idea or not.

Would you say this is (whether morally in your view) a safe way of protecting CSS, or is it quite easy to "crack" and get the code?

I have been searching around his site, and testing it, but I see nothing as to how he's done it, what code or details. Is there something I'm missing!?

Many thanks!

Regards,

Originally posted by DanUK
Hi there.
Thanks for your reply.

This is exactly what our client is looking for and I completely appreciate what you're saying as to whether it's a good idea or not.

Would you say this is (whether morally in your view) a safe way of protecting CSS, or is it quite easy to "crack" and get the code?

I have been searching around his site, and testing it, but I see nothing as to how he's done it, what code or details. Is there something I'm missing!?

Many thanks!

Regards,

Marko, the webmaster of the site to which I linked, has probably set up a constant value at the top of each page. The CSS file which is linked to has a PHP extension and can thus test for the existance of the constant variable. If it is found, it will probably output the CSS as normal; since this is a linked element, the CSS is not available to us (although if intentional, it is possible that the browser may be able to get the CSS, since it has to translate the CSS for it to be displayed on the web page correctly). When you view the file on its own, however, the constant value will not be present, so the file will know that it is being viewed alone, at which time it displays a message instead of the CSS.

Hi Jona!
Many thanks for your response and in depth explanation, sounds brilliant in the way it works, but extremely difficult too!

My PHP is limited :wink:

I've e-mailed the guy to see if he's able to provide anything, and tried searching but yielded no results on any existing code to achieve this.

*prays* he'll respond.

Many thanks again Jona.
Take care.

No you cannot. That is why copyright exists. As for that site I quite easily saw the CSS.

The XHTML master is correct; I hadn't tested it, but I mentioned that the browser could get the CSS to be outputted because it has to be downloaded in order for it to be translated by the browser. I just checked and verified this; I can see the CSS.

Hi there.
Thanks for your replies.

Can I ask out of interest how you got to see it?

Thanks!

Regards,

I just used the WebDeveloper's Toolbar extension for Firefox; you could probably go to file -> save as... and get it, too, though.

Is there any code to do this?
Whilst I appreciate it's not 'fool proof' it'd be nice to see how it works and use it.

Originally posted by Teach
Is there any code to do this?
Whilst I appreciate it's not 'fool proof' it'd be nice to see how it works and use it.

Here's a rough idea of the PHP he's using.

Header includes file; example filename "headers.php":


<?php
if(INSIDE != 1){
die('Error: you cannot access this file.');
}
?><!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Strict//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Blog name | <?php echo $section; ?></title>
<link rel="stylesheet" href="/style.php" type="text/css">
</head>
<body>


Any page on the blog; example filename "home.php":


<?php
$section = "Home";
DEFINE ('INSIDE', 1);
include($_SERVER["DOCUMENT_ROOT"]."/headers.php");
?>
<h1>Header.</h1>
<p>Content.</p>
</body>
</html>


"style.php"


<?php
header("Content-Type: text/css");
if(INSIDE != 1){
die('/* If you want to see my CSS, please ask. */');
}
?>

/*** Your CSS here. ***/


I really wouldn't recommend this, because the more often this is done, the less CSS will be available to the new people. That isn't a good thing; it's like the attempts of archaic developers who tried to hide their JavaScript or HTML. It's pointless, because your code can be reproduced anyway, and you're just hindering people from learning more about designing with CSS instead of tables.

Hi Jona,
tried to get this going but no luck at all.

would you mind explaining what each part does so i'll be able to learn from this too?

best regards

Basically you define the same constant in each file and your included files will not work properly unless the included file gives the proper information. I haven't tested all of this, it is merely a guess. Besides, there's no need for you to know how to do it, since I trust you won't use it even if you figure it out. There are more practical (and helpful) things that can be done with PHP and CSS.

hi jona,

no i wouldn't be using it on a main site, just a personal local site that i'd love to get this working on to play around with.

I based it on the above, but nothing seemed to work!

my header.php already has the following headers:


<?php
session_start();

if (eregi("header.php",$PHP_SELF)) {
Header("Location: index.php");
die();
}

$header = 1;
?>

header html


so this became:


<?php
session_start();

if (eregi("header.php",$PHP_SELF)) {
Header("Location: index.php");
die();
}

if(INSIDE != 1){
die('Error: you cannot access this file.');
}

$header = 1;
?>

header html


for all my other files, i.e. index.php, test.php I have currently:


<?php
include('/home/me/header.php');
?>

html

<?php
include('/home/me/footer.php');
?>


which I put to:


<?php
DEFINE ('INSIDE', 1);
include('/home/me/header.php');
?>

html

<?php
include('/home/me/footer.php');
?>


my style.php:


<?php
header("Content-Type: text/css");
if(INSIDE != 1){
die('/* If you want to see my CSS, please ask. */');
}
?>

style here


and I'm including my CSS with:

<style type="text/css" media="screen, projection, print">@import url('style.php');</style>

Look ok?
thanks.

Is it online? What happens, do you always get no CSS? This is how I first thought he may do it, but the LINK tag calls the stylesheet after PHP has processed -- this method is fallible. He's probably doing it some other way if you can't get it to work. If it were an important step in my and everyone else's futures, I might search for some more free time to experiment. It doesn't seem necessary to me, though. He might be checking referrers or something.

<offtopic>Hot pink text oh my eyes have you got a new girlfriend.</offtopic>

Remember to put the session start first.

Haha, the inevitable complaint about my text color has finally appeared. Real men write in pink, I'll have you know!

Hi there.

I also couldn't get the code working either.

I'm not sure if this would work, but I thought it worthwhile asking.

Could you not just rename your css to say...style.php, and use:


<?php
if (eregi("style.php",$PHP_SELF)) {
die('You cannot load this file directly.');
}
?>

css code here.


?

Have you tested it? It looks like it would work to me, although the problem may still remain since it's an included LINK tag and the file is therefore called externally..probably depends on how the browser gets the source file of the LINK tag or something.

Just tried it, it doesn't work. :)
I tried both <link href="/images/style.php" rel="stylesheet" type="text/css"> and @import.

Originally posted by Jona
Haha, the inevitable complaint about my text color has finally appeared. Real men write in pink, I'll have you know!

hehe what about those "real" men who have to read it, thought about them? :p

Originally posted by Siddan
hehe what about those "real" men who have to read it, thought about them? :p

In the case of a real man who must read text written by another man, I suppose the only comment I can make is... "Sucks to be you!"

Nah, I'll change it...sooner or later. ;)

Any further ideas on this please Jona? I.e. why mine wouldn't have worked? I'm also just wanting to test this locally, to see how it goes!

thanks.

It would seem that since it's a LINK'ed file, referrers are being checked. Again, I don't have a lot of time to devote to this subject and haven't tested any of these theories. You may try something such as:


<?php
header("Content-Type: text/css");
if(!isset($_SERVER["HTTP_REFERER"])||empty($_SERVER["HTTP_REFERER"])){
echo "/* Whoops, you can't see my CSS, buddy! */";
} else {
echo '/* The rest
of your
CSS goes
right here. */';
}
?>

Hi Jona.
Thanks for that.

Seems to be 'half' working, in IE when I visited style.php directly, it opened Frontpage which showed the CSS.
However, in Firefox it worked correctly, if I viewed style.php directly the correct message was shown.

I had to change the ' on echo to " as it caused problems.

Thanks!

Originally posted by DanUK
Hi Jona.
Thanks for that.

Seems to be 'half' working, in IE when I visited style.php directly, it opened Frontpage which showed the CSS.
However, in Firefox it worked correctly, if I viewed style.php directly the correct message was shown.

I had to change the ' on echo to " as it caused problems.

Thanks!

That just means that by default you have setup Frontpage to open stylesheets; Firefox will open them directly as plain/text.

Oh right, thanks Jona.

I suppose that isn't a good way of doing it then.
:(

Going to post this in the PHP forum, as it's becoming more like that.
I really want to try and get this working for testing purposes!

Thanks.