
Evil.js: A JavaScript library for thwarting hot-linkers - surreal
https://github.com/kitcambridge/evil.js
======
eli
Reminds me of a script I wrote when a site based in China cloned our entire
domain and put it up at a new URL, complete with clumsily photoshopped logos.
They left a single stray call to our ad server, though, and I was able to
"hack in" and randomly flash a "This site is stolen!" message or insert an
auto-playing Youtube clip of my choice.

~~~
Xophmeister
YouTube is blocked in China...

~~~
brianpgordon
He could link to Falun Dafa exercise videos and watch as their customers
disappear one by one...

~~~
laurent123456
That will get his ad server blocked in China, which he might not want.

~~~
tlrobinson

        window.location = "http://someone-elses-site.com/Falun_Dafa_exercise_video.mpg";

~~~
laurent123456
Trolling the GFW... that could be an interesting experiment :)
[http://gov.cn/taiwan-is-a-sovereign-state/](http://gov.cn/taiwan-is-a-
sovereign-state/)

------
adamb_
I did not realize until checking out this source that dividing by zero in JS
outputs "Infinity".

[https://github.com/kitcambridge/evil.js/blob/gh-
pages/evil.j...](https://github.com/kitcambridge/evil.js/blob/gh-
pages/evil.js#L87)

~~~
derefr
And, awfully-enough, even though Infinity is a required part of IEEE754, and
happens all the time in Javascript, _JSON doesn 't recognize it._

~~~
hrjet
IIRC, JSON is a strict subset of JS _and Python_.

~~~
riffraff
is it? "null" is not valid python, I think

~~~
mercurial
It isn't. It would be _None_. I believe parent is mistaken.

~~~
hrjet
I stand corrected; I am not that familiar with python. Though I remember
reading somewhere that JSON can be _eval_ ed in both JS and Python. Perhaps
the python bit is not true.

~~~
kibibu
JSON looks more-or-less like a Python dict, but you still wouldn't be able to
parse {"x": NaN} or {"x": Infinity}

~~~
derefr
Oddly, there's actually no language that I know of that has NaN and Infinity
constants. Many languages pretty-print those float values that way, but none
of the parsers can interpret them back in.

~~~
GeneralMayhem
...do you mean other than JavaScript? They're not actually parser-level
constants, they're just defined as globals/on the window object, but they
work.

------
jt2190
Very cute. :-)

Now that we've all had a laugh, wouldn't it make more sense to have the server
respond with a redirect to a shared copy of the script hosted somewhere that
provides bandwidth for free? (Perhaps this is a sign that the script should be
open-sourced as well.)

~~~
orthecreedence
If someone hotlinked one of my scripts, I'd update the head of the script and
use the opportunity for free marketing:

    
    
        if(!window.location.host.match(/(www\.)?myapp.com/)) window.location = 'http://www.myapp.com';
    

I bet they won't hotlink after that.

~~~
danielweber
I know someone who had, of all people, Facebook hot-linking to his stuff. He
redirected all visitors to his homepage. Then Facebook's legal department
called his home number, his wife answered and got nervous, and it all ended
there.

~~~
orthecreedence
Interesting! I personally would have loved to have a chat with Facebook's
legal team about the issue. Although I'm a bit surprised they'd actually call
him instead of either a) not hotlinking anymore (seems to be the most obvious
solution) or b) just sending a quick C&D.

I'd be surprised if they actually have a leg to stand on legally if they are
hotlinking off someone's site, especially if there's have no prior agreement
to allow them to do so.

~~~
foobarian
Sounds fishy. It would take days for any kind of legal action like this.
Doesn't FB push code like every couple of hours? A code patch would have been
many times quicker.

------
owenversteeg
What if someone hotlinks evil.js?

------
JeanSebTr
So we can check the hostname from our code and hot-link evil.js from
[http://kitcambridge.be/evil.js/evil.min.js](http://kitcambridge.be/evil.js/evil.min.js)
:)

------
matthuggins
The documentation is lacking.

~~~
kirkbackus
The non-minified source is pretty self-explanatory. It modifies a lot of the
standard javascript functions. My favorite is the document.write(element) is
modified to surround the element with <marquee> and <blink> tags and then
write that to the DOM.

~~~
Jgrubb
I like Math.pow = function() { return "pow pow pow!"; }

------
thebiglebrewski
Can we get a demo?

~~~
jamestanderson
From the github page:
[http://kitcambridge.be/evil.js/](http://kitcambridge.be/evil.js/)

~~~
thebiglebrewski
Is something supposed to happen interaction-wise when I go to that page
though?

~~~
de_dave
No, it just prevents other scripts linked from the same page from working via
sneaky, nefarious means that make it hard to debug.

~~~
thebiglebrewski
Oh! OK. cool.

------
mixedbit
As a "bonus" you will make your site unusable for suffix proxy users.

------
tlrobinson
And the logical follow up, evil.css:
[https://github.com/tlrobinson/evil.css](https://github.com/tlrobinson/evil.css)

------
dpweb
To stop leechers - couldn't you just, in your script >

    
    
        (function(){
          if(document.domain != 'mydomain.com') return;
        // my script
        })();

~~~
anvandare
Why be nice? >:)

    
    
      (function () { if (document.domain !== "mydomain.com") { while (1); }})();

------
wincent
Not to be confused with evil.js:
[http://andjs.com/code/eviljs/](http://andjs.com/code/eviljs/)

------
welder
combination and minification also prevent hot-linking

~~~
jdavis703
I've had experience where someone doesn't just hotlink a resource, but they
"clone" it, and replace our ads with their ads. Assuming evil.js works by
detecting host names, this would help prevent that.

~~~
brianpgordon
It doesn't, as a cursory glance at the source would show.

~~~
toxicFork
The server could check which page is embedding the script and then server
evil.js instead of good.js :)

~~~
Dylan16807
Better hope they don't visit the real site after the fake site!

~~~
cmelbye
Don't cache the fake version?

------
jasonkostempski
Better not minify the library with JSMin.

