Protect JavaScript Source Code

Protect JavaScript Source Code

The JavaScript source code of your application can be protected by compiling to native code and loaded by NW.js. You only have to distribute the compiled code with your app for production.

Compilation

JS source code is compiled to native code with the tool nwjc , which is provided in the SDK build.

To use it:

nwjc source.js binary.bin

The *.bin file is needed to be distributed with your application. You can name it whatever you want.

Load the Compiled JavaScript

nw.Window.get().evalNWBin(frame, 'binary.bin');

The arguments of the win.evalNWBin() method are similar with the Window.eval() method, where the first parameter is the target iframe (null for main frame), and the 2^nd parameter is the binary code file.

Load Compiled JavaScript from Remote

Compiled JavaScript can be fetched from remote (e.g. with AJAX) and executed on the fly.

var xhr = new XMLHttpRequest();
xhr.responseType = 'arraybuffer'; // make response as ArrayBuffer
xhr.open('GET', url, true);
xhr.send();
xhr.onload = () => {
  // xhr.response contains compiled JavaScript as ArrayBuffer
  nw.Window.get().evalNWBin(null, xhr.response);
}

Note

The compiled code is executed in Browser Context. You can use any Web APIs (such as DOM) and access NW.js API and Node API like other scripts running in browser context.

Known Issues

Before 0.22, the compiled code runs slower than normal JS: ~30% performance according to v8bench. Other non-compiled JS source code will not be affected. In 0.22.0-beta1, this issue has been fixed. Please check our blog post: https://nwjs.io/blog/js-src-protect-perf/

The compiled code is not cross-platform nor compatible between versions of NW.js. So you’ll need to run nwjc for each of the platforms when you package your application.