the wrongness of “how do i disable right-click on my web site?”


This question comes up frequently and generally the asker really means, “How can I prevent people from stealing the [content | script] from my Web site?”  And there are a few things you can do to make it more difficult.  You can add onContextMenu handlers (to prevent the default context menu from displaying).  You can obfuscate your script and have your html reference the script from a file (to make the script harder to read/understand).  You can cancel onDragStart (to prevent drag-and-drop of images to the desktop).  You can instruct the browser not to cache the data using http-equiv (to prevent clever people from simply copying the file from the cache directory). 


There are probably a few more things along these lines, but they are all in the same catagory.  None of these will ultimately prevent someone from using source or content from your site.  The reason for this is all of the above things require the client to behave correctly.  You cannot control the client.  For example, Internet Explorer always has the View Source option on the menu.  There are other products which provide tools to visually inspect the DOM. 


A site’s intellectual property is protected (in the US) by US Copyright Law.  However, there seem to be a large number of people who want their site to be viewable for free by the masses and at the same time they want to be 100 per cent sure people save or copy the data on their pages.  This is unrealistic.  If the data is coming down the wire to a computer, the user of said computer will always be able to find a way to get the data.  An analogy would be FM radio.  You can broadcast all you want, but you cannot prevent someone from recording the broadcast.  You can raise the bar with your Web site by obfuscating, disabling, not caching, etc.  You can make it more difficult; you cannot make it impossible.  The correct way to protect your data is to require authentication with the server and then encrypt the subsequent communication. 

Comments (18)

  1. jeffdav says:

    As a footnote, I would like to point to some (in my opinion) interesting documents I found while contemplating the nature of the Web.

    http://www.zeltser.com/WWW/

    http://www.w3.org/DesignIssues/Overview.html

    http://www.w3.org/Summary.html

    http://xanadu.com.au/xanadu/faq.html

  2. Jerry Pisk says:

    If you instruct the browser not to store a copy of your document in the cache (as in Cache-Control: no-store) IE will not give you the option to view source. Neither it will on an SSL page if you disable saving encrypted pages to disk (which should be the default). However other browsers, ones that actualy do allow you to see the markup (IE doesn’t have that feature, all it does is launch notepad/word/whatever with a cached copy of the document, but it doesn’t display the source itself), do not have these problems and do allow you to see the markup no matter what you do. Also debuggers (both Microsoft’s script debugger and Mozilla’s script debugger) will always allow determined people to see both the markup and all the scripts in your page.

    It would be nice though for someone to actually summarize why it’s not a good idea to disable right clicks, not just few vague paragraphs about how it’s not going to stop someone from seeing your markup/scripts/styles.

  3. jeffdav says:

    There is nothing inherently wrong with disabling right-click; it just often the wrong question to be asking. From a UI perspective I am often annoyed when right-click does not do anything– in Web pages and applications.

  4. Mike Dimmick says:

    There’s always the MikeBrowser:

    C:> telnet blogs.msdn.com 80

    <press Ctrl+]>

    Microsoft Telnet> set localecho

    Microsoft Telnet> <press Enter>

    GET /jeffdav/archive/2004/05/06/127443.aspx HTTP/1.1

    Host: blogs.msdn.com

    <server spews response>

    Of course, disabling caching massively increases the load on your server…

  5. Jerry Pisk says:

    I have yet to hear a valid reason why would you want to disable right click on a web page. There are valid reasons to provide your own context menu on some elements of the page but not to disable the default and not to provide any.

  6. jeffdav says:

    I agree. If I have installed browser extentions which are accessed through rclick, such as translator thingies, or the zoom stuff Tony [ http://blogs.msdn.com/tonyschr/archive/2004/05/05/126305.aspx ] mentions, I cannot use those on sites that disable rclick.

  7. Disabling right-clicking is a Bad Idea IMO because it breaks the concept of a Web page from a usability standpoint. It would be like creating a Windows desktop application without a Menu, or without having F1 launch the help.

    I noticed one site basically didn’t want people to save the images (it was a place where you could buy the images from your wedding), so they used a bit of client-side JavaScript so whenever you moved the mouse over the image it changed the image to something that said, "MOVE YOUR MOUSE OFF THE IMAGE TO VIEW THIS IMAGE." To me, it seems like a watermark in the preview image would be sufficient…

    The point is, if the bits are getting sent to your browser, I don’t see how someone could not somehow get the data. The only mechanism I could think of that would prevent someone from saving the bits at all would be to use a Java applet or something that would accept an encoded stream of bits and decode it and display.

    If you need to protect your IP THAT MUCH, perhaps a Web site isn’t the ideal medium to use to deliver your content…

  8. jeffdav says:

    Scott – I agree.

  9. I’m remided of a situation where a person was describing the effort they went to to stop people stealing their images. They broke the image apart into dozens of gifs and used a table to correctly reassemble them, making it difficult for anyone that had the gifs to reassemble them back to the image but it would still look fine to a web browser. (There are tools that "cut" images into pieces, but reassembly ones are not so common.)

    The look on his face when I mentioned the "print screen" key was priceless.

  10. The wrongness of "how do i disable right-click on my web site?"

  11. write in the address field of your IE:

    view-source:http://www.microsoft.com/ and you get it 🙂

  12. Peter Torr says:

    Lowest tech / cheapest "hide the source" trick:

    Have 50 newlines at the start of your HTML. Users go View -> Source and see a blank page in Notepad.

    They of course don’t notice the scrollbar leading to the hidden treasures below…

  13. jeffdav says:

    Or you can put a lot of nonsense at the top that looks like code inside a comment block.

  14. JoshS says:

    There is also Packer:

    http://dean.edwards.name/packer/

    It obfuscates JS code with the purpose of saving on the file size, and the side effect of making it completely unreadable.

    But yes, messing with expected browser functionality is pretty much always a bad idea.

  15. just plain wrong says:

    share code and be happy

  16. "http://www.kamun.com/

    "http://movie.kamun.com/

    "http://www.kamun.com/sitemap/index.htm

    "http://www.kamun.com/sitemap/movie01.htm

    "http://www.kamun.com/sitemap/movie02.htm

    "http://www.kamun.com/sitemap/movie03.htm

    "http://www.kamun.com/sitemap/movie04.htm

    "http://www.kamun.com/sitemap/movie05.htm

    "http://www.kamun.com/sitemap/movie06.htm

    "http://www.kamun.com/sitemap/movie07.htm

    "http://www.kamun.com/sitemap/movie08.htm

    "http://www.kamun.com/sitemap/movie09.htm

    "http://www.kamun.com/sitemap/movie10.htm

    "http://www.kamun.com/sitemap/movie11.htm

    "http://www.kamun.com/sitemap/movie12.htm

    "http://www.kamun.com/sitemap/movie13.htm

    "http://www.kamun.com/sitemap/movie14.htm

    "http://www.kamun.com/sitemap/movie15.htm

    "http://www.kamun.com/sitemap/movie16.htm

    "http://www.kamun.com/sitemap/movie17.htm

    "http://www.kamun.com/sitemap/movie18.htm

    "http://www.kamun.com/sitemap/movie19.htm

    "http://www.kamun.com/sitemap/movie20.htm

    "http://www.kamun.com/sitemap/movie21.htm