Is it possible to hide / secure data used in webGL?

7
votes

I have learned a bit of webGL, using three.js mainly. I load .obj files and I draw them in 3D.

I have put my project online under something like : www.mydomain.com

I don't mind people looking at my source code through their browser, but the .obj files I'm showing are from someone who does not want to give them away.

I'm a total newbie concerning this.

As my source code is available to everyone I'm guessing that the .obj files are also available to everyone. So is it possible to hide or secure them so that nobody can download them ?

3
javascripthostingthree.jswebgl
No, because when you get these files to draw them they already are downloaded to the client machine...11684
Your only chance is probably obfuscation etcetera.11684

3 Answers

8
votes

I'm pretty sure you can not secure any files if you want to access and use them in Javascript / WebGL. They need to be parsed into a usable format at some point for the browser/javascript to be able to display them. You have two options:

1) Obfuscation. I don't think this is very good option, as in the end someone can always use Firebug and other tools to access somewhat useful representation of your files. You can make it a bit less easy to do by encrypting or scrambling data server-side, and reconstructing stuff in Javascript. Or just using unconventional ways to load and represent files.

You can also do some decoding / decrypting in shader code which would be one step harder to steal. But that probably applies to textures only.

2) Make the files less useful. For someone to reuse your OBJ files, they probably want to import the models to software of their choice and do something. You can not prevent that but you can strip the files of extra information that makes the files easier to work with. This will make files less desirable for any potential thieves.

I do it for completely different reasons, but my main use of WebGL involves exporting models from Sketchup to Collada, and displaying them in WebGL. My export code does some things, which as a side-effect make the exported model a pain to work with. This include making all component instances unique (de-instancing?), exploding all components and groups to plain geometry, triangulating all faces, deleting hidden geometry etc.

Would be a PITA to bring that back to Sketchup for editing without the original file... specially because the models I work with, by nature heavily depend on component and group instancing. But still, nothing prevents someone from stealing the geometry "as is".

2
votes

If someone is dowloadable to the browser then it is at the user's computer.

You can make reading files more difficult, but it will only slow down grabbing the .obj data. If someone wants to do it then he/she can eventually do it. The decryption key must be always on the client computer. So you can only slowdown the process. So the question becomes "How difficult and how complex you want to make your .obj reading code and is it worth of the effort?" Simply by adding one extra byte at the beginning of the file is probably enough to make the files not to open as is in the modelling software.

I suggest you educate your someone how internet works and simply say it is not possible or worth of trying to do it and save yourself of coming up with homebrew implementations how to make data reading more difficult.

2
votes

See the other answers but this is not unique to WebGL. ANY program in ANY language has this issue. Once the data is on the user's computer, phone, etc people can get the data. Examples:

  1. reading an iOS app's data
  2. reading a native PC app's data

On the other hand you can follow the techniques mentioned above. Use your own format. Massage the data so it's best for rendering which usually makes it bad for editing.

Also you can of course make your files require someone login to your website to read them in the first place similar to they way gmail, facebook, google docs etc require you to login. That won't prevent them from getting the files once they've signed up but. You can also setup your server so only your app can download the files. Again that won't prevent the user from getting the files once your app has downloaded them (or they've injected JavaScript through a browser extension) but it will prevent your bandwidth being stolen from other sites directly linking to your data.