Steve Grunwell

Open-source contributor, speaker, and coffee snob

Bypassing JavaScript Anti-Clipboard Measures

All Things Must Pass album cover by George HarrisonAs I write this, my new Epiphone Casino is sitting in my lap and I’m looking up George Harrison guitar tabs. Unfortunately, when you’re best known as one of the Fab Four, lawyers love to block access to your work that doesn’t bring in royalty checks for your estate. This can make finding tabs—which are often user-submitted works—for artists like The Beatles difficult to find. When looking for one song in particular, What is Life, my go-to tab site came up short.

"This tab has been removed" screen on Ultimate-Guitar.com

Come on, just lemme learn the song!

Begrudgingly, I turn to Google for “George Harrison What is Life tab”, getting a spammy list of results full of ad-filled tab sites of questionably quality (any other guitarist that’s searched out tabs this way before should know exactly what I’m talking about). I eventually found an incomplete, but close enough version of the tab that could at least help me figure out how to play along with the song.

When I went to print the tab (I’ve recently started saving tabs for songs I want to remember to PDF and keeping them in Dropbox), I get a lightbox informing me that printing is a premium feature. The “Download PDF” button triggered the same modal. Ugh.

I opened Chrome’s Web Inspector, but then decided jam time isn’t the time to waste stripping out the unnecessary markup and re-adjusting space in my text editor. The tab was already being displayed in a <pre> element, so I figured I’d just copy and paste the already-monospaced chords and lyrics into my text editor. Highlight the text, hit CMD+C and…another f’n modal? Son of a bitch!

Full of piss and vinegar, I made a solemn vow that I would break their anti-clipboard measures and publish the results; I won’t publish the site name, as a) I don’t want to send any traffic to a site that pulls crap like that and b) considering they have at least one JavaScript file that they’ve obfuscated (for the record, obfuscating your JS does nothing for your site “security”), they’d probably claim that I “hacked” their site through Web Inspector. I will say, however, that the site name rhymes with “e-dhords.dom”.

As I started digging through their site’s source, I was searching for keyCode references in their JavaScript, which is the common way to implement anti-clipboard measures. For example, take a look at this snippet from Stack Overflow:

In all my two minutes of searching the most obvious locations, I didn’t come across an elegant way to crack the safe. Fortunately, anti-clipboard measures are less like safes and more like plate glass windows, so I did what any pissed off musician would do: I threw a brick through it.

In my console, I simply typed:

You could set them to undefined, null, or the expletive of your choice; the important thing is this effectively kills jQuery on a site, preventing their annoying “don’t copy these tabs, support our crappy site instead!” modals and other anti-clipboard measures. Obviously this depends on the site using jQuery and will also break the rest of the page functionality (at least until you refresh), but it works in a pinch. You could also trigger any sort of JavaScript error you’d like and probably get the same result, but this is simple, elegant, and gives you a smug sense of satisfaction.

If you’re running a site that uses JavaScript to prevent people from copying text, saving images, etc. just remember that it doesn’t take an expert hacker to get the content. Will it prevent your average user from grabbing the content? Maybe, but all it takes is a JavaScript error or someone with a basic understanding of developer tools to circumvent your so-called “security.” Anything you send to a browser will be available for download by anyone motivated enough to do so! </rant>

With that, I’m going to go back to playing my new guitar.

Bonus: In case you don’t listen to it as often as I do (which is, like, all the time), here’s What is Life:

Previous

Making Apps Personal with Gravatar

Next

Recap: CodeMash 2015

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Be excellent to each other.