For scripts, i know there is something like JScompress to make the scripts smaller and unreadable. but how do i do it with Playcanvas? I use Chrome inspect panel to read the downloads, and the scripts are quite readable. Do i have to download the build and compress it myself?
For models, i use Chrome to read the downloads and find out the 3d models are readable JSON, which mean it’s very easy to convert it to any 3d format. Is there any way to make it more secure? How does sketchfab do it?
Also, is it possible to protect the textures instead of sending it as native image files?
Sketchfab uses OSGJS as its rendering engine. Presumably, the models are in the file format of the engine. It’s not encrypted and I doubt there’s any obfuscation. The nature of the web today is that there is no DRM that can be applied to any web content. There’s always a mechanism to access the downloaded data somehow.
I’ve been using https://obfuscator.io/ for a web page which really mangles the code and trips breakpoints if someone tries to look in devtools. Haven’t tried it with PlayCanvas code yet though so I have no idea if it works or impacts performance.
Okay. Here is my conclusion after some more experiment.
The latest web browsers (chrome/firefox) seems avoiding NinjaRipper ripping the models. i can only get some useless fragments. But with an older firefox, i can rip the models through Ninja Ripper.It works perfectly with PlayCanvas, but for sketchfab, it can only get a messed up model. So I guess they have added some obfuscation,their model probably only works with correct shader.
I just tried obfuscator.io on my own project and it works quite well. It’s a simple project at the moment so I haven’t noticed any performance impact. It’s possible that might change as the project grows, but so far so good.
I dunno. I’m no expert, but just today I wanted to make a simple modification to a script without doing the full publish. It was simply a matter of removing two // marks to un-remark a line … or so I thought.
Turns out that the remark was removed by the concatenation process. So, no big deal. I’ll just type it in manually. But hold on. The existing script seems to be breaking the rules about using a semicolon at the end of some lines. Hmmm… So I insert my line anyway and it broke a completely unrelated part of the app. So I just went ahead and made the simple change in editor and re-published and then went and looked to see what the change looked like in the final __game-scripts.js. That’s when I noticed that event.event.preventDefault was now t.event.preventDefault.
So the concatenation is also doing more than simply running all the lines together. Of course this doesn’t make it highly secure or even very secure. But it does mean somebody has to go to a fair bit of trouble to get your code and make it work.
It minifies and renames variables. That option is available whether you publish or download a build. We recently added the option to also generate source maps so you can debug a minified build more easily.