Protecting your premium content - Javascript disabled
Client-side and server-side are sometimes referred to as front-end and back-end. The client-side of a website refers to the web browser and the server-side is where the data and source code are stored.
How Tonos works
Tonos works on the client side through a script that is inserted in the <head> section of your page's HTML. It operates on the client side because the user authentication is done through JavaScript libraries.
Issue
There is a downside to Tonos running in JavaScript: Tonos depends on JavaScript being enabled in the browser. If a user turns off JavaScript for a page, they will be able to view your premium content for free. Furthermore, Tonos can't authenticate the user because it is not able to receive the token which acts as an identifier.
HTML & CSS solution:
Every front-end “solution” can be technically bypassed but we are going to focus on making the percentage of the people who can bypass the paywall smaller. The proposed solution might not be a catch-all but most people won’t know how to get around it.
We propose a meta redirect tag inside a <noscript> tag inside the HTML <head>. Noscript fires only when JavaScript is disabled. Include this:
<noscript><meta http-equiv="refresh" content="0;url=https://blesk.cz/" /></noscript>
Place it inside the <head> of the HTML page of each premium article. If you have JavaScript disabled, the noscript will fire and the HTML will redirect you to the main page. The redirect fires so quickly that it won’t give you an opportunity to inspect the element and see what’s happening and what’s causing the redirect. This solution can be bypassed if you know what you are looking for.
Tonos Script Checker:
When the Tonos script is disabled (black-listed), we will provide you with one extra script to add to your platform; the script will remove the premium content.
How the script works: Tonos will hide this content in cases where the Tonos script is not rendered. You choose which content to remove. All the premium content should have a common flag (CSS class name, e.g. “.premium-content”). The Tonos script checker should be called after the Tonos script call attempt.
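// Hide every element that carries the premium flag; replace [className] with your class name.
document
.querySelectorAll('.[className]')
.forEach((el) => el.style.setProperty('display', 'none', 'important'));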
Downsides: Tonos cannot check which article to lock and for which client, so all premium content will be locked. Each premium article needs to have a flag.
Server-side solution:
You can still know whether certain content is locked for a specific visitor on the server side if you send a request to /init/page?url=url, sending the appId along with the url or the contentId. This however runs into another issue: the campaign events will not be taken into consideration, because they run on the client side.
To know whether a page has premium content, you need to check the pc array of objects of the JSON response. If this array has at least one object (Campaign), then that page contains premium content and is therefore locked.
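The pc check above, applied on the server so that a locked article's premium body is never sent to the browser, whether or not JavaScript is enabled. This is an added example, not Tonos code: the host, the appId query-parameter name, the article fields and the fail-closed handling of malformed responses are assumptions.

```javascript
// Added example (Node.js). BASE_URL and the parameter names are assumptions,
// not documented Tonos values.
const BASE_URL = 'https://tonos.example'; // placeholder host

// Build the /init/page request URL for one article.
function buildInitPageUrl(appId, pageUrl) {
  const u = new URL('/init/page', BASE_URL);
  u.searchParams.set('url', pageUrl);
  u.searchParams.set('appId', appId); // assumed parameter name
  return u.toString();
}

// A page is locked when `pc` holds at least one campaign object.
// A missing or malformed response is treated as locked (fail closed).
function isLocked(initResponse) {
  if (!initResponse || !Array.isArray(initResponse.pc)) return true;
  return initResponse.pc.length > 0;
}

// Escape text fields before placing them in HTML.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Decide what HTML leaves the server. When locked, only the teaser is sent,
// so there is nothing in the page source for a script-less browser to reveal.
function renderArticle(article, initResponse) {
  const body = isLocked(initResponse)
    ? '<p class="teaser">' + escapeHtml(article.teaser) + '</p>'
    : '<div class="premium-content">' + article.premiumHtml + '</div>';
  return '<article><h1>' + escapeHtml(article.title) + '</h1>' + body + '</article>';
}

// Constructed sample data (not real Tonos responses).
const article = {
  title: 'Sample article',
  teaser: 'Subscribe to read on.',
  premiumHtml: '<p>Full text</p>', // trusted HTML from your own CMS
};
const lockedResponse = { pc: [{ id: 'campaign-1' }] };
const openResponse = { pc: [] };

console.log(buildInitPageUrl('APP_ID_PLACEHOLDER', 'https://example.com/a/1'));
console.log(renderArticle(article, lockedResponse));
console.log(renderArticle(article, openResponse));
```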