Is serving obfuscated code allowed?

Lets say I have completely un-obfuscated code.

console.log('Hello World!');

But then I have a node package to obfuscate it:

var _0x4990=['log'];(function(_0x587e78,_0x49902d){var _0x1f4ac9=function(_0x2f31a6){while(--_0x2f31a6){_0x587e78['push'](_0x587e78['shift']());}};_0x1f4ac9(++_0x49902d);}(_0x4990,0x1d8));var _0x1f4a=function(_0x587e78,_0x49902d){_0x587e78=_0x587e78-0x0;var _0x1f4ac9=_0x4990[_0x587e78];return _0x1f4ac9;};console[_0x1f4a('0x0')]('Hello\x20World!');

and sent it to the user via express.

res.send(obfuscater("console.log('Hello World'));

The files are completely un-obfuscated, but the code I sent to the users are. Is that allowed?

1 Like

I don’t think that would be allowed, see:


Would this be correct @tasha?

I think yes, a similar topic was made very recently where the answer was obfuscated code is not allowed. I think Tasha herself gave that answer.


it could be allowed, as long as glitch admins can see the unobstufacated code to prove you aren’t doing anything bad but you want to prevent reverse engineering as much as possible

(function(a, b) {
	var c = function(d) {
		while (--d) {
}(e, f));
var g = function(a, b) {
	a = a - 0x0;
	var c = e[a];
	return c;

I tried to replace some of the variable names just for the hell of it… What exactly does this do? I’m not familiar with -- and ++ (at least in front of variables). From what I can tell its some kind of anonymous function that’s messing with arrays.

Just to add on to this, it could also be that if some bad actor would trick a Glitch user to put, for example, a crypto miner in their project, it would likely be obfuscated. Maybe that’s another reason they listed it on the help center article, so that users would be wary of accepting obfuscated code into their project.

Obfuscated code isn’t listed in the Content Restrictions section of the Terms of Service:

Conduct Restrictions

While using our Services, you will treat other people with respect.

While using the Services, you agree that you will not:

  1. harass, abuse, threaten, or incite violence towards any individual or group, including other Users and Glitch, Inc. employees, officers, and agents;
  2. use our servers for any form of excessive automated bulk activity (e.g., spamming), or rely on any other form of unsolicited advertising or solicitation through our servers or Services;
  3. attempt to disrupt or tamper with our servers in ways that could a) harm our Website or Services or b) place undue burden on our servers;
  4. access the Services in ways that exceed your authorization;
  5. falsely impersonate any person or entity, including any of our employees or representatives, misrepresent your identity or the site’s purpose, or falsely associate yourself with Glitch, Inc.;
  6. violate the privacy of any third party, such as by posting another person’s personal information without their consent;
  7. access (or attempt to access) any service on the Services by any means other than as permitted in this Agreement or operating the Services on any computers or accounts on which you do not have permission to operate;
  8. facilitate or encourage any violations of this Agreement or interfere with the operation, appearance, security, or functionality of the Services;
  9. use the Services in any manner that is harmful to minors. Without limiting the foregoing, you will not transmit or post any content anywhere on the Services that violate child pornography laws or that otherwise violates any child sexual exploitation laws. Glitch, Inc. absolutely does not tolerate this and will report any suspected instances of child pornography, including reporting any of your User registration information to law enforcement; or
  10. engage in activity that significantly harms our Users. We will resolve disputes in favor of protecting our Users as a whole.

although if it’s in the ToS somewhere else, please someone point that out

hmmm, aren’t binaries technically a way to hide something bad. The only thing that can tell you what it does is the name. I suppose you can try to execute it and look at the help output but besides that there’s no way to tell if it’s a hidden crypto miner besides disassmebling it

it is dynamically generated so technically it doesn’t “contain” it.

Just gonna leave this here.