Low-Hanging Fruit: Obfuscating values in JavaScript

I'm making an in-browser game of the type "guess what place/monument/etc. is in this satellite/aerial view", using Google Maps JS API v3. I can't just take a screenshot, as this seems to be specifically forbidden by Permission Guidelines for Google Maps.

However, I need to protect against cheaters - you have to pass a google.maps.LatLng and a zoom level to the map constructor, which means a cheating user only needs to view source to get to this data:

<script type="text/javascript"
  src="http://maps.google.com/maps/api/js?sensor=false"></script> 
<script type="text/javascript"> 
  function initialize() {
    var myOptions = {
      center: new google.maps.LatLng(55, 145), /* this */
      zoom: 10, /* and possibly this */
      mapTypeId: google.maps.MapTypeId.SATELLITE,
    }
    var map = new google.maps.Map(document.getElementById("map_canvas"),
                                    myOptions);
  }
</script> 

I am already unsetting every value I possibly can without breaking the map (such as center and the manipulation functions like setZoom()), and initializing the map in an anonymous function (so the object is not visible in global namespace).

Now, this is of course in-browser, client-side, untrusted JavaScript; I've read much of the obfuscation tag and I'm not trying to make the script bullet-proof (it's just a game, after all). I only need to make the obfuscation reasonably hard against the 1337 Java5kryp7 haxz0rz - "kid sister encryption", as Bruce Schneier puts it. Anything harder than base64 encoding would deter most cheaters by eliminating the lowest-hanging fruit - if the cheater is smart and determined enough to use a JS debugger, he can bypass anything I can do (as I need to pass the value to Google Maps API in plaintext), but that's unlikely to happen on a mass scale (there will also be other, not-code-related ways to prevent cheating).

I've tried various minimizers and obfuscators, but those will mostly deal with code (which in this case is not the "secret"), the values of variables are still shown verbatim.

At @Pointy's suggestion, I checked the HTTP requests closely, and one of them does send the lat/lon in the URL; although that's disappointing, this request happens between many other requests, so it won't be noticed right away. Fortunately, the goal is only to make it harder to find the l开发者_Python百科at/lon, not bulletproof.

TL;DR: I need to obfuscate three values in JavaScript. I'm not looking for bullet-proof armor, just a sneeze-guard. What should I use?

It will be best to obfuscate your entire code base, instead of just minification. That way, it would be extremely difficult for the user to know which variable to look for the lat/long values.

The Dojo Toolkit can be used with the Closure Compiler in Advanced mode for complete obfuscation. If you use a JavaScript library but also need to obfuscate your whole code to protect your IP, you should consider Dojo.

http://dojo-toolkit.33424.n3.nabble.com/file/n2636749/Using_the_Dojo_Toolkit_with_the_Closure_Compiler.pdf?by-user=t

dont waste your time with the obsfucation. compress the code (yuic, closure) and done with it. as you said, the code runs @client side, no point in obsfucating anything.

eg, something like this:

for (var secret = 0; secret < 10; secret++) {
   alert(secret);
}

gets 'closured' into this:

for(var a=0;a<10;a++)alert(a);

you can play around with closure online

if you want to explicitly 'hide' data segments: compress / 'crypt' them in some form, JavaScript implementation of Gzip might help with that.