Hi Alex, it sounds like I guessed right wrt "code downloading". FYI, here's a demo based on an alternative approach – changing the head. The main part is:

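if (self.uploadMessages) { // Already exists
  return;
}
// Append a new script element to <head>; the browser then fetches and runs upload.js
var head = document.getElementsByTagName("head")[0];
var script = document.createElement('script'); // declared with var so it does not leak as a global
script.type = 'text/javascript';
script.src = "upload.js";
head.appendChild(script);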

eval() is probably better from a memory perspective, this is just an interesting alternative.

Regarding encryption, Richard Schwartz started a conversation a while ago about JS decryption to protect data on the host side – Host-Proof Hosting. Hadn’t considered it from a JS perspective because – as you allude to – it’s easy enough to reveal the JS. But given the lengths people go to in order to protect their scripts, it’s an interesting idea.
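
The head-append loading described in the comment above, as an added example that is not part of the original comment: a loader that skips a script already requested and refuses sources outside an origin allowlist, since a dynamically set script.src is a code-execution sink. The names loadScriptOnce, ALLOWED_ORIGINS and makeFakeDocument, the example.com origin and the optional integrity parameter are assumptions made for illustration.

```javascript
// Hypothetical allowlist; the origin is a constructed sample value.
var ALLOWED_ORIGINS = ['https://app.example.com'];

// Append <script src=...> to <head> once, only for allowlisted HTTPS origins.
// doc is passed in so the function also runs against a stub outside a browser.
function loadScriptOnce(doc, src, baseUrl, integrity) {
  var url = new URL(src, baseUrl); // resolves relative paths such as "upload.js"
  if (url.protocol !== 'https:' || ALLOWED_ORIGINS.indexOf(url.origin) === -1) {
    throw new Error('refusing to load script from ' + url.origin);
  }
  var head = doc.getElementsByTagName('head')[0];
  var existing = head.getElementsByTagName('script');
  for (var i = 0; i < existing.length; i++) {
    if (existing[i].src === url.href) {
      return existing[i]; // already requested: do not load twice
    }
  }
  var script = doc.createElement('script');
  script.src = url.href;
  if (integrity) {
    // Subresource Integrity: the browser rejects a file whose hash differs.
    script.integrity = integrity;
    script.crossOrigin = 'anonymous';
  }
  head.appendChild(script);
  return script;
}

// Constructed stand-in for the DOM so the example runs offline.
function makeFakeDocument() {
  var scripts = [];
  var head = {
    getElementsByTagName: function (t) { return t === 'script' ? scripts : []; },
    appendChild: function (el) { scripts.push(el); return el; }
  };
  return {
    getElementsByTagName: function (t) { return t === 'head' ? [head] : []; },
    createElement: function (t) { return { tagName: t }; }
  };
}

var demoDoc = makeFakeDocument();
var first = loadScriptOnce(demoDoc, 'upload.js', 'https://app.example.com/page/');
var second = loadScriptOnce(demoDoc, 'upload.js', 'https://app.example.com/page/');
console.log(first === second, first.src);
```

In a browser, pass document and location.href as the first and third arguments.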