#1 What if you use Eric's example but instead of including a
static .js file you call a CGI program on the server instead.
The CGI program will conditionally send back the inline
speak. I'll leave it up to the reader to think up their own
methods of making this determination but you can try using the
HTTP_REFERER information, for example.
#2 Try client-side XMLDOM, ActiveX or almost anything that opens
up a new connection to the server and downloads data. In the
XMLDOM version a DIV tag's innerHtml property can be set to the
text from the stream; view-source will just show the empty DIV
#3 Various people have Java applets that will do this. Go find
one if you dig Java.
#4 MIME encoding comes with its own cool obsfucation, allowing
you to completely screw up an HTML stream with equivalent
characters. I won't go into the details but have previously
implemented something like this after reviewing some of HP.COM's
#5 Try using a frameset to frame the contents of the private
stuff and the latter includes a "right mouse click" handler of
your choice. The private content might be provided via CGI and
checks pedigree just like in the first example above.
#6 For IIS platforms write an ISAPI filter that checks pedigree
as in the first example, conditionally providing the
aforementioned private content rather than playing the CGI game
and returning a 404 to those disembodied requests.