If you're intent on keeping your source safe, there's a couple things you could do:

1. Use another Javascript block to create a <script> tag with the proper src="..." attribute, then delete it from the DOM.

2. Obfuscate the Javascript file in question. There's plenty of free tools out there to do this--just search for Javascript obfuscators. This isn't perfectly secure--it will seriously mess up the source code for anyone viewing it, but someone with enough time on their hands and a bit of skill can reverse-engineer it easily. It might be enough to keep script kiddies away, however.

Edit: Forgot to mention, there's no way you can hide the URL of the Javascript file from anyone remotely competent. Anyone with Firebug installed on a Firefox browser will be able to pick the URL out within seconds if they know what they're looking for.

[edited by: WesleyC at 9:35 pm (utc) on June 10, 2008]

i have tried serving it with a .php extension and giving it the correct javascript headers - which presumably should work

Yes, this should work, however, you still need to use the <script> tag. How are you linking the JavaScript file (which might be written with PHP server-side, but served with a 'text/javascript' content-type header so it's a plain-old JavaScript file by the time it gets to the client) to the HTML if you don't use the <script> tag?

Just a thought... is it possible to check the referer server-side in PHP and serve something different if the user has tried to access the JS file directly? But like WesleyC suggests, anyone with Firebug (or similar) will still be able to access the JS.

<img src="!@#$" onerror="function do_something(){etc etc}" />

<body onload="function(){
get_file_via_ajax();
inject_contents_into_head();
}" />

all of these execute javascript without using a <script> tag.