Is External Javascript Source Available To Scripting Context Inside Html Page?
Solution 1:
Nope. There's no Javascript API for loading the true content of <script> tags. This is actually not an oversight, but rather a security feature: suppose I request the .json file that Gmail requests via AJAX to load your inbox by putting it in an external <script> tag. A JSON document is valid Javascript (granted, without side-effects), so it would run without error. Then, if I could inspect the content of the external script, I would be able to read your e-mail. (I'm almost certain that Gmail is more complex than that, but most sites are not.)
So, making up a few things about how Gmail works, here's how the attack would look:
<script id="inbox" type="text/javascript" src="http://mail.google.com/OMGYOURINBOX.json"></script>
<script type="text/javascript">
// Supposing a value called `externalScriptContent` existed on a script tag:
var inboxJSON = document.getElementById('inbox').externalScriptContent;
var messages = JSON.parse(inboxJSON);
for (var i in messages) {
    // Do something malicious with each e-mail message
    alert(messages[i].body);
}
</script>
If a script tag had the value externalScriptContent, I could just put whatever URL in for the src that I wanted, and then summon up the remote file's contents, effectively circumventing AJAX cross-origin restrictions. That'd be bad. We allow cross-origin requests for remote scripts because they are run and run only. They cannot be read.
Firebug has these permissions because Firefox extensions have the ability to inspect anything that the browser requests; normal pages, thankfully, do not.
However! Bear in mind that, if the script is on your domain, instead of writing it in <script src="…"></script> form, you can pull it up with an AJAX request then eval it to have access to the contents and still only request it once :)
Solution 2:
You can parse the <script> tag and re-request the js file by XMLHttpRequest; it will likely be readily served from cache and with credentials of the current page. But unless both your requesting script and the script in the tag originate from the same domain, the browser will disallow this.
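The same-origin condition Solution 2 describes, as an added example that is not part of either answer: it resolves each script src against the page URL and compares origins (scheme, host and port, not just the domain name) to tell which scripts the page could re-request and read. The example.test URLs are constructed, the function names are hypothetical, and fetch stands in for XMLHttpRequest.

```javascript
// Constructed sample input: a page URL and the src values of its <script> tags.
const PAGE = 'https://app.example.test/inbox/index.html';
const SAMPLE_SRCS = [
  'js/app.js',                              // relative path
  '/static/vendor.js',                      // root-relative path
  '//app.example.test/shared.js',           // protocol-relative, same host
  'https://cdn.example.test/lib.js',        // different host
  'http://app.example.test/legacy.js',      // same host, different scheme
  'https://app.example.test:8443/admin.js'  // same host, different port
];

// Resolve a src the way the browser does; null if it cannot be parsed.
function resolveSrc(src, pageUrl) {
  try { return new URL(src, pageUrl); } catch (e) { return null; }
}

// True only when scheme, host and port all match the page's.
// Non-http(s) URLs (data:, file:, ...) report origin "null" and are rejected.
function isSameOrigin(src, pageUrl) {
  const u = resolveSrc(src, pageUrl);
  if (!u || (u.protocol !== 'http:' && u.protocol !== 'https:')) return false;
  return u.origin === new URL(pageUrl).origin;
}

// Split scripts into those page code can read back and those it can only run.
// Default behaviour only: a cross-origin server can opt in to reads via CORS.
function classifyScripts(srcs, pageUrl) {
  const out = { readable: [], executeOnly: [] };
  for (const src of srcs) {
    const u = resolveSrc(src, pageUrl);
    const label = u ? u.href : src;
    (isSameOrigin(src, pageUrl) ? out.readable : out.executeOnly).push(label);
  }
  return out;
}

// Browser-only helper, not called here: re-request the page's own scripts
// and return their source text. Requires `document` and `fetch`.
async function readOwnScriptSources() {
  const srcs = Array.from(document.querySelectorAll('script[src]'),
                          s => s.getAttribute('src'));
  const { readable } = classifyScripts(srcs, document.location.href);
  return Promise.all(readable.map(async url =>
    ({ url, text: await (await fetch(url)).text() })));
}
```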