Is an external JavaScript source available to the script context inside the HTML page?

When an external JavaScript file is referenced,

<script type="text/javascript" src="js/jquery-1.4.4.min.js"></script>

is the JavaScript source (lines of code before interpretation) available from the DOM or window context in the current HTML page? I mean by using only standard JavaScript without any installed components or tools.

I know tools like Firebug trace into external source but it's installed on the platform and likely has special ability outside the context of the browser sandbox.

asked Jan 8, 2011 at 23:01

2 Answers

Nope. There's no JavaScript API for loading the true content of <script> tags. This is actually not an oversight, but rather a security feature: suppose I request the .json file that Gmail requests via AJAX to load your inbox by putting it in an external <script> tag. A JSON document is valid JavaScript (granted, without side-effects), so it would run without error. Then, if I could inspect the content of the external script, I would be able to read your e-mail. (I'm almost certain that Gmail is more complex than that, but most sites are not.)

So, making up a few things about how Gmail works, here's how the attack would look:

<script id="inbox" type="text/javascript" src="http://mail.google.com/OMGYOURINBOX.json"></script>

<script type="text/javascript">
// Supposing a value called `externalScriptContent` existed on a script tag:
var inboxJSON = document.getElementById('inbox').externalScriptContent;
var messages = JSON.parse(inboxJSON);
for(var i in messages) {
  // Do something malicious with each e-mail message
  alert(messages[i].body);
}
</script>

If a script tag had the value externalScriptContent, I could just put whatever URL in for the src that I wanted, and then summon up the remote file's contents, effectively circumventing AJAX cross-origin restrictions. That'd be bad. We allow cross-origin requests for remote scripts because they are run and run only. They cannot be read.

Firebug has these permissions because Firefox extensions have the ability to inspect anything that the browser requests; normal pages, thankfully, do not.

However! Bear in mind that, if the script is on your domain, instead of writing it in <script src="…"></script> form, you can pull it up with an AJAX request then eval it to have access to the contents and still only request it once :)

answered Jan 9, 2011 at 03:01

If you can request the .json script that Gmail publishes then you have read my email regardless of whether the source is available for inspection, is that not right? Authentication is the mechanism that prevents this situation. Likely I'm not understanding the theoretical situation proposed. - John K

@John K: AJAX requests are subject to cross-origin permission requirements, but calls to external script files via <script src="…"></script> are not. If I were able to inspect the content of an external script summoned via <script src="…"></script>, then I could just put whatever I wanted as the src, read it, and effectively circumvent those cross-origin restrictions. The reason that <script src="…"></script> is not subject to those requirements is that the file runs and only runs; it cannot be read. I just caught my misleading phrasing in my answer, though, so edited :) - Matchu

Thanks for the clarification. - John K

@John: Added an important note to the end :) - Matchu

You can parse the <script> tag and re-request the js file by XMLHttpRequest, it will likely be readily served from cache and with credentials of the current page. But unless both your requesting script and the script in the tag originate from the same domain, the browser will disallow this.

answered Jan 9, 2011 at 03:01
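The same-origin re-request that both answers describe, as an added example that is not part of the original thread: it resolves each script's `src` against the page URL, compares origins (scheme, host and port), and re-fetches only the files the page is allowed to read. The function names `planScriptReads` and `readOwnScriptSources` and the `example.test` URLs are hypothetical.

```javascript
// Added example, not code from the thread. All names and URLs are hypothetical.
// Same origin means the scheme, host and port all match the page's.
function planScriptReads(pageUrl, scripts) {
  const pageOrigin = new URL(pageUrl).origin;
  return scripts.map(({ src, text }) => {
    if (!src) {
      // Inline script: its source is already in the DOM as text content.
      return { kind: "inline", url: null, readable: true, text: text || "" };
    }
    let url;
    try {
      url = new URL(src, pageUrl); // resolves relative values such as "js/app.js"
    } catch (e) {
      return { kind: "invalid", url: null, readable: false };
    }
    const sameOrigin = url.origin === pageOrigin;
    return {
      kind: sameOrigin ? "same-origin" : "cross-origin",
      url: url.href,
      // A cross-origin file runs but cannot be read back,
      // unless its server opts in through CORS headers.
      readable: sameOrigin,
    };
  });
}

// Browser-side use: re-request only what the same-origin policy lets the page read.
async function readOwnScriptSources(doc, pageUrl, fetchImpl = fetch) {
  const scripts = Array.from(doc.scripts, (s) => ({
    src: s.getAttribute("src"),
    text: s.textContent,
  }));
  const out = [];
  for (const item of planScriptReads(pageUrl, scripts)) {
    if (item.kind === "same-origin") {
      const res = await fetchImpl(item.url, { credentials: "same-origin" });
      item.text = await res.text();
    }
    out.push(item);
  }
  return out;
}
```

In a page this would be called as `readOwnScriptSources(document, location.href)`; cross-origin entries come back with `readable: false` and no `text`.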
