Disabling javascript in a child window, from the parent

Question

Bit of an weird request, but I'd like to be able to have a parent window:

Create a new child window on the same domain (using window.open)
Prevent any javascript running in the child window

Currently, I can do this within in the child window by including the following at the very top of the page:

<script>
  Function.prototype.call = function() {};
  Function.prototype.apply = function() {};
</script>

This pretty much stops any javascript in the child page from running. But is there any way for me to do this from the parent window? Can I somehow inject this code into the child page before any scripts have a chance to run?

Or is there any other way to do this?

Any help appreciated

If you're directing the child window to an URL, the Same Origin Policy would prevent you from manipulating that page. — Diodeus - James MacFarlane, Mar 12 '13 at 20:07
@Diodeus The child page will be on the same domain, so I can manipulate it as much as I like. — bluepnume, Mar 12 '13 at 20:11
Redefining `Function`'s prototype [doesn't seem to actually work](http://jsfiddle.net/josh3736/6y7aq/)... — josh3736, Mar 12 '13 at 20:16

jcubic · Accepted Answer · 2013-03-12T20:19:48.743

2

You can use bit of server side to remove all <script> tags and inline event handlers like onclick.

EDIT

using client side you can try to grab whole page using ajax remove the scripts there and write the content to newly created window. I don't think you will be able to use

$.get('page.html', function(html) {
    var html = $(html).find('script').remove().html();
});

because scripts may be executed when added to DOM, so maybe you will need to use a parser or just regex.

edited Mar 12 '13 at 20:19

answered Mar 12 '13 at 20:07

jcubic

61,973
54
229
402

Good suggestion, but for various reasons this needs to be purely client side. – bluepnume Mar 12 '13 at 20:12
Thanks jcubic, I think this is going to be the best approach. Little bit hacky, but should achieve what I'm hoping to do. – bluepnume Mar 17 '13 at 07:35

score 2 · Answer 2 · answered Mar 12 '13 at 20:35

2

window.open() returns a reference to the newly created window. If the window is on the same origin, you're free to access it.

var popup = window.open('/some/page.html');
popup.contentWindow // = the popup's `window` object

However, the code you've come up with doesn't work. You've likely seen that it breaks jQuery, which makes liberal use of call and apply, but it does nothing to stop normal function invocation.

answered Mar 12 '13 at 20:35

josh3736

139,160
33
216
263

Yeah, you're absolutely correct, I was seeing it break jQuery and assuming the same effect for other js. Thanks for pointing this out to me. – bluepnume Mar 17 '13 at 07:36

score 0 · Answer 3 · edited May 23 '17 at 12:28

0

If the child window is in an iframe? There has been a question like that, and the answer was - you can not do this easily with php serverside.

How do I disable scripts in my iframe?

edited May 23 '17 at 12:28

Community

1
1

answered Mar 12 '13 at 20:10

Martin Turjak

20,896
5
56
76

Nope, not an iframe, a child window created with `window.open(...)`. I have full control over the window, I just need to know how to run the above javascript-blocking code *before* the child page has a chance to load any other js. – bluepnume Mar 12 '13 at 20:13

Disabling javascript in a child window, from the parent

3 Answers3