2

Source maps are extremely helpful when stepping through minified library code, among other things. The first few lines of a .js file using source maps could look like this by default:

/*! jQuery v1.10.2 | (c) 2005, 2013 jQuery Foundation, Inc. | jquery.org/license
//@ sourceMappingURL=jquery.min.map
*/

If you don't have jquery.min.map in the same directory, a browser that supports source mapping will make a redundant http request resulting in a 404 error (sounds familiar, favicon anyone?).

I've noticed that sourceMappingURL could point to another domain; I'm not advocating the practice but it seems peculiar that it wouldn't be subject to CORS:

/*! jQuery v1.10.2 | (c) 2005, 2013 jQuery Foundation, Inc. | jquery.org/license
//@ sourceMappingURL=//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.map
*/

Are mapped unminified sources safe? i.e. if in the example above the mapped server were compromised and malicious code added to the source, could/would it get executed? What about if you're debugging code and stepping through it? I can't find any implementation details that would answer this.

Community
  • 1
  • 1
Oleg
  • 24,465
  • 8
  • 61
  • 91
  • The code in the source map isn't executed, it's just used for display in the debugger. – Barmar Sep 27 '13 at 00:15
  • Does this answer your question? [How to use JavaScript source maps (.map files)?](https://stackoverflow.com/questions/21719562/how-to-use-javascript-source-maps-map-files) – Michael Freidgeim Aug 07 '21 at 13:18

1 Answers1

5

When you step through code, you're executing the minified code, not the code in the source map. The source map is just used for display in the debugger.

Barmar
  • 741,623
  • 53
  • 500
  • 612