
I am running third-party JavaScript on my page, and those scripts are reading the page URL (location.href) without my consent. Is there a way to prevent them from accessing it without loading them in iframes?

Maybe I could redefine the window.location.href value so that they cannot access it as it is in the url?

Thank you for your help!


1 Answer


The location.href property is read-only in the sense that a page cannot redefine it to return a different value (assigning to it navigates the page). I can only come up with a partial solution to this, using a modified version of the Greasemonkey script outlined in this Stack Overflow post: Stop execution of Javascript function (client side) or tweak it

In the script below, the function displayUrl() is called, which shows document.location.href in an alert. The Greasemonkey script uses the Document.onbeforescriptexecute event to intercept the JavaScript before it gets executed and replaces document.location.href with another string.

onbeforescriptexecute is only supported by Firefox and is non-standard: https://developer.mozilla.org/en-US/docs/Web/API/Document/onbeforescriptexecute

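So this is not exactly an ideal solution: it only rewrites the literal text document.location.href in the scripts it intercepts, so it should not be relied on as a security control. Still, this example may give you some ideas.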

<html>
<head>
</head>
<body>
<script>

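function checkForBadJavascripts (controlArray) {

    /*--- Note that this is a self-initializing function.  The controlArray
        parameter is only active for the FIRST call.  After that, it is an
        event listener.

        Each control array row is defined like so:
        [bSearchSrcAttr, identifyingRegex, callbackFunction]
        Where:
            bSearchSrcAttr      True to search the SRC attribute of a script tag,
                                false to search the TEXT content of a script tag.
            identifyingRegex    A valid regular expression that should be unique
                                to that particular script tag.
            callbackFunction    Kept from the original Greasemonkey script; this
                                modified version does not invoke it.  Use null
                                if not needed.

        Returns the installed listener, or null when controlArray is empty.

        SECURITY NOTES
          * This is a text substitution, not an access control.  Only the
            literal text "document.location.href" in intercepted inline
            scripts is rewritten; window.location.href or any other way of
            reading the URL is left untouched, and the rewritten script still
            runs with full page privileges.
          * The rewritten text is run with eval(), so a Content-Security-Policy
            that omits 'unsafe-eval' will block it.
          * Robust options are isolating the script (for example a sandboxed
            iframe) or keeping sensitive data out of the URL.
    */
    if ( ! controlArray.length) return null;

    checkForBadJavascripts      = function (zEvent) {

        //--- Walk backwards so rows can be spliced out while iterating.
        for (var J = controlArray.length - 1;  J >= 0;  --J) {
            var bSearchSrcAttr      = controlArray[J][0];
            var identifyingRegex    = controlArray[J][1];
            var searchedText        = bSearchSrcAttr ? zEvent.target.src
                                                     : zEvent.target.textContent;

            if (identifyingRegex.test (searchedText) ) {
                stopBadJavascript (J, bSearchSrcAttr);
                return false;
            }
        }

        function stopBadJavascript (controlIndex, matchedOnSrc) {
            //--- Cancel the browser's own execution of this script node.
            zEvent.stopPropagation ();
            zEvent.preventDefault ();

            if ( ! matchedOnSrc) {
                /*--- Rewrite EVERY occurrence (a string-pattern replace() only
                    rewrites the first one, leaving later reads of the real URL).
                */
                var jsScript = zEvent.target.textContent
                    .split ("document.location.href")
                    .join ("'http://example.com'");

                /*--- NOTE(security): this evaluates third-party script text.
                    The indirect call runs it in global scope, like a normal
                    script, so it cannot see controlArray/zEvent and its
                    top-level declarations stay visible to later scripts.
                */
                (0, eval) (jsScript);
            }
            /*--- else: the script was matched on its SRC attribute.  Only the
                URL is available here, not the source text, so there is nothing
                to rewrite; the external script is simply blocked.
            */

            //--- Remove the node just to clear clutter from Firebug inspection.
            zEvent.target.parentNode.removeChild (zEvent.target);

            //--- Script is intercepted, remove it from the list.
            controlArray.splice (controlIndex, 1);
            if ( ! controlArray.length) {
                //--- All done, remove the listener.
                window.removeEventListener (
                    'beforescriptexecute', checkForBadJavascripts, true
                );
            }
        }
    }

    /*--- Use the "beforescriptexecute" event to monitor scripts as they are loaded.
        See https://developer.mozilla.org/en/DOM/element.onbeforescriptexecute
        Note that it does not work on scripts that are dynamically created.
    */
    window.addEventListener ('beforescriptexecute', checkForBadJavascripts, true);

    return checkForBadJavascripts;
}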

function addJS_Node (text, s_URL, funcToRun) {
    /*--- Create a <script> element and append it to the page.
        text        Optional inline source for the script.
        s_URL       Optional URL assigned to the script's src attribute.
        funcToRun   Optional function; its source text (via toString) is
                    wrapped in an immediately-invoked expression and used as
                    the inline source, replacing any value set from text.
                    Only the source text travels, so variables the function
                    closed over are not available when it runs in the page.
    */
    var node    = document.createElement ('script');
    node.type   = "text/javascript";

    if (text) {
        node.textContent = text;
    }
    if (s_URL) {
        node.src = s_URL;
    }
    if (funcToRun) {
        node.textContent = ['(', funcToRun.toString(), ')()'].join ('');
    }

    //--- Prefer <head>, then <body>, then the root element.
    var parent = document.getElementsByTagName ('head')[0];
    if ( ! parent) parent = document.body;
    if ( ! parent) parent = document.documentElement;

    //--- No error check on purpose: if the DOM is not available this throws.
    parent.appendChild (node);
}

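/*--- Check for bad scripts to intercept and specify any actions to take.
    One row: match on the TEXT of inline scripts (first field is false) that
    mention document.location.href.  The dots are escaped so they match a
    literal "." rather than any character.  The callback slot is null because
    the interceptor in this listing does not invoke callbacks.
*/
checkForBadJavascripts ( [
    [   false,
        /document\.location\.href/,
        null
    ]
] );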

</script>

<script>
function displayUrl()
{
    // Stand-in for third-party code: read the page URL and show it in an alert.
    alert(document.location.href);
}

// Demo call: when the interceptor in the first <script> has rewritten this
// script (Firefox only), the alert is expected to show 'http://example.com'.
displayUrl();
</script>
</body>
</html>

Note: I've added the below code to the original greasemonkey script:

    //if (typeof callbackFunction == "function") {
        //callbackFunction ();

        // Pick the string to rewrite: the src attribute value when the row
        // matched on src, otherwise the inline script text.
        // NOTE(review): target.src is the script's URL, not its source code.
        if (bSearchSrcAttr) {
            var jsScript = zEvent.target.src;
        } else {
            var jsScript = zEvent.target.textContent;
        }

        // NOTE(review): replace() with a string pattern rewrites only the
        // first occurrence; later document.location.href reads stay as written.
        jsScript = jsScript.replace("document.location.href", "'http://example.com'");
        // NOTE(security): this runs the intercepted third-party text through a
        // direct eval, in the enclosing function's scope and with full page
        // privileges; a Content-Security-Policy without 'unsafe-eval' blocks it.
        eval(jsScript);
    //}