I'm just testing whether it is possible to load a script via a data URL. To my surprise, in my actual Chromium it works.
I load the following document:
<html>
<head>
<script type="text/javascript">
var head = document.getElementsByTagName('head')[0];
var script = document.createElement('script');
script.type = 'text/javascript';
script.src = 'data:text/javascript,alert("hello!");';
head.appendChild(script);
head.removeChild(script);
</script>
</head>
</html>
... and a box saying "hello!" pops up.
Isn't this as bad as eval()? This makes it possible to compile arbitrary contents (containing any POSTed content or GET parameters) and to "inject" it into the running code!
Can someone please tell me whether this is an intended behaviour common to actual browsers?
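Both behaviours compared in the question, a script element with a data: URL source and eval(), are restricted in browsers by the page's Content-Security-Policy. The following is an added example, not part of the original post, that audits a policy header value for both. It assumes a policy without 'strict-dynamic', nonces or hashes; the function names and sample policies are constructed for illustration.

```javascript
// Added example: audit a Content-Security-Policy header value for the two
// sinks the question compares. Function names are illustrative.

function parsePolicy(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return directives;
}

// Return the source list of the first directive present, or null if none is.
function firstPresent(directives, names) {
  for (const name of names) {
    if (directives.has(name)) return directives.get(name);
  }
  return null;
}

function auditScriptPolicy(headerValue) {
  const d = parsePolicy(headerValue);
  // <script src> is governed by script-src-elem, then script-src, then default-src.
  const elem = firstPresent(d, ['script-src-elem', 'script-src', 'default-src']);
  // eval() is governed by script-src, then default-src.
  const evalSrc = firstPresent(d, ['script-src', 'default-src']);
  return {
    // On an http(s) page '*' does not match data:, so only an explicit
    // data: scheme source (or no governing directive) lets the script load.
    allowsDataScript: elem === null || elem.includes('data:'),
    allowsEval: evalSrc === null || evalSrc.includes("'unsafe-eval'"),
  };
}

// Constructed sample policies, not taken from any real site.
const samples = [
  '',
  "default-src 'self'",
  "script-src * 'unsafe-inline'",
  "script-src 'self' data:; object-src 'none'",
];
for (const p of samples) {
  console.log(JSON.stringify(p), auditScriptPolicy(p));
}
```

A page served without any policy, like the test document in the question, reports both as allowed.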