When an external JavaScript file is referenced,

<script type="text/javascript" src="js/jquery-1.4.4.min.js"></script>

is the JavaScript source (lines of code before interpretation) available from the DOM or window context in the current HTML page? I mean by using only standard JavaScript without any installed components or tools.

I know tools like Firebug trace into external source but it's installed on the platform and likely has special ability outside the context of the browser sandbox.

Mogsdad
John K

2 Answers

Nope. There's no Javascript API for loading the true content of <script> tags. This is actually not an oversight, but rather a security feature: suppose I request the .json file that Gmail requests via AJAX to load your inbox by putting it in an external <script> tag. A JSON document is valid Javascript (granted, without side-effects), so it would run without error. Then, if I could inspect the content of the external script, I would be able to read your e-mail. (I'm almost certain that Gmail is more complex than that, but most sites are not.)

So, making up a few things about how Gmail works, here's how the attack would look:

<script id="inbox" type="text/javascript" src="http://mail.google.com/OMGYOURINBOX.json"></script>

<script type="text/javascript">
// Supposing a value called `externalScriptContent` existed on a script tag:
var inboxJSON = document.getElementById('inbox').externalScriptContent;
var messages = JSON.parse(inboxJSON);
for(var i in messages) {
  // Do something malicious with each e-mail message
  alert(messages[i].body);
}
</script>

If a script tag had the value externalScriptContent, I could just put whatever URL in for the src that I wanted, and then summon up the remote file's contents, effectively circumventing AJAX cross-origin restrictions. That'd be bad. We allow cross-origin requests for remote scripts because they are run and run only. They cannot be read.

Firebug has these permissions because Firefox extensions have the ability to inspect anything that the browser requests; normal pages, thankfully, do not.

However! Bear in mind that, if the script is on your domain, instead of writing it in <script src="…"></script> form, you can pull it up with an AJAX request then eval it to have access to the contents and still only request it once :)

Matchu
  • If you can request the .json script that Gmail publishes then you have read my email regardless of whether the source is available for inspection, is that not right? Authentication is the mechanism that prevents this situation. Likely I'm not understanding the theoretical situation proposed. – John K Jan 09 '11 at 00:08
  • @John K: AJAX requests are subject to cross-origin permission requirements, but calls to external script files via `<script>` are not. If I were able to inspect the content of an external script summoned via `<script>`, then I could just put whatever I wanted as the `src`, read it, and effectively circumvent those cross-origin restrictions. The reason that `<script>` is not subject to those requirements is that the file runs and only runs; it cannot be read. I just caught my misleading phrasing in my answer, though, so edited :) – Matchu Jan 09 '11 at 00:20
  • @John: Added an important note to the end :) – Matchu Jan 09 '11 at 00:30
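The accepted answer rests on the claim that a JSON document is valid JavaScript, which is what makes the hypothetical "read the script's text" API dangerous. The following is an added example (not code from the answer above, and nothing about how Gmail actually works); it checks which JSON shapes really do compile as a script body, and shows the common server-side defence of prepending an unparseable prefix such as `)]}',` so the response can no longer be loaded through a `<script src>` at all, while the site's own code strips the prefix before `JSON.parse`. The `inbox` payload, `GUARD_PREFIX` handling and function names are all constructed for this example.

```javascript
// Does this text compile as a script body? new Function() only parses the text,
// it does not run it, so the check has no side effects.
function parsesAsScript(text) {
  try {
    new Function(text);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Anti-hijacking prefix (the same one several Google JSON endpoints use).
// It is a syntax error as JavaScript but trivial for the legitimate client to strip.
const GUARD_PREFIX = ")]}',\n";

// Server side: serialise data with the guard in front.
function guardJson(data) {
  return GUARD_PREFIX + JSON.stringify(data);
}

// Client side (same-origin XHR/fetch): refuse responses without the guard, then parse.
function parseGuardedJson(text) {
  if (!text.startsWith(GUARD_PREFIX)) {
    throw new Error('response is missing the anti-hijacking prefix');
  }
  return JSON.parse(text.slice(GUARD_PREFIX.length));
}

// Constructed sample payload standing in for the ".json" inbox in the answer.
const inbox = [{ from: 'alice@example.test', body: 'lunch?' }];

// An array literal is a valid statement, so a top-level JSON array loads as a script.
console.log(parsesAsScript(JSON.stringify(inbox)));    // true
// A bare object literal at statement level is a block with a syntax error inside.
console.log(parsesAsScript(JSON.stringify(inbox[0])));  // false
// With the guard in front, even the array no longer loads as a script.
console.log(parsesAsScript(guardJson(inbox)));          // false
// The legitimate client still gets its data.
console.log(parseGuardedJson(guardJson(inbox)));        // [ { from: 'alice@example.test', body: 'lunch?' } ]
```

Note the asymmetry the check exposes: only top-level arrays (or JSON wrapped in a callback, as with JSONP) are loadable as scripts, which is why the historical "JSON hijacking" attacks targeted array responses. Guarding every JSON response regardless of shape, and requiring authenticated JSON to be fetched with a same-origin XHR that the server can distinguish (for example via a custom request header), removes the dependence on that detail.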

You can parse the <script> tag and re-request the js file by XMLHttpRequest, it will likely be readily served from cache and with credentials of the current page. But unless both your requesting script and the script in the tag originate from the same domain, the browser will disallow this.

9000
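The second answer's "same domain" condition is the browser's same-origin policy: scheme, host and port of the script URL must all match the page's. As an added example (not code from either answer), the block below pulls the `src` attributes out of an HTML string, resolves them against the page URL exactly as the browser would, and reports which ones a same-origin `XMLHttpRequest`/`fetch` could re-request and read as text. `readSameOriginScript` is a browser-only helper with the same check applied to a live `<script>` element; the sample page, host names and function names are constructed for this example.

```javascript
// Extract src attributes from <script ...> tags (double-, single- and unquoted).
function scriptSources(html) {
  const sources = [];
  const tagRe = /<script\b[^>]*\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    sources.push(m[1] ?? m[2] ?? m[3]);
  }
  return sources;
}

// Resolve each src against the page URL and compare origins (scheme + host + port).
function classifyScripts(html, pageUrl) {
  const page = new URL(pageUrl);
  return scriptSources(html).map((src) => {
    const resolved = new URL(src, page); // relative paths like "js/jquery-1.4.4.min.js" resolve here
    const sameOrigin = resolved.origin === page.origin;
    return {
      src,
      url: resolved.href,
      sameOrigin,
      readable: sameOrigin
        ? 'yes: a same-origin XHR/fetch returns the text (usually from cache)'
        : 'no: the browser executes it but keeps the response opaque',
    };
  });
}

// Browser-only helper (uses document/location/fetch): read the text of a
// same-origin script element; refuses cross-origin ones up front.
function readSameOriginScript(scriptEl) {
  const url = new URL(scriptEl.src, document.baseURI);
  if (url.origin !== location.origin) {
    return Promise.reject(new Error(`${url.href} is cross-origin; its text cannot be read`));
  }
  return fetch(url, { credentials: 'same-origin' }).then((r) => r.text());
}

// Constructed sample page, served (for this example) from https://app.example.test/index.html
const samplePage = `
<script type="text/javascript" src="js/jquery-1.4.4.min.js"></script>
<script src="//cdn.example.test/lib.js"></script>
<script src='https://app.example.test:8443/other.js'></script>
`;

console.table(classifyScripts(samplePage, 'https://app.example.test/index.html'));
// jquery-1.4.4.min.js -> same origin, readable
// //cdn.example.test/lib.js -> different host, not readable
// app.example.test:8443/other.js -> different port, not readable
```

One caveat that postdates the answers: a cross-origin script becomes readable through `fetch`/XHR only if its server opts in with an `Access-Control-Allow-Origin` header (CORS); absent that header the classification above is exactly what the browser enforces. From the defender's side, the useful consequence is that anything served from your own origin, including JSON endpoints, must be assumed readable by any script running on that origin, so same-origin does not substitute for authentication.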