
I saw the question Inject javascript code into anonymous function scope but it seems to be not understood at all by the answers there, so I'm making a new question, to clarify the matter.

Let's say there is some code on a website like:

```javascript
(function() {
    function method() {
        //do some secret stuff
    }
})();
```

And I have no access to the source code; say I want to make some kind of addon, or extension, that will be able to access "method". How should this be done?

I'm aware that in general, this is an anonymous function expression, so the contents of its scope are hidden, but with Chrome extensions it's possible to inject JavaScript code into a page before it loads, for example. Would such injected code be able to change the source code itself somehow, to add a global reference, inside the anonymous function, to method? For example, something that executes before the previous code would be, to modify the innerHTML of the script tag?

Or perhaps make a new browser, with a modified version of V8 which allows access to anonymous functions, and to host that browser online and control it with NodeJS, and browse the site, on the client side, purely through the lens of the server-side modified JavaScript engine browser? Is there perhaps another way?

If the script is not inline on the page, but rather, a link to another file which contains the anonymous function, like , would one be able to inject some JavaScript into the page, or do something else with Chrome extensions, to simply redirect the HTTP reference of that link, to one's own server, which would process the JavaScript code and insert a global variable reference to the bottom of the anonymous function, or just remove the anonymous function altogether?

So for example, with chrome extensions, it's possible to redirect an HTTP request. So just append the original URL as a GET request to your server, so the above becomes ? Is there a better way?

  • See [this answer](https://stackoverflow.com/a/59424277). Yes, it's possible, if you can inject code onto the page before the script runs - you can use a MutationObserver to intercept the addition of the script tag you want to tamper with, and tamper with its source code (`textContent`). If it's an external script tag, you can do the same sort of thing, prevent the addition of the tag, then replace it with your own tampered ` – CertainPerformance Apr 14 '20 at 07:02
  • See [here](https://github.com/CertainPerformance/Stack-Exchange-Userscripts/blob/master/obsolete/Experiment-Off/StackExperimentOff.user.js) for an example of a userscript I made utilizing that technique to intercept and patch Stack Overflow's JS – CertainPerformance Apr 14 '20 at 07:04
  • Very interesting, I actually was having a very similar idea as you posted this comment, although I was thinking to redirect the request to the foreign URL with a Chrome extension (for external scripts) and sending the URL as a GET parameter or something on another server, and returning the modified version, but I realized in the comments to the GitHub file that it would ideally be used with Tampermonkey, is there some other simpler way of doing this, or is the Tampermonkey / Chrome extension method the best possible way? Is it possible to re-execute the JavaScript even after the page loads? – B''H Bi'ezras -- Boruch Hashem Apr 14 '20 at 07:33
  • It somewhat depends on who you're intending to use the code. If it's just for you, Tampermonkey is probably the easiest choice. If you're intending to distribute it to non-technically-inclined folks, an extension is better, since that way they don't have to do anything with the code themselves, all they need to do is install the extension. But I'm not sure how easy it is to replicate the `document-start` of Tampermonkey in an extension, something about a sync XMLHttpRequest sending a blob to ensure the script runs ASAP..? – CertainPerformance Apr 14 '20 at 07:49
  • Yes, with a userscript or extension, you'll be able to direct the code to run whenever you want it to, including automatically on pageload. If the script is for yourself only and you want to patch into external standalone `.js` files, you can consider using Chrome Local Overrides, they're even easier than userscripts. – CertainPerformance Apr 14 '20 at 07:49
  • @CertainPerformance Aha, so those are pretty much the only two options? I was thinking conceptually if it would be possible to do this after the scripts have already loaded and executed, is there a way to "un" execute javascript, and then re-execute it when our new script runs? – B''H Bi'ezras -- Boruch Hashem Apr 14 '20 at 07:53
  • You'd have to create an entirely new Javascript environment and then run your code *first*, but then you're back to where you started - you need a way to run your code first. There might be a way to do it by making a full-screen iframe that you fiddle with from the parent window, but I'm not sure. But some sites (like Stack Exchange) will forbid such iframes due to security, and it'd be a somewhat ugly option regardless. – CertainPerformance Apr 14 '20 at 07:57
  • @CertainPerformance I was also just thinking, the extension HTTP redirect would work for scripts that reference other websites, but is there anything in the chrome extension API that would allow me to inject a mutationobject before the page loads like your script does, to take care of inline scripts? – B''H Bi'ezras -- Boruch Hashem Apr 14 '20 at 07:58
  • You can also alter the request of the *document itself* - hard-code the HTML response you "receive", and alter the inline ` – CertainPerformance Apr 14 '20 at 08:02
  • @CertainPerformance oh you mean redirect the base URL of wherever the HTML file is located, and parse it with the server? What do you mean I won't be receiving up to date HTML, you mean if the page were to dynamically change? – B''H Bi'ezras -- Boruch Hashem Apr 14 '20 at 08:05
  • Yeah, the HTML will be the stale HTML you hard-coded with Local Overrides. It won't be up-to-date; won't work with a news site without a network request – CertainPerformance Apr 14 '20 at 08:08
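
The source-rewriting step described in the first comment (intercept the inline script, edit its `textContent`, let it run), as an added example that is not code from the thread or from the linked userscript. `PAGE_SCRIPT` is a constructed sample shaped like the IIFE in the question, and `exposeInner`, `demo` and the `__exposed_` prefix are hypothetical names.

```javascript
// Added example, not code from the thread. PAGE_SCRIPT is a constructed sample
// shaped like the IIFE in the question; exposeInner, demo and the __exposed_
// prefix are hypothetical names.
const PAGE_SCRIPT = `(function() {
    function method() {
        return 'secret stuff';
    }
})();`;

// Return `source` with one statement inserted just before the IIFE's closing
// "})();" that copies the inner function onto globalThis. Returns null when
// the text does not have the expected shape, so the caller leaves it alone.
function exposeInner(source, name) {
  if (!/^[A-Za-z_]\w*$/.test(name)) return null;            // plain identifiers only
  if (!new RegExp('\\bfunction\\s+' + name + '\\s*\\(').test(source)) return null;
  const tail = /\}\s*\)\s*\(\s*\)\s*;?\s*$/.exec(source);    // trailing "})();"
  if (!tail) return null;
  return source.slice(0, tail.index) +
    'globalThis.__exposed_' + name + ' = ' + name + ';\n' +
    source.slice(tail.index);
}

// Run the sample unpatched, then patched, and report what became reachable.
function demo() {
  delete globalThis.__exposed_method;                       // start from a clean state
  (0, eval)(PAGE_SCRIPT);
  const afterPlain = typeof globalThis.__exposed_method;    // closure kept it private
  (0, eval)(exposeInner(PAGE_SCRIPT, 'method'));
  return { afterPlain, afterPatch: globalThis.__exposed_method() };
}

// Page-side wiring from the comment. It runs only where a DOM exists, and it
// only matters if it is installed before the parser reaches the inline script.
if (typeof MutationObserver !== 'undefined' && typeof document !== 'undefined') {
  new MutationObserver((mutations, observer) => {
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (node.nodeName !== 'SCRIPT' || node.src) continue; // inline scripts only
        const patched = exposeInner(node.textContent, 'method');
        if (patched === null) continue;
        node.textContent = patched;
        observer.disconnect();
        return;
      }
    }
  }).observe(document.documentElement, { childList: true, subtree: true });
}
```

For whoever ships the page, the point is that an IIFE hides names from scripts that run later, not from anything that can edit the source text before it executes.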
