I have got a JavaScript file (extremely obfuscated) on my site that handles videos.
And this JavaScript file requests another JavaScript file and that JavaScript file calls another and so on....
Can I wrap the first JavaScript file (maybe sandbox it) so any request for an external resource will be redirected through my proxy?
I mean if the JavaScript file calls:
http://example.com/another.js
After I intercept the call, it will be:
http://myproxy.com/?url=http://example.com/another.js.
It depends on how the JS file calls the next one: by using an XHR request or by adding a script tag to the DOM ... ?
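One way to do the rewrite asked about above, covering both cases the reply names (XHR and script tags). This is an added example, not code from the original posts: `toProxyUrl` and `installHooks` are hypothetical names, and the proxy endpoint is the one from the question.

```javascript
// Added example. PROXY is the endpoint named in the question.
const PROXY = "http://myproxy.com/";

// Resolve `raw` against the page URL and return its proxied form.
// Same-origin URLs, URLs already on the proxy, and non-HTTP(S) schemes
// (data:, blob:, ...) are not routed through the proxy.
function toProxyUrl(raw, pageUrl) {
  const target = new URL(raw, pageUrl);
  if (target.protocol !== "http:" && target.protocol !== "https:") return raw;
  if (target.origin === new URL(pageUrl).origin) return target.href;
  if (target.origin === new URL(PROXY).origin) return target.href;
  const out = new URL(PROXY);
  // searchParams percent-encodes the nested URL, so its own "?" and "&"
  // are not mistaken for parameters of the proxy request.
  out.searchParams.set("url", target.href);
  return out.href;
}

// Patch the two loading paths on a window-like object.
function installHooks(win) {
  const page = win.location.href;

  // Path 1: XMLHttpRequest
  const open = win.XMLHttpRequest.prototype.open;
  win.XMLHttpRequest.prototype.open = function (method, url, ...rest) {
    return open.call(this, method, toProxyUrl(String(url), page), ...rest);
  };

  // Path 2: script elements whose `src` property is assigned
  const proto = win.HTMLScriptElement.prototype;
  const desc = Object.getOwnPropertyDescriptor(proto, "src");
  Object.defineProperty(proto, "src", {
    ...desc,
    set(value) { desc.set.call(this, toProxyUrl(String(value), page)); },
  });
}

// Must run before the obfuscated script is loaded.
if (typeof window !== "undefined") installHooks(window);
```

Hooks like these only see code that goes through the patched properties; `setAttribute`, `fetch` or `document.write` bypass them. A Content-Security-Policy whose `script-src` and `connect-src` allow only your own origin and the proxy is what makes the browser refuse direct loads.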
I want to load HTML code into a webview. But the HTML code has several other external resources. For example, in the HTML code I have:
<script type="text/javascript" src="//cdn3.example.com/example.js"></script>
but it seems that 'example.js' is not executed when rendering the webview.
Is it possible to achieve that? Thank you
I have a similar issue: the webview is loaded from file:// and won't load external resources... CORS is set to * on the server side too.
So digging into it further, it seems my problem was that I used custom SSL certs on the server side and Android couldn't verify the server's authenticity, and so requests were being cancelled. (Adding intermediate certs to the app would help.)
Alternatively:
You can override webclient's shouldInterceptRequest and fetch the external scripts yourself, returning the request from which the webview will draw data (make sure you don't fetch during the shouldInterceptRequest call or it will be slooooooow sequentially fetching resources; instead, return a request's subclass and start fetching data async, so by the time the call to getData comes you already have what you need... search SO for async shouldInterceptRequest for help with that).
I've made a script for processing XML:
Extracts parts of the XML-data and displays them on a HTML-/CSS-page.
Currently I use the stringified content of some arbitrary file for doing my development. Written as a string-literal into my JavaScript.
Works great. But now comes the problem:
Of course I would like to load whatever (equal-structured) XML-files. Instead of having it in my code as a string-literal.
Normally I would load the files into my script via Ajax.
But I can't install a web-server on these computers.
I'm within an enterprise and it isn't possible to install any additional software. Restricted via group-policies etc. No chance. Forget it!
As far as I know it isn't possible to use Ajax without a web-server because Ajax communicates via the http-protocol.
So here's my questions:
Is there (perhaps) a possibility to use Ajax without a web-server?
And in case of impossible:
Have I got any Ajax-alternatives to load XML-data into my script?
You can embed your XML inside a script tag in your HTML like this:
console.log(document.getElementById('file').innerHTML)
<script type="text/xml" id="file">
<root><foo><bar></bar></foo></root>
</script>
Following is what I want to accomplish:
In the HTML, when the page loads (onload), I want to run a CGI script, which is a C program, to run a function in it.
I am thinking of calling a JS function onload in the HTML:
<body onload="MyJsFunc();">
then in the JS file:
function MyJsFunc()
{
//call MyCGIfunc()
}
Now, how do I call my CGI above?
I am not sure if what I am trying to accomplish is doable or not.
Note: I can't use jQuery
CGI programs are executed by making an HTTP request to them.
If you want to trigger them when a page is loaded, then the usual approach is to have the page be generated from the CGI program in the first place.
Failing that, you can use a Server Side Include to call the CGI program. (Note: You need to have your server configured to parse your HTML document for SSI directives).
<!--#exec cmd="./my_cgi" -->
If you really want to use JavaScript, then you will have to make the browser issue an additional HTTP request. This is usually done using the XMLHttpRequest object.
// Issue a GET request to the CGI program once the page is running
var myRequest = new XMLHttpRequest();
myRequest.open("GET", "/cgi-bin/my_cgi");
myRequest.send();
You can use an iframe to exec the CGI, as:
<iframe src="/cgi-bin/script.cgi" width="300" height="150"></iframe>
I have a FeedBurner script which displays feeds; it looks like this:
<script src="http://feeds.feedburner.com/cnn/HIkg?format=sigpro" type="text/javascript" ></script>
I want to load this script, which is on a different HTML page, so basically I'm loading an HTML file with this script in it using:
$('#' + items[i]).load('content/' + items[i] + '.html');
This piece of code does load the HTML page but the script is not executed (working). How do I get the script to work once loaded?
According to the documentation:
Script Execution
When calling .load() using a URL without a suffixed
selector expression, the content is passed to .html() prior to scripts
being removed. This executes the script blocks before they are
discarded. If .load() is called with a selector expression appended to
the URL, however, the scripts are stripped out prior to the DOM being
updated, and thus are not executed.
If your URL is just a plain URL without a selector specified, then the script should execute before it is removed.
Check the value of items[i] and check if it is a plain url without a selector or not.
If the URL looks fine, you might be running into a cross-site scripting issue. The documentation also mentions:
Due to browser security restrictions, most "Ajax" requests are subject
to the same origin policy; the request can not successfully retrieve
data from a different domain, subdomain, or protocol.
If possible though I still would recommend for any script to be in an external file as that is good practice and doesn't clutter the html. Then you can use .getScript() as recommended by Raminson.
You can use the $.getScript() utility function:
Load a JavaScript file from the server using a GET HTTP request, then execute it.
$.getScript("/test.js")
When an external JavaScript file is referenced,
<script type="text/javascript" src="js/jquery-1.4.4.min.js"></script>
is the JavaScript source (lines of code before interpretation) available from the DOM or window context in the current HTML page? I mean by using only standard JavaScript without any installed components or tools.
I know tools like Firebug trace into external source but it's installed on the platform and likely has special ability outside the context of the browser sandbox.
Nope. There's no JavaScript API for loading the true content of <script> tags. This is actually not an oversight, but rather a security feature: suppose I request the .json file that Gmail requests via AJAX to load your inbox by putting it in an external <script> tag. A JSON document is valid JavaScript (granted, without side-effects), so it would run without error. Then, if I could inspect the content of the external script, I would be able to read your e-mail. (I'm almost certain that Gmail is more complex than that, but most sites are not.)
So, making up a few things about how Gmail works, here's how the attack would look:
<script id="inbox" type="text/javascript" src="http://mail.google.com/OMGYOURINBOX.json"></script>
<script type="text/javascript">
// Supposing a value called `externalScriptContent` existed on a script tag:
var inboxJSON = document.getElementById('inbox').externalScriptContent;
var messages = JSON.parse(inboxJSON);
for(var i in messages) {
// Do something malicious with each e-mail message
alert(messages[i].body);
}
</script>
If a script tag had the value externalScriptContent, I could just put whatever URL in for the src that I wanted, and then summon up the remote file's contents, effectively circumventing AJAX cross-origin restrictions. That'd be bad. We allow cross-origin requests for remote scripts because they are run and run only. They cannot be read.
Firebug has these permissions because Firefox extensions have the ability to inspect anything that the browser requests; normal pages, thankfully, do not.
However! Bear in mind that, if the script is on your domain, instead of writing it in <script src="…"></script> form, you can pull it up with an AJAX request then eval it to have access to the contents and still only request it once :)
You can parse the <script> tag and re-request the js file by XMLHttpRequest, it will likely be readily served from cache and with credentials of the current page. But unless both your requesting script and the script in the tag originate from the same domain, the browser will disallow this.
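The same-origin rule these answers rely on, as an added example that is not part of the original posts: it lists which scripts on a page could be re-requested and read with XMLHttpRequest and which can only be executed. `classifyScripts`, the page URL and the sample markup are constructed; it assumes no CORS opt-in by the other server and uses a simple regex rather than a real HTML parser.

```javascript
// Added example. PAGE and SAMPLE_HTML are constructed sample input.
const PAGE = "http://www.example.com/app/index.html";
const SAMPLE_HTML = `
<script type="text/javascript" src="js/jquery-1.4.4.min.js"></script>
<script src="//cdn3.example.com/example.js"></script>
<script src="https://www.example.com/js/secure.js"></script>
<script src="http://www.example.com:80/js/same.js"></script>
<script src="http://www.example.com:8080/js/other-port.js"></script>
<script>var inline = 1;</script>`;

// For each <script> tag, report whether page code can read its source.
// An origin is scheme + host + port, so "same domain" alone is not enough.
function classifyScripts(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const tagRe = /<script\b([^>]*)>/gi; // opening tags only; simplification
  const results = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const srcMatch = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (!srcMatch) {
      // Inline script: its text is part of the document itself.
      results.push({ src: null, origin: pageOrigin, readable: true });
      continue;
    }
    // Resolves relative and protocol-relative URLs; default ports normalise.
    const origin = new URL(srcMatch[1], pageUrl).origin;
    results.push({ src: srcMatch[1], origin, readable: origin === pageOrigin });
  }
  return results;
}

for (const r of classifyScripts(SAMPLE_HTML, PAGE)) {
  console.log(r.readable ? "readable    " : "execute-only", r.src ?? "(inline)");
}
```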