How do you log to the error console from untrusted Javascript? - javascript

In Chromium, 'console.log()' lets you print to the error console, but only from javascript embedded in the html, or in a .js file on the local machine.
What are your workarounds for debugging Javascript that is contained in .js files on a remote machine and included in a page?

Add breakpoints and / or watch expressions.
See http://code.google.com/chrome/devtools/docs/scripts-breakpoints.html

I recently had to do this with a Facebook SDK javascript, hosted by Facebook. I downloaded the script and hosted it locally for debugging. I could then add in all the console.log messages I wanted.
When everything was done I removed the local file and returned to Facebook's hosted script.
Phil's suggestion of breakpoints is also very useful when you want the value of a variable at a specific location in the code.
Another useful technique for code executed upon a user action, such as a button click, is to use the Scripts tab of the Chrome inspector, or FireBug in FF, to edit the javascript prior to execution. I've had limited use for this, but it's quite useful from time to time.

The problem is cross-domain security policy. Only javascript from the domain of the html file can use console.log

Related

How can I Extract JavaScript Source on Chrome Extension or Console-Command?

HTML :
<html> <script src="http://someurl.com/jscript.js"></script></html>
I'm trying to extract source code of jscript.js in chrome extension.
But there is no attribute of DOM Object holding source of js.
Is there a way to extract the source code of JavaScript which is loaded on page?
(By using DOM object or some internal object, except re-downloading the script)
Because some web servers return different source code depending on the request packet (usually BAD servers do that). So if I try to download it with a different request, I can't get the same one that was loaded in the browser.
According to "Is external JavaScript source available to scripting context inside HTML page?", it's not normally possible without redownloading since it's not exposed to the DOM.
An extension, however, can hook into information available to the browser.
The simplest would be to create a DevTools extension. It would only work when the DevTools are open on the page, but then you can easily access the source with chrome.devtools.inspectedWindow.getResources().
Somewhat harder, but one can use chrome.debugger API to achieve the same while DevTools are closed. It's a low-level API, but it allows doing everything DevTools can do. I don't have a ready example, but Debugger Protocol docs will help.
Neither is possible from a content script.
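One way to use the getResources() call named in the answer above to collect script sources from a DevTools extension page. This is an added example, not code from the thread: the function name collectLoadedScripts and the ".js" URL filter are assumptions, and the caller passes in chrome.devtools.inspectedWindow.

```javascript
// Added example (not from the thread). In a DevTools extension page, call:
//   collectLoadedScripts(chrome.devtools.inspectedWindow, function (scripts) { ... });
// The function name and the ".js" URL filter are illustrative assumptions.
function collectLoadedScripts(inspectedWindow, done) {
  inspectedWindow.getResources(function (resources) {
    // Keep resources whose URL ends in .js (a query string or fragment may follow).
    const scripts = resources.filter(function (r) {
      return /\.js(?:[?#]|$)/i.test(r.url);
    });
    const results = [];
    let pending = scripts.length;
    if (pending === 0) { done(results); return; }
    scripts.forEach(function (resource) {
      // getContent returns the content DevTools holds for the resource;
      // encoding is "base64" when the content is base64-encoded, empty otherwise.
      resource.getContent(function (content, encoding) {
        const body = content || '';
        results.push({
          url: resource.url,
          source: encoding === 'base64' ? atob(body) : body
        });
        pending -= 1;
        if (pending === 0) done(results);
      });
    });
  });
}
```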
You can also go directly to the extension on your file system:
Where to find extensions installed folder for Google Chrome on Mac?
for example on my mac book computer:
pwd
output: ~/Library/Application\ Support/Google/Chrome/Default/Extensions/hkbhjllliedcceblibllaodamehmbfgm/1.7.1_0

Receive then implement .js files from server in a chrome extension

I have a chrome extension that, when clicked, needs to display a modal to the user. For convenience we would like to pull all the necessary code for the modal from a server and then execute the JavaScript in the context of the extension, before displaying anything to the user.
(running a Node.js server)
Is there a way to do this?
If not, any suggestions on alternative routes we could take?
cheers!
Have a read through https://developer.chrome.com/extensions/contentSecurityPolicy
In short - it's possible, but you need to serve the script over HTTPS, or else Chrome will reject the origin. You also need to explicitly write the CSP in the manifest.
"Convenience" is a strange word to use here though. What if the network is flaky or slow?
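A check for the manifest CSP that the answer above refers to, listing which remote script origins a policy allows and flagging those that are not HTTPS. This is an added example, not code from the thread; it assumes the Manifest V2 string form of content_security_policy, and the function names and sample origins are constructed.

```javascript
// Added example (not from the thread). Audits script-src in a Manifest V2
// extension's content_security_policy string. Names and samples are constructed.
const MV2_DEFAULT_CSP = "script-src 'self'; object-src 'self'";

function parseCsp(policy) {
  const directives = Object.create(null);
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // When a directive is repeated, only the first occurrence counts.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

function auditScriptSources(manifest) {
  const directives = parseCsp(manifest.content_security_policy || MV2_DEFAULT_CSP);
  const sources = directives['script-src'] || directives['default-src'] || [];
  const report = { httpsOrigins: [], flagged: [] };
  for (const src of sources) {
    if (src.startsWith("'")) continue; // keywords such as 'self'
    // Accept "scheme://host..." or a bare "scheme:"; anything else has no scheme.
    const m = /^([a-z][a-z0-9+.-]*):(?:\/\/([^/:]*)|$)/i.exec(src);
    const scheme = m ? m[1].toLowerCase() : '';
    const host = m && m[2] ? m[2].toLowerCase() : '';
    if (scheme === 'https' && host && host !== '*') {
      report.httpsOrigins.push(src); // remote code, served over TLS
    } else if (scheme === 'http' && (host === 'localhost' || host === '127.0.0.1')) {
      continue; // loopback origin, development use only
    } else if (scheme === 'https' || scheme === 'http' || scheme === '') {
      report.flagged.push(src); // plain HTTP, bare host, or wildcard-only source
    }
  }
  return report;
}

// Constructed sample manifest for illustration.
const sampleManifest = {
  manifest_version: 2,
  content_security_policy:
    "script-src 'self' https://cdn.example.com http://static.example.net http://localhost:8080; object-src 'self'"
};
```

Manifest V3 does not allow remotely hosted code in extensions, so relaxing script-src this way applies to Manifest V2 only.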

Relative Links Not working on HTML page

There is an issue I am facing in HTML page.
I have included a javascript code in that page due to which ActiveX warning message is thrown each time the HTML page is uploaded on local system.
To stop this warning being shown to the users, I have used MOTW (Mark of the Web) and included this code snippet at the top of the HTML Page:
<!-- saved from url=(0016)http://localhost-->
This line of code prohibits the warning prompt message.
But now the relative URLs on the page have stopped working.
Please help me find a solution so that neither the ActiveX warning arises nor the relative links on the page stop working.
Thanks in advance.
The ActiveX warnings should only arise when you are accessing your site from the local file system, for security reasons. When you access it through a (local or remote) web server the warnings should be gone.
Can you not use Apache (included in XAMPP), or something similar, to serve your pages (even locally, through http://localhost/)?
Edit:
Alternatively, you could disable that particular security setting in Internet Explorer (which I assume you use, because you mention ActiveX). Or you could try a different browser: Firefox, for example, does not have these restrictions.
Have you tried using a <base href="ENTERBASEURLHERE" />?

JavaScript working differently locally than online

I've noticed that some simple scripts in JavaScript that work perfectly on my local server don't work at all online.
How can this be possible? JS client-side scripting? Any ideas?
Sorry for not providing much information, and for my English, too.
Mine was a general question.
For example:
$('#posticipa').click(function () {
    var stato = $('#future').css('display');
    if (stato == 'none') {
        $('#future').css('display', 'block');
    } else {
        $('#future').css('display', 'none');
    }
});
This piece of code works perfectly on my local Apache server on Ubuntu 9.10, with Firefox 3.6, 3.5, Google chrome and Opera.
When I upload it on my remote CentOS server, also running Apache, it doesn't work. No errors are displayed in Firebug or the console; it just doesn't run.
I'm using the same version of jQuery on both servers.
Check the console in your browser for errors. If it is Firefox, install Firebug; if it is Chrome, press Ctrl + Alt + J.
It depends on what your script is trying to do. "Any ideas?" is pretty broad. But client-side scripting has a lot more restrictions than server-side, for obvious security reasons. For example, if you could access the client's file system through client-side JS, any website on the internet would be able to take control of your system.
JavaScript Security Restrictions
Having looked at your edited question, I think it's most likely that one of two things is happening:
Some kind of error is causing the JS to fail before this code is hit (but you say FireBug isn't displaying an error, so if you've got FB set up right this shouldn't be the problem)
The entire script is never getting hit, probably due to an incorrect src attribute in the script tag.
Try putting a debugger; line or an alert somewhere very early in your JS code. That should tell you whether the script is getting hit (the debugger command should tell FireBug to go into debug mode, provided you have FB's Script tag enabled on when you load the page).
If it isn't getting hit, make sure the script's src is the correct, reachable URL. If it is, move the line steadily down your code until it doesn't fire anymore. That should help you figure out where the error is.

Looking for doc on why IE "yellow bar" shows when opening a HTML file that contains JavaScript

I have a site, from which you can download an HTML file. This HTML file contains a form with hidden fields, which is right away posted back to the site using JavaScript. This is a way of allowing users to download to their own machine data that they edit on the site.
On some machines, you get an IE "yellow bar" when trying to open the file you saved. The "yellow bar" in IE is warning that the HTML is trying to run an Active X (which it is not, there is only JavaScript doing a submit() on a form). However if you receive the exact same HTML file by email, save it, and open it, you don't have this problem. (It looks like IE is putting some more constraint on what can be done in a HTML file you saved from web site.)
My question is: where can I find documentation on this IE security mechanism, and possibly how can I get around it?
Alex
The yellow bar is because your page is executing in the Local Machine security zone in IE. On different machines, the Local Machine security zone might be configured in different ways, so you can see the yellow bar on some machines and not see it on other machines.
To learn more about the IE's URL Security Zones, you can start reading here: http://msdn.microsoft.com/en-us/library/ms537183.aspx
Look here for details on the MOTW - Mark Of The Web
If you add this to your locally served pages, IE will not show the yellow bar.
http://msdn.microsoft.com/en-us/library/ms537628(VS.85).aspx
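The Mark of the Web comment recommended in the answer above, and used in the earlier question as <!-- saved from url=(0016)http://localhost-->, carries a four-digit number that is the length of the URL following it. The following added example, which is not code from either thread, builds the comment and checks an existing one; the function names makeMotw and checkMotw are hypothetical.

```javascript
// Added example (not from the threads). Builds and checks the Mark of the Web
// comment: "(NNNN)" is the zero-padded character count of the URL after it.
function makeMotw(url) {
  const len = String(url.length).padStart(4, '0');
  return '<!-- saved from url=(' + len + ')' + url + ' -->';
}

function checkMotw(html) {
  const m = /<!--\s*saved from url=\((\d{4})\)(.*?)\s*-->/i.exec(html);
  if (!m) {
    return { present: false, declared: null, url: null,
             problems: ['no Mark of the Web comment found'] };
  }
  const declared = parseInt(m[1], 10);
  const url = m[2];
  const problems = [];
  if (declared !== url.length) {
    problems.push('declared length ' + declared +
                  ' does not match URL length ' + url.length);
  }
  return { present: true, declared: declared, url: url, problems: problems };
}

// The comment quoted in the earlier question on this page.
const PAGE_MOTW = '<!-- saved from url=(0016)http://localhost-->';
// Constructed sample: a trailing slash was added without updating the count.
const STALE_MOTW = '<!-- saved from url=(0016)http://localhost/ -->';
```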
I am not sure about any specific document, but if you open the properties for the file in Windows Explorer, on the General tab, is the file blocked? If so, click Unblock and try again and see if you get the same issue. This is typical security for files downloaded from the internet.
Other than that, I am afraid I don't know what else to suggest.
I don't 100% follow what your JavaScript is submitting to, but if you're submitting back to the original site from the downloaded copy you'll have a problem using JavaScript as all browsers treat cross-domain JavaScript as a security violation.
JavaScript isn't allowed to read or write to any site not on the current domain
As Franci had said, it is because you are in the local machine security context, and this allows scripts to create objects and execute code that could do harm to your PC. For example, you can create a File System Object and perform tasks that an untrusted page shouldn't generally perform because it could be malicious in nature.
Have you tried changing the file name from yourname.html to yourname.hta to see if the security problem goes away?
More on HTML Applications (.HTA files): http://msdn.microsoft.com/en-us/library/ms536496%28VS.85%29.aspx
