I'm working on code that is injected on web pages (using a browser add-on or with a script tag).
The problem is that we want to use global objects and variables like JSON, window.location, String.split, etc. and the implementation of these may have been changed by the web page. This may make our code fail, and it is a security problem.
Example:
>>> String.prototype.split = function() { return 'foo'; };
function()
>>> 'a,b,c'.split(','); // gives unexpected result
"foo"
So, is there a way to get access to the browser's default implementation of objects and functions as they were before they were changed? It does not have to be standard, I just want the functionality to exist.
Perhaps a more viable way would be to create an empty <iframe> dynamically.
Here's an example that contaminates String.prototype.split in the parent window but gets a clean one from <iframe>.
<html>
<head>
<script type="text/javascript">
function onBodyLoad() {
    String.prototype.split = function() { return 'foo'; }; // contaminate original window
    console.log(String.prototype.split); // yeah, it's contaminated
    var acr = document.getElementById("accessor");
    acr.onclick = function ()
    {
        var dummyFrame = document.createElement("iframe");
        document.body.appendChild(dummyFrame);
        console.log(dummyFrame.contentWindow.String.prototype.split); // uncontaminated
    };
}
</script>
</head>
<body onload="onBodyLoad()">
<a href="#" id="accessor">Access iframe Window object</a>
</body>
</html>
Not in the ordinary sense; although there might be some exotic hacks out there.
The only way I could think of was to make sure your code gets loaded before any other script. If that requirement is fulfilled, necessary global variables can be cloned into a safe location.
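The load-first approach from the last answer, as an added example that is not part of the original thread: it captures references before any page script runs and later invokes them without a fresh `.call` lookup, which a plain saved reference still depends on. The names SafeGlobals, uncurryThis, naiveSplit and demo are hypothetical, and the tampering inside demo() is constructed for illustration.

```javascript
// Added example. Assumption: this file is the first script to run on the page.
const SafeGlobals = (() => {
  const { bind, call } = Function.prototype;
  // uncurryThis(f)(self, ...args) acts like f.call(self, ...args), but the
  // binding is made now, so no `.call` property is looked up at use time.
  const uncurryThis = bind.bind(call);
  return Object.freeze({
    split: uncurryThis(String.prototype.split),
    parse: JSON.parse,         // JSON methods ignore `this`; plain references suffice
    stringify: JSON.stringify,
  });
})();

// A plain saved reference, for comparison: using it still goes through `.call`.
const naiveSplit = String.prototype.split;

// Constructed tampering (the question's override plus Function.prototype.call),
// applied after capture and undone before returning.
function demo() {
  const origSplit = String.prototype.split;
  const origCall = Function.prototype.call;
  try {
    String.prototype.split = function () { return 'foo'; };
    Function.prototype.call = function () { return 'bar'; };
    return {
      tampered: 'a,b,c'.split(','),               // 'foo'
      naive: naiveSplit.call('a,b,c', ','),       // 'bar'
      safe: SafeGlobals.split('a,b,c', ','),      // ['a', 'b', 'c']
      roundTrip: SafeGlobals.parse(SafeGlobals.stringify({ ok: true })).ok,
    };
  } finally {
    String.prototype.split = origSplit;
    Function.prototype.call = origCall;
  }
}

console.log(demo());
```

The array returned by SafeGlobals.split still inherits from the page's Array.prototype, so any method called on it needs the same capture treatment.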