A site that I just browsed (cheezburger.com) apparently has vulnerabilities, as someone had injected lines like <script>document.location.href="http://net-cheezburger.cu.cc/"</script> into messages. Firefox redirected itself there, and X-Frame-Options stopped the framing, resulting in an empty screen.
Are there other ways to prevent the script from working in Firefox than adding a CAPS policy to document.location.href on cheezburger sites? That blocks legitimate changes too. Now I just alert with Greasemonkey that a script is in a wrong place, so I know immediately what's going on if they try other malicious scripts.
I'd just like a temporary fix until the site itself is fixed.
I'm wondering whether there is a way to programmatically intercept that script or redirection. If I've understood correctly, you can't change inline scripts with Greasemonkey, but are there other options?
Since you're on Firefox (a modern browser), you could use Object.freeze to make the location object read-only:
Object.freeze(document.location);
document.location.href = "http://google.com";
// No navigation happens
console.log(document.location.href);
// => "http://stackoverflow.com/questions/22290948/stopping-script-from-changeing-document-location-href"
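The detection side of the question (flagging a script "in a wrong place") can be sketched as below. This is an added example, not code from the original post or answer: the function names and sample messages are constructed for illustration, and the regular expressions are a heuristic for inline scripts that navigate the page, not a full HTML or JavaScript parser.

```javascript
// Added example: flag inline <script> bodies that try to navigate the page.
// SAMPLE_MESSAGES is constructed input; the first entry reuses the injected
// line quoted in the question, the others are made up for contrast.
const SAMPLE_MESSAGES = [
  'Nice picture! <script>document.location.href="http://net-cheezburger.cu.cc/"</script>',
  'Plain comment with no markup at all',
  '<script src="/static/site.js"></script> loaded by the site itself',
  'lol <SCRIPT >window.location = "http://example.invalid/"</SCRIPT>',
];

// Inline script blocks: capture the attribute string and the body.
const INLINE_SCRIPT = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;

// Assignments to location / location.href (but not == comparisons),
// or calls to location.assign() / location.replace().
const NAVIGATION =
  /\blocation\s*(?:\.\s*href\s*)?=(?!=)|\blocation\s*\.\s*(?:assign|replace)\s*\(/i;

// Returns the bodies of inline scripts in `html` that write to the location.
function findRedirectScripts(html) {
  const hits = [];
  for (const match of html.matchAll(INLINE_SCRIPT)) {
    const [, attrs, body] = match;
    if (/\bsrc\s*=/i.test(attrs)) continue; // external script: no inline body
    if (NAVIGATION.test(body)) hits.push(body.trim());
  }
  return hits;
}

// Returns { index, hits } for every message that contains such a script.
function scanMessages(messages) {
  return messages
    .map((text, index) => ({ index, hits: findRedirectScripts(text) }))
    .filter((result) => result.hits.length > 0);
}

for (const { index, hits } of scanMessages(SAMPLE_MESSAGES)) {
  console.log(`message ${index}: suspicious inline script -> ${hits.join(" | ")}`);
}
```

In a userscript, the same check would run over the markup of the message elements; which elements hold user-supplied messages is site-specific and is not given on this page.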