|
WebApp Sec
mailing list archives
Re: [WEB SECURITY] Importing large code piece into Javascript context without SCRIPT SRC=...
From: "Amit Klein (AKsecurity)" <aksecurity () hotpop com>
Date: Fri, 14 Oct 2005 20:05:05 +0200
On 14 Oct 2005 at 10:56, Jeremiah Grossman wrote:
Admittedly, I was a bit confused by what your trying to achieve with
code. So sticking the question at hand...
"Importing large code piece into Javascript context without SCRIPT
SRC" ...
I take to do not use the HTML syntax... <script src="http://foo/
file.js"></script>
Here's an idea..
1) DOM Programming
var js = document.createElement('script');
js.setAttribute('src', 'http://foo/file.js');
document.body.appendChild(js);
* same effect, but different style.
Not fair ;-)
This will not be allowed (I supposed) by Content-Restrictions that specify no external code
(see the link in my original writeup). I think (hope...) that the Content-Restrictions
would apply to any JS executed, and to dynamically created HTMLs (such as the above).
And there's also a Content-Restriction against creating/modifying HTML nodes.
But yes, I suppose I should have clarified this. So thanks!
-Amit
 By Date 
By Thread
Current thread:
| 
Intro
