I'm trying to load a script with the firebug console like this:
var script = document.createElement('script');
script.src = 'http://code.jquery.com/jquery-latest.js'; //example
document.getElementsByTagName("head")[0].appendChild(script);
When I run that code the firebug console gives me the error,
Blocked loading mixed active content "http://code.jquery.com/jquery-latest.js"
Is there a way to get around that?
I don't necessarily need to load jquery. The ability to insert scripts with firebug would be useful for development.
As an alternative solution, Firebug's command line allows you to do
include("http://code.jquery.com/jquery-latest.js");
(But https is a good idea in any case.)
Mixed content suggests that you are loading your script from an external source served over http onto your page which is server over https
So, you can use this
script.src = https://code.jquery.com/jquery-latest.min.js;
Here
is a related mozilla documentation.
For security reasons, you cannot load scripts from HTTP in an HTTPS page.
Change the script URL to HTTPS.
Consider the include() command, with which you can do what you want and you can even manage aliases to include your favorite scripts.
Note that by default, include() proposes the "jquery" alias to get jquery-latest. So would just have to use this command:
include("jquery")
Here is the documentation: https://getfirebug.com/wiki/index.php/Include
Florent
Related
I want to import raphael-min.js for my jsp. I'm using
<script src="http://cdnjs.cloudflare.com/ajax/libs/raphael/2.1.2/raphael-min.js"></script>
tag for importing of the script. But the I want to include this js locally because when rendering this script is blocked by the browser. I copy the code from the url above and save it as a js file. and include as this
<script src="${pageContext.request.contextPath}/resources/raphael/raphael-min.js"></script>.
But the problem is js is not function at all. Are there any method to download this and include in jsp file?
We may load js file adding script tag in DOM:
Try the below code:
var script = document.createElement('script');
script.src = PATH;
script.onload = function(){
FILE LOADED
};
document.head.appendChild(script);
It seems weird that a browser is blocking a cloudflare.com URL - are you using AdBlock or similar extensions? Try accessing the page through incognito or private browsing mode (assuming that the extension is disabled - the default - in that mode) for Chrome and Firefox respectively.
If you are seeing a particular error message, please post the error message - it will probably give clues as to why it is being blocked.
P.S: I would've posted a comment if my reputation allowed it. If you post clarifications, I can edit this answer accordingly.
A website is running a jQuery script. I want to use a Chrome Extension to have the site run my own version of the jQuery script, and not the normal one.
So far, I've managed to make the chrome extension find where the website calls the normal script, and I've replaced it with my own:
document.querySelector("script[src^='website.com/originaljqueryscript']").src = 'myjqueryscript';
As a test, I made myjqueryscript the exact same script as the originaljqueryscript. I set the run_at in the manifest to run at document_end.
When I try to open the website with my script enabled, the console logged an error $(...).dialog is not a function. I think this is because jQuery is not loaded in my chrome extension. So then I found which version of jQuery the website is using, and added that to my chrome extension. Now I get this error: $(…).dialog is not a function I believe that error is due to a conflict between the two jQuerys that have been loaded (one on the website, one from my extension).
Am I on the right track, or is there a better way to replace a websites jQuery script with my own?
If this is for a very specific website, loading jQuery from a specific URL, you can use webRequest API to intercept the request to jQuery and redirect it to a file bundled in your extension. E.g.:
chrome.webRequest.onBeforeRequest.addListener(
function(details) { return {redirectUrl: chrome.runtime.getUrl("js/myjquery.js")}; },
{urls: ["https://example.com/js/jquery.js"]},
["blocking"]
);
(Note: this sample is very minimal; you may need to include and inspect request headers to make sure that the source page is your target site - you really don't want to replace a CDN-provided jQuery for all sites)
This assumes that the website does not use Subresource Integrity checks, however I believe that it will bypass a script-src Content Security Policy (redirect is transparent).
Note that .dialog() is part of jQuery UI, not core jQuery; the site presumably loads both, and you'll need to intercept both. It's possible that the site actually bundles them together.
The JavaScript code below is not loading, in the JavaScript console it says,
"Not allowed to load local resource:"
Javascript:
(function () {
var script = document.createElement('script');
script.setAttribute('src','file:///home/chronos/u-1dd073c6b7b8430c0010c7429b07db331325c324/Downloads/Core/tube.js');
document.body.appendChild(script);
}()
);
This stuff is mostly pasted from other questions but perhaps you will find it useful:
Check if your host is fully qualified in here
You can also read a guide in here
Some browsers, like modern versions of Chrome, will even refuse to cross from the http protocol to the file protocol. Chrome and Safari seem to use a more strict implementation of sandboxing (for security reasons) than the other two.
Finally, you shouldn't load javascript files off a local filesystem. You need to have it hosted with your app and load it off the web server.
Create a python server using
python3 -m http.server 8086
and replace the
file:///<PATH_TO_FILE>
with https://localhost:8086/<RELATIVE_PATH_TO_FILE>
I am trying to include script to any client's page. I create firefox extension which find tag and appendChild there with my script. And that works fine.
And it works when client use http pages (It load properly and execute)
But that doesn't work when client use https pages (it load properly but not execute).
I have the same code for http and https. In my code I haven't special http and https conditions. Anyone know what can be wrong ?
I think code is ok, but ok, examples:
Injecting script (in extension):
var myScript = top.window.content.document.createElement('script');
myScript.type = 'text/javascript';
myScript.setAttribute('src','http://path/to/my/script.js');
myScript.setAttribute('onload', 'firefoxInit()');
top.window.content.document.getElementsByTagName('body')[0].appendChild(myScript);
Code to execute:
var manipulate = (function(){
alert('duper execute');
}());
https will not let you run insecure content like scripts from a non-secured url, so your http-hosted script.js won't be allowed to run. Mixed content is blocked by default in the current versions of Firefox and Chrome (not checked IE)
I've written a small userscript for Google Chrome. It works pretty fine, until I call a function initTimer() There is no such a function in my script, but it is in a script in the page on which my userscript runs, but anyway there's an error initTimer() is not defined. I've tried to write window.initTimer(), but it says Object [object DOMWindow] has no method 'initTimer'. So how can I make it work?
Thanks in advance
Because userscripts are typically sandboxed from the rest of the browser environment, userscripts cannot interact with the scripts running on the page itself, nor can scripts running on the page interact with userscripts, for security reasons.
You'll have to do script injection for this, by creating a script element in the page itself containing the code you want to execute.
var s = document.createElement('script');
s.innerHTML = 'initTimer();';
document.body.appendChild(s);
The problem with this, which may or may not break your script, is that the injected code will have no way of communicating directly with the code in the sandbox, so you'd either have to inject all of your code, or use an alternative method to communicate if you need to.