I am trying to include a script in any client's page. I created a Firefox extension which finds a tag and calls appendChild there with my script. And that works fine.
And it works when the client uses http pages (it loads properly and executes).
But that doesn't work when the client uses https pages (it loads properly but does not execute).
I have the same code for http and https. In my code I have no special http and https conditions. Does anyone know what can be wrong?
I think the code is ok, but ok, examples:
Injecting script (in extension):
var myScript = top.window.content.document.createElement('script');
myScript.type = 'text/javascript';
myScript.setAttribute('src','http://path/to/my/script.js');
myScript.setAttribute('onload', 'firefoxInit()');
top.window.content.document.getElementsByTagName('body')[0].appendChild(myScript);
Code to execute:
var manipulate = (function(){
    alert('duper execute');
}());
https will not let you run insecure content like scripts from a non-secured url, so your http-hosted script.js won't be allowed to run. Mixed content is blocked by default in the current versions of Firefox and Chrome (not checked IE).
Related
I want to import raphael-min.js for my jsp. I'm using
<script src="http://cdnjs.cloudflare.com/ajax/libs/raphael/2.1.2/raphael-min.js"></script>
tag for importing the script. But I want to include this js locally because, when rendering, this script is blocked by the browser. I copied the code from the URL above, saved it as a js file, and included it like this:
<script src="${pageContext.request.contextPath}/resources/raphael/raphael-min.js"></script>
But the problem is that the js does not function at all. Is there any method to download this and include it in a jsp file?
We may load a js file by adding a script tag to the DOM:
Try the below code:
var script = document.createElement('script');
script.src = PATH;
script.onload = function(){
    // FILE LOADED
};
document.head.appendChild(script);
It seems weird that a browser is blocking a cloudflare.com URL - are you using AdBlock or similar extensions? Try accessing the page through incognito or private browsing mode (assuming that the extension is disabled - the default - in that mode) for Chrome and Firefox respectively.
If you are seeing a particular error message, please post the error message - it will probably give clues as to why it is being blocked.
P.S: I would've posted a comment if my reputation allowed it. If you post clarifications, I can edit this answer accordingly.
The JavaScript code below is not loading, in the JavaScript console it says,
"Not allowed to load local resource:"
Javascript:
(function () {
var script = document.createElement('script');
script.setAttribute('src','file:///home/chronos/u-1dd073c6b7b8430c0010c7429b07db331325c324/Downloads/Core/tube.js');
document.body.appendChild(script);
}()
);
This stuff is mostly pasted from other questions but perhaps you will find it useful:
Check if your host is fully qualified in here
You can also read a guide in here
Some browsers, like modern versions of Chrome, will even refuse to cross from the http protocol to the file protocol. Chrome and Safari seem to use a more strict implementation of sandboxing (for security reasons) than the other two.
Finally, you shouldn't load javascript files off a local filesystem. You need to have it hosted with your app and load it off the web server.
Create a python server using
python3 -m http.server 8086
and replace the
file:///<PATH_TO_FILE>
with https://localhost:8086/<RELATIVE_PATH_TO_FILE>
I have been developing a FF addon recently. My addon will download some configuration files before the contentScriptFile is evaluated. My code is like this:
panel.on("show", function() {
    var url = "http://domain/config.js";
    request({
        url: url,
        onComplete: function(response) {
            worker = tabs.activeTab.attach({
                contentScript: response.text,
                contentScriptFile: [data.url("js/do1.js"), data.url("js/do2.js")]
            });
            ...
        }
    })
});
But your documentation says that contentScriptFile will be run before contentScript, so if I do want to run contentScript first, what should I do?
I have tried to attach twice, first attaching contentScript only, then attaching contentScriptFile, but without success.
Thank you for your time.
You must not execute remote scripts in a privileged context, or execute insecure remote scripts in a potentially secure context. What you're asking fails both:
Executing remote scripts in a somewhat privileged context, namely a content script, which has some privileged capabilities regular web site scripts have not.
Executing an insecure http:// script (you gave that in the example), in the current tab, which might be https://. This would allow Man-in-the-Middle attacks. (Even if you served your "config" from https, the add-on site would still reject your submission, BTW, because it cannot be reviewed as the active content is not complete).
So, effectively, you got two security vulnerabilities, both of which can and should make your add-on end up on the blocklist.
However, you can retrieve your configuration using a non-active/non-executable format, such as JSON or XML (or plain text, if you like).
Passing these configuration values can be achieved by
using either contentScriptOptions (which is not documented in tabs nor worker, but in page-mod but should work for all, as a cursory test shows). Full example:
var tabs = require("sdk/tabs");
tabs.on('activate', function(tab) {
    tab.attach({
        contentScript: 'console.log(self.options);',
        contentScriptOptions: {"abc": 123}
    });
});
Or regular messaging.
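One way to apply the advice in this answer, as an added example (not code from the question or the answer): the downloaded configuration is parsed as JSON and checked against an allowlist before it is handed to contentScriptOptions. The SCHEMA keys and the sample responses are hypothetical, and the Add-on SDK call is shown only as a comment because it runs inside Firefox.

```javascript
// Added example: treat the downloaded configuration as data, never as code.
// The keys in SCHEMA are hypothetical; list the settings your scripts really read.
const SCHEMA = {
  highlightColor: v => typeof v === 'string' && /^#[0-9a-f]{6}$/i.test(v),
  maxItems: v => Number.isInteger(v) && v >= 1 && v <= 100,
  enabledSites: v => Array.isArray(v) && v.length <= 50 &&
    v.every(s => typeof s === 'string' && /^[a-z0-9.-]+$/i.test(s)),
};

// Returns { ok: true, options } or { ok: false, error }.
function parseConfig(text) {
  let raw;
  try {
    raw = JSON.parse(text); // a .js payload fails here: it is not valid JSON
  } catch (e) {
    return { ok: false, error: 'not JSON' };
  }
  if (raw === null || typeof raw !== 'object' || Array.isArray(raw)) {
    return { ok: false, error: 'not an object' };
  }
  const options = {};
  for (const key of Object.keys(raw)) {
    // Own-property check so "__proto__" or "constructor" never match the schema.
    if (!Object.prototype.hasOwnProperty.call(SCHEMA, key)) {
      return { ok: false, error: 'unexpected key: ' + key };
    }
    if (!SCHEMA[key](raw[key])) {
      return { ok: false, error: 'bad value for ' + key };
    }
    options[key] = raw[key];
  }
  return { ok: true, options };
}

// Constructed sample responses: one valid JSON config, one script-style payload.
console.log(parseConfig('{"maxItems": 5, "highlightColor": "#ffcc00"}'));
console.log(parseConfig('var cfg = { maxItems: 5 };'));

// Inside the add-on (SDK calls from this page; they only run in Firefox):
//   var result = parseConfig(response.text);
//   if (result.ok) tabs.activeTab.attach({
//     contentScriptFile: [data.url("js/do1.js"), data.url("js/do2.js")],
//     contentScriptOptions: result.options  // read as self.options in the scripts
//   });
```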
You could use data.load from the self SDK module to load the content script in a string and append the values to the contentScript array:
worker = tabs.activeTab.attach({
    contentScript: [
        response.text,
        data.load("js/do1.js"),
        data.load("js/do2.js")
    ]
});
I'm trying to load a script with the firebug console like this:
var script = document.createElement('script');
script.src = 'http://code.jquery.com/jquery-latest.js'; //example
document.getElementsByTagName("head")[0].appendChild(script);
When I run that code the firebug console gives me the error,
Blocked loading mixed active content "http://code.jquery.com/jquery-latest.js"
Is there a way to get around that?
I don't necessarily need to load jquery. The ability to insert scripts with firebug would be useful for development.
As an alternative solution, Firebug's command line allows you to do
include("http://code.jquery.com/jquery-latest.js");
(But https is a good idea in any case.)
Mixed content suggests that you are loading your script from an external source served over http onto your page which is served over https.
So, you can use this:
script.src = 'https://code.jquery.com/jquery-latest.min.js';
Here is a related Mozilla documentation.
For security reasons, you cannot load scripts from HTTP in an HTTPS page.
Change the script URL to HTTPS.
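The blocking rules described in the answers above (http script on an https page, file: script on a web page), as an added example that is not part of any post: a simplified model of the browser's decision that resolves each script src against the page URL first. The page URL `shop.example`, the file path and the verdict names are constructed for illustration; CSP and extension blocking are not modelled.

```javascript
// Added example: a simplified model of the browser's decision for <script src>.
// Only scheme and host rules are modelled; CSP and extensions are out of scope.
const LOOPBACK = /^(localhost|.+\.localhost|127(\.\d{1,3}){3}|\[::1\])$/;

function scriptLoadVerdict(pageUrl, src) {
  const page = new URL(pageUrl);
  const target = new URL(src, page); // resolves relative and //host/path forms
  let verdict;
  if (target.protocol === 'file:' && page.protocol !== 'file:') {
    // "Not allowed to load local resource": web pages cannot reach the filesystem.
    verdict = 'blocked-local-resource';
  } else if (page.protocol !== 'https:') {
    verdict = 'allowed'; // no mixed-content check on a page that is not https
  } else if (target.protocol === 'https:') {
    verdict = 'allowed';
  } else if (target.protocol === 'http:' && LOOPBACK.test(target.hostname)) {
    // Loopback hosts count as potentially trustworthy in the W3C Secure Contexts
    // spec; browser support for this has varied.
    verdict = 'allowed';
  } else if (target.protocol === 'http:') {
    verdict = 'blocked-mixed-active';
  } else {
    verdict = 'not-modelled';
  }
  return { url: target.href, verdict };
}

function auditScripts(pageUrl, sources) {
  return sources.map(src => scriptLoadVerdict(pageUrl, src));
}

// Script URLs from the posts above, plus a constructed file path and local server.
const SOURCES = [
  'http://path/to/my/script.js',
  'http://cdnjs.cloudflare.com/ajax/libs/raphael/2.1.2/raphael-min.js',
  '//cdnjs.cloudflare.com/ajax/libs/raphael/2.1.2/raphael-min.js',
  '/resources/raphael/raphael-min.js',
  'file:///home/user/Downloads/tube.js',
  'http://localhost:8086/tube.js',
];
for (const page of ['http://shop.example/cart', 'https://shop.example/cart']) {
  console.log(page);
  for (const r of auditScripts(page, SOURCES)) {
    console.log('  ' + r.verdict.padEnd(24) + r.url);
  }
}
```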
Consider the include() command, with which you can do what you want and you can even manage aliases to include your favorite scripts.
Note that by default, include() proposes the "jquery" alias to get jquery-latest. So you would just have to use this command:
include("jquery")
Here is the documentation: https://getfirebug.com/wiki/index.php/Include
Florent
I've written a small userscript for Google Chrome. It works pretty fine, until I call a function initTimer(). There is no such function in my script, but it is in a script in the page on which my userscript runs; anyway, there's an error: initTimer() is not defined. I've tried to write window.initTimer(), but it says Object [object DOMWindow] has no method 'initTimer'. So how can I make it work?
Thanks in advance
Because userscripts are typically sandboxed from the rest of the browser environment, userscripts cannot interact with the scripts running on the page itself, nor can scripts running on the page interact with userscripts, for security reasons.
You'll have to do script injection for this, by creating a script element in the page itself containing the code you want to execute.
var s = document.createElement('script');
s.innerHTML = 'initTimer();';
document.body.appendChild(s);
The problem with this, which may or may not break your script, is that the injected code will have no way of communicating directly with the code in the sandbox, so you'd either have to inject all of your code, or use an alternative method to communicate if you need to.