Prevent page from reading changes made by extension - javascript

I'm writing a chrome extensions which will make some changes to a page using an injected content script. I don't want the page to reverse these changes or read them. Is there any way I can do that?
If it's not possible with content scripts, is there any other way to do it in a chrome extensions?

You can't lock your DOM changes from further modification by the page, there's nothing you can do to prevent the page from reverting any changes your extension makes. The best you can hope to do is capture any events and attempt to block or reverse, but anything like that is likely to be very code intensive.

Related

hide source of HTML page using javascript

I saw How to hide html source & disable right click and text copy? . One of the answers say use ctrl+u to view the source. But, using shortcut.js I can override ctrl+u as well. How do I view source in that case.
There is no way to prevent this. Someone could easily download the page using a non-browser tool like curl or wget, or log all HTTP traffic with Wireshark.
Use this. http://www.fiddler2.com/
Depends on the browser, but you can go to View -> Page Source in most to view the source. You cannot override that, however.
Furthermore, it's considered bad practice, and someone could also just as easily override the functionality through a tool like Firebug.
You can't stop people. It will be passed over the network, and sniffable through Fiddler, or someone can use a text based browser, or disable Javascript entirely, or look through their cache folder for the files they downloaded from your site.
You cannot stop people from seeing your source.
Well it's not possible to prevent users from seeing your script. But what you can do is to make it mire harder that user quits trying after few common methods.
I recommend you to load an initial page. Then load the whole page by using ajax. You can show a friendly loading gif too. This technique has following adanages,
browsers don't show generated HTML. Developers knw how to see this. But Normal user will not find it easily
if any user just press Ctrl+u it'll show the initial page.
wget, curl tool will not work at the first time.
additionally you can obfuscate the main page (which you are going to load by Ajax).
It's nearly impossible to stop people fetching the HTML from your website. I don't see any reason you'd want to hide it in the first place anyway. Hiding something?
Want to view the source no matter what javascript is being used to hide it? cURL the page.
Even if you disable right-click, you can still do a snapshot by pressing the prt scrn key on your keyboard then pasting it into an image editor.
You can't disable it. There are ways to encrypt it, but way more trouble than it's worth.
It's impossible to hide the source, HTML and Javascript are interpreted languages, that mean the browser will "compile" the code on the clients machine.

What's the difference between F5 and Ctrl-F5 in Firefox related to JavaScript events?

When you try this public page: http://slim.nl/shop/default.aspx (update: meanwhile this site has changed such that this question's behavior cannot be tested anymore there), you'll notice a menubar. If you hit F5, the menu in that bar disappears. Same when you come to that page via the Back-button in your browser. It only happens on Firefox (seen on versions 3-7). Using Ctrl-F5, the menubar reappears.
To the best of my knowledge, all JavaScript events that fire when loading a page, including any AJAX cycles, should also fire when refreshing a page with F5 or coming there via the Back-button. What's happening here?
I'd like to know from a programmer's standpoint what the difference is between F5 and Ctrl-F5, preferably more general than just this case. Unless it's a bug in Firefox, of course.
Ctrl+F5 clears the cached files in browsers where as F5 just refreshes the page but it uses cached files. Eg say you load a page make changes to a css file and upload it press refresh or F5. Page just refreshes and doesn't fetch the new revised css file hit ctrl+F5 it goes it clears the cache for the page and fetches the file again from the server. This would then load the new css file which would display the changes.
Firefox caches not only loaded files but changes made to page( user input and even changes to attributes made by JavaScript). Check this. So if your menu depends on some attributes you can just hard-refresh by clicking CTRL+F5.
ctrl+F5 will just force the cache to be ignored. Perhaps you have a subtle asynchronous-programming bug that is only surfaces when you have a faster page load (due to using the cache).
That issue was fixed by rolling-back \js\dnn.controls.dnnmenu.js file to previous version. Not sure what was wrong there(didn't have time to debug), but anyway now it works:)

How can I stop google.com from pulling my cursor away from the URL with Greasemonkey (or Adblock)?

How can I stop google.com from pulling my cursor away from the URL and focusing it on the search box with Greasemonkey?
I use google as my home page and hit the home button to open a new tab, maybe not the best way to do it, but it is habit. I will start typing in a URL and when the page is done loading the Google search field pulls my cursor away when I'm half done typing.
I know a decent amount of javascript but I don't even know where to start when viewing Googles page source. If someone could write a script for this I would love you forever, and I'm sure many others would too!
EDIT:
Possibly the better question is how to do this with Adblock Plus?
EDIT#2:
Is it possible to run javascript before a specific page loads with a firefox plugin? Or, is it possible to block javascript on a page before it loads?
I am not looking for any "work arounds" I am looking for a fix. A fix to remove or disable "document.f.q.focus()".
Edit#3: What about a bookmarklet? Could it be possible with that?
See http://noscript.net/
It's a firefox plugin that disables javascript on sites. You could configure it to just run on google.com, I think (if you do not want it to interfere with other sites).
Noscript is more secure, but it can be a pain because it uses a whitelist approach.
Or you can use YesScript, which operates a blacklist instead.
Re: "I just want to blacklist a specific line of code on 1 site"...
There is no addon to do that. You can block all scripts from a site using NoScript or YesScript. Or you can block a specific JS file using Adblock.
You cannot selectively block bits of JS that are embedded in the main page, except in rare occasions GM can sometimes work around it.
This sounds like trying to use an anvil to smash an ant. Or some other, better, complex-tool-for-simple-job analogy. I would suggest either setting your home page to a blank page, or opening new tabs with a new tab button or Ctrl+T.
I do not believe it is possible, just looking around a bit. The focus actually comes from the onload attribute of the body element:
onload="document.f.q.focus();if(document.images)new Image().src='/images/srpr/nav_logo27.png'"
As you can see, document.f.q.focus() is your issue. However, I can't get a GM script to run before that onload is executed. I'm not too experienced with that particular issue, though: any GM scripts I've written are novelties whose load order doesn't matter a great deal, so long as it's done after the page is loaded.
If you know how to make GM scripts run before an onload (on a very light webpage), then it's as simple as saying unsafeWindow.document.body.onload = null.
You cannot do this with Greasemonkey, because GM cannot manipulate chrome elements enough to set focus to the address bar.
You cannot do this with Adblock for the same reason, and because Adblock just stops external elements from loading.
None of the FF scripting add-ons could do this either, as far as I can tell.
You could write an extension/add-on to reset focus, but the real problem here is that the user is ignoring the tools in place for the job.
As Scott Cranfill said, use Ctrl T to open a new tab.
If a button is absolutely desired, Firefox already provides one. Do this:
In the Firefox menu, select View --> Toolbars --> Customize... .
Find the "New Tab" icon and drag it to your toolbar.
Click that icon, from now on, when you want a new blank tab.
Done!

mini javascript browser

I was wondering if there was anyway I could make another browser within my webpage. Basically I want this browser to be an interactive area on my webpage (about half the page).
The main page should be able to detect where every click was made within the mini browser.
Is there some apis that would help me out? Or would my best bet be to stream a remote desktop?
Programming your own browser engine in Javascript will take you years, and it will inevitably be slow, cumbersome, and prone to errors. Furthermore, your Javascript cannot really have direct access to other website's HTML code, it will have to go through your own server anyway.
You can use an
<iframe>
tag. To detect clicks and mouseovers, you could transform the HTML on your server first, potentially adding "onclick" events. This would let you have XSS access too, and cookie control.
You can embed another page within yours using an <iframe>. Once you do, however, you can't control much of what happens within it, or detect where clicks are made, unless the page within the iframe is from the same domain, for security reasons.
You could try the <iframe> tag.
No, it really can't work that way. My suggestion would be to embed an iframe and then control it using JavaScript. However, you won't be able to control it very well (like, for example, limiting where the user can browse with it).

How to prevent execution of javascript from a browser's address bar?

If I go to this page and then delete the url from my browser's address bar, and then enter
javascript:document.getElementById('rsidebar').value='dsf';
The whole part refreshes. How can I prevent a page from refreshing when executing javascript from the address bar?
Also, are there any other techniques to manipulate a page without having access to the page source like the above method?
No, you cannot stop the user from manipulating the DOM.
You don't need to worry about people manipulating the DOM from the client-side. These changes only effect their local experience. They aren't actually affecting your site for other users.
You can easily manipulate the DOM using tools like Firebug, IEDeveloperToolbar, or Greasemonkey (Javascript engine).
When you do javascript:stuff(); and stuff() produces a return value, the whole page is replaced by it. You can prevent that by using javascript:void(stuff()); or javascript:stuff();void(0);
Already answered by others :)
For Q1: I think this isn't possible because the browser runs every website in its own 'sandbox'
For Q2: I believe Firebug will let you execute javascript on any webpage...
Question 1: As the earlier responders said, nothing you can do I don't think.
Question 2: Check out bookmarklets, some very cool things can be done by running your own JavaScript against pages from various sites. People have written bookmarklets to highlight things on the page, put warning indicators next to links that will open in a new window, or go to aPDF, etc.

Categories

Resources