What extra power do addons/extensions have? [closed] - javascript

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 8 years ago.
Compared to scripts within a page, what extra powers do addons/extensions have? They are essentially scripts, so what makes them so special? Besides being static, having buttons on the toolbar, and being able to see the locations of other tabs, what extra functionality do they provide over scripts on a page?

Scripts on a website are generally sandboxed and are limited in what they can do (for security). In contrast, extensions can live outside of the sandbox and interact more with the browser and system. For example, some extensions can manipulate browser history, browser preferences, intercept and modify pages, access your clipboard, or even execute arbitrary code on the system. Taking a look at the Chrome extensions permissions warnings can give you a pretty good idea of what Chrome extensions can do (and which most scripts can't). Also check out the chrome.* APIs which extensions have access to.

It depends on the browser.
For example, in Firefox an extension can open a file on your filesystem, write arbitrary bytes to it, then run the file as an executable. Or put another way, it can do anything Firefox itself (or more generally, any program run by the user running Firefox) can do.

An extension is always around and theoretically works on every site (or on no site at all), while a script within a page only exists within that page. So unless you're talking about a VERY specific function/script only for a specific site, addons are more "available".
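
Which of the capabilities named in these answers a Chrome extension requests is visible in its manifest.json. The following is an added example, not part of the original answers: it lists the high-impact requests in a manifest. The permission table is a hand-picked subset and the sample manifest is constructed.

```javascript
// Added example. The permission names are real Chrome manifest permissions;
// the selection and the wording of each description are this example's own.
const RISKY_PERMISSIONS = new Map([
  ["history", "read and change browsing history"],
  ["privacy", "change privacy-related browser settings"],
  ["webRequest", "observe and intercept network requests"],
  ["clipboardRead", "read the clipboard"],
  ["clipboardWrite", "write to the clipboard"],
  ["nativeMessaging", "exchange messages with a native program outside the browser"],
  ["tabs", "see the URL and title of every open tab"],
]);

// Match patterns that cover every site.
const ALL_SITES = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function auditManifest(manifest) {
  const findings = [];
  // Manifest V2 lists host patterns under "permissions"; V3 uses "host_permissions".
  const requested = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
    ...(manifest.host_permissions || []),
  ];
  for (const name of requested) {
    if (RISKY_PERMISSIONS.has(name)) {
      findings.push({ permission: name, grants: RISKY_PERMISSIONS.get(name) });
    } else if (ALL_SITES.has(name)) {
      findings.push({ permission: name, grants: "access to pages on every site" });
    }
  }
  // Content scripts are injected into each page whose URL matches a pattern.
  for (const script of manifest.content_scripts || []) {
    for (const pattern of script.matches || []) {
      if (ALL_SITES.has(pattern)) {
        findings.push({ permission: `content_scripts:${pattern}`, grants: "inject scripts into every page" });
      }
    }
  }
  return findings;
}

// Constructed sample manifest, not taken from any real extension.
const sampleManifest = {
  name: "Constructed Sample", manifest_version: 2,
  permissions: ["storage", "history", "clipboardRead", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["inject.js"] }],
};
console.log(auditManifest(sampleManifest));
```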

Related

how to detect if any web extensions are being used [closed]

Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 2 years ago.
I want to detect using vanilla javascript if the end-user has any webextensions enabled at all. Is there a way to query for a list of browser enabled webextensions? Hopefully there is another way besides checking for injected scripts, css and image tags that the page was never intended to load.
This question was shut down for not entering enough security reasons. I can understand why that's a concern but it is not a reason to burn a technical question. Regardless, here are security reasons to want to eliminate web-extensions from a website:
web-extensions allow people to break CSP
https://chrome.google.com/webstore/detail/disable-content-security/ieelmcmcagommplceebfedjlakkhpden
scrape your business data, install key loggers to harvest passwords and other information, install image tracking beacons to track private and sensitive end-user information - all unbeknownst to your average end-user.
In addition, deliberate or self-made web-extensions can automate scraping your business data, attempt to spoof captcha logins and other malicious purposes.
One way is:
you can check the number of script tags that the document has (also CSS);
then, if there are more than your own resources,
the user is using an extension.
... some extensions do not add scripts or CSS.
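
The check suggested in this answer, written as an added example (not code from the original post): compare the script and stylesheet URLs found in the document against the list the site itself ships. The function names, the sample URLs and the extension ID are constructed for illustration.

```javascript
// Schemes browsers use for resources served from an installed extension.
const EXTENSION_SCHEMES = ["chrome-extension:", "moz-extension:", "safari-web-extension:"];

// found:    URLs actually present in the document (see collectResourceUrls)
// expected: URLs the site ships, absolute or relative to pageUrl
function findUnexpectedResources(found, expected, pageUrl) {
  const allowed = new Set(expected.map((u) => new URL(u, pageUrl).href));
  const report = { fromExtension: [], unknown: [] };
  for (const raw of found) {
    if (!raw) continue; // inline <script> or <style>: no URL to compare
    const url = new URL(raw, pageUrl);
    if (EXTENSION_SCHEMES.includes(url.protocol)) {
      report.fromExtension.push(url.href);
    } else if (!allowed.has(url.href)) {
      report.unknown.push(url.href);
    }
  }
  return report;
}

// Browser-side collection of external script and stylesheet URLs.
function collectResourceUrls(doc) {
  const scripts = Array.from(doc.querySelectorAll("script[src]"), (s) => s.src);
  const styles = Array.from(doc.querySelectorAll('link[rel="stylesheet"]'), (l) => l.href);
  return scripts.concat(styles);
}

// Constructed sample data so the comparison also runs outside a browser.
const PAGE_URL = "https://shop.example/cart";
const EXPECTED = ["/static/app.js", "/static/site.css"];
const SAMPLE_FOUND = [
  "https://shop.example/static/app.js",
  "https://shop.example/static/site.css",
  "chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/inject.js", // constructed ID
  "https://cdn.example.net/tracker.js",
  "", // inline script
];

const found = typeof document !== "undefined" ? collectResourceUrls(document) : SAMPLE_FOUND;
console.log(findUnexpectedResources(found, EXPECTED, PAGE_URL));
// As the answer notes, an extension that adds no script or CSS tag is not seen by this check.
```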

Where are websites html/js stored on local computer, in chrome, windows 10? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 3 years ago.
When typing some URL, e.g. www.google.com (or www.news.com or any other), some client-side code gets downloaded to my local machine, so that the browser can display and run whatever is in there.
I would like to look at that code and maybe slightly modify it.
My google searches failed, probably because I am unfamiliar with the correct terminology for what I am searching. I wasn't even sure about which tags to put on this question.
Where are websites' client-side files stored locally? Specifically on Chrome, Windows 10.
If you want to view and edit the source of the page you're currently looking at, and have your changes reflected in the page immediately, use the browser developer tools (this will be much better than "View source", as it will interpret any client-side DOM generation, give you a collapsible, edited, nested-list view of the DOM, etc).
If you want to make changes that would persist, i.e. every time you view a particular website your changes will be applied to it automatically, then you're looking at building yourself a browser extension, either for your specific browser or cross-browser.
Browsers don't, as far as I know, store the source of a page during render on disk in any way that can be viewed or usefully modified.

Is it possible to make a web-app which works offline? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 6 years ago.
I know I could utilize client-side storage, cookies, WebSQL to make an app independent of the internet if the tablet/phone went offline for a bit. But at the end of the day if the user refreshes the browser, the site will try to load the HTML/CSS/JS and it's going to fail to load. I haven't been keeping up on HTML5 enhancements in the last year so I'm wondering if something like this exists. For instance specifically telling the browser to cache the static assets and use them again upon reload unless newer versions exist.
NOTE: I'm only interested in how to allow the page to go through a reload with the site offline if such thing exists.
I believe that @NickZuber has answered my question with his link. The thing I was looking for is
Application Cache
Works on most (90%+) modern browsers
Best suited for storing application code
The only option to reliably load a website from nothing offline
Can store a significant amount of data (50mb+)
Very difficult to use without causing unintended consequences for most websites
Here is a working example of it in action. You can essentially turn off your internet, hit refresh on the browser, close the browser and re-open it. Whatever you want and the app loads up just fine complete with Images, CSS Styles, and Javascript.

which one is the fastest? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 8 years ago.
I'm working on a website which is used on Chrome and IE8. I made it with Javascript and it works fine on Chrome but it is slow on IE.
Is VBScript faster than JavaScript on IE? Should I translate my code into VBScript for IE?
VBScript is executed for web sites on IIS (web servers), JavaScript mostly on the client side.
I do not see how it would not work on any browsers unless you are uploading something to client machines as a vbs file. That is dangerous and could be considered a security threat - an antivirus program may simply block it or delete the file altogether.
Basically, the question is not about whether VBScript is supported by any browsers, simply because browsers never ever touch VBScript, but about what you are attempting to do with VBScript. And anyone who says that it is not supported by any browser needs to take lessons from W3S school all over again.
These are scripting languages with different purposes on the web: VBScript for server-side processing, while JavaScript is mostly to be used on the client side. And before anyone starts discussing that JavaScript can be used on the server side, please look at what I put in bold letters. There are JavaScript libraries, AJAX and jQuery etc., which can be used to process data as well as to connect to web servers.
If you are looking for a replacement for VBScript, C# is the best place to start; since you are already working on the Microsoft platform, .NET would be the logical choice. There are a lot of other languages to choose from, but you need to carefully consider what your project is all about, and the budget and time needed to rebuild your project/site.
However, you can write VBScript and JavaScript batch files for local execution, but as I understand it that is not part of your question.

Looking for resources to explain a security risk [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 7 years ago.
I have a developer who has given users the ability to download a zip archive which contains an HTML document which references a relative JavaScript file and Flash document. The Flash document accepts as one of its parameters a URL which is embedded in the HTML document. I believe that this archive is meant to be used as a means to transfer an advertisement to someone who would use the source to display the ad on their site; however, the end user appears to want to view it locally.
When one opens the html document the flash document is presented and when the user clicks on the flash document it redirects to this embedded url. However, if one extracts the archive on the desktop and opens the html document in a browser and clicks the flash object, nothing observable happens, they will not be redirected to the external url.
I believe this is a security risk because one is transferring from the local computer zone to an external zone.
I'm trying to determine the best way to explain this security risk in the simplest of terms to a very end user. They simply believe it's "broken" when it's not broken, they're being protected from a known vulnerability.
The developer attempted to explain how to copy the files to a local IIS instance, which I highly doubt is running on the user's machine, and I do not consider this to be a viable explanation.
I don't think this is an issue. Being able to go in the opposite direction, that is, to execute script originating from a Remote zone to the local zone, is called "Cross Zone Scripting". In fact the most recent 0-day against IE uses cross zone scripting to get remote code execution.
If you look at the restrictions for Adobe Air you can see that it's less restrictive than the Same Origin Policy when it comes to accessing remote resources. I cannot think of a scenario in which this would be valuable to an attacker, especially when comparing to other locally run code, such as an executable written in C++.
Would this be useful? It seems to imply that when it blocks local content, the user gets a notification as such, but it sounds like it's just failing silently.
