跨站脚本

Question

I have a javascript that sits on my server. I want to provide my visitors with javascript code that they can place on their servers in the way that Google Analytics does it. For example:

<script type="text/javascript" src="http://www.somedomain.com/script/script.js?id=2001102"></script>

I got everything working up to the point where I need to grab the id. I'm just not sure what to use for that.

I tried both location.href and location.search, but that gives me url + param of the file where the script is embeded, not "script.js?id=XSOMEIDX"

In script.js I have the following:

function requestContent() {   
var script = document.createElement("script");
script.src = "http://www.somedomain.com/script/xss_script.php?id="I WANT TO INPUT ID HERE+"&url="+location.href;
document.getElementsByTagName("head")[0].appendChild(script);

}

Any how I can take id=XSOMEIDX and put it in xss_script.php?id= ?

Thanks in advance!

Answer 1

You can use URL rewritting to take id=XSOMEIDX and put it in xss_script.php?id=

A mod rewrite rule doing it would look like this :

RewriteRule ^/scripts/([a-zA-Z0-0]+)/script.js$ /scripts/script.php?id=$1

This way you could simply ask the people to include yoursite.com/scripts/{id}/scripts.js

Answer 2

how about setting up the external script tag with a certain attribute?

<script data-my-script="my_value" type="text/javascript" src="http://www.somedomain.com/script/script.js?id=2001102"></script>

in modern browsers you can then do

var scripts = document.querySelectorAll("script[src][data-my-script]");
$.each(scripts, function(i, script) { console.log(script.src); });

and iterate over the nodeList...

NOTE: querySelectorAll is not working cross-browser NOTE: querySelectorAll is returning an array-like object