
Print JavaScript code from external file

I am trying to understand how to include JavaScript externally so the code prints to the page.

When I insert the JavaScript directly into the page code, it prints "hello"

<html>
<head>
<title></title>
</head>
<body>
<script type="text/javascript">document.write("hello");</script>
</body>
</html>

However, when I put that same code into an external file, say "javascript.js", and include it (src) in the HTML, it does not print "hello"?

<html>
<head>
<title></title>
<script type="text/javascript" src="http://thewebsite.com/javascript.js"></script>
</head>
<body>
</body>
</html> 

I am trying to understand how to get that external JavaScript file to run and print "hello". How does XSS work then, if a hacker was to include the following tag inside, say, a textarea to call his malicious script from a malicious server?

<script type="text/javascript" src="http://thewebsite.com/javascript.js"></script>

Here's what's in the "javascript.js" file:

<script type="text/javascript">
document.write("hello");
</script>

The file is on the same domain so Same Origin Policy should not apply here and as mentioned if I directly insert code it does work but not when I try to include as separate file.

I thought including JavaScript as an external file should print the contents of the external file (i.e. "hello" in this case) as if it was directly inserted in the HTML page?

> When I insert the JavaScript directly into the page code, it prints "hello"

Correct

> However, when I put that same code into an external file, say "javascript.js", and include it (src) in the HTML, it does not print "hello"?

If the content isn't being written then, presumably, an error is being thrown instead. Check the error console for your browser.

The problem is that you are including the HTML script tags in the JavaScript file. JavaScript files should contain only JavaScript.

> The file is on the same domain so Same Origin Policy should not apply here

It doesn't. The Same Origin Policy just prevents JavaScript running (not loaded from) Origin A from reading data from Origin B. Since the data is included in the script itself, it would still be available, even if the script was loaded from Origin B.
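The failure described in the answer above can be reproduced outside the browser. This is an added example, not code from the original thread: it compiles the posted "javascript.js" content without running it, shows the syntax error caused by the HTML script tags, and extracts the JavaScript that the file should contain. The names `inspectExternalScript`, `syntaxError`, `WRAPPER` and `POSTED_FILE` are hypothetical.

```javascript
// Added example, not code from the original page.
// Contents of "javascript.js" as posted in the question (HTML wrapper included).
const POSTED_FILE = [
  '<script type="text/javascript">',
  'document.write("hello");',
  '</script>',
].join("\n");

// Matches a file whose entire content is wrapped in one <script>...</script> pair.
const WRAPPER = /^\s*<script\b[^>]*>([\s\S]*?)<\/script\s*>\s*$/i;

// Compile the text without running it. new Function() parses the source as a
// function body, which is close enough to a classic script for a syntax check;
// the function it returns is never called.
function syntaxError(source) {
  try {
    new Function(source);
    return null;
  } catch (e) {
    return `${e.name}: ${e.message}`;
  }
}

// Hypothetical helper: report why a file would fail when loaded via <script src>.
function inspectExternalScript(source) {
  const error = syntaxError(source);
  const match = WRAPPER.exec(source);
  const inner = match ? match[1].trim() : null;
  return {
    ok: error === null,
    error,
    wrappedInScriptTags: match !== null,
    // The inner text is offered as a fix only if it compiles on its own.
    fixed: inner !== null && syntaxError(inner) === null ? inner : null,
  };
}

console.log(inspectExternalScript(POSTED_FILE));
console.log(inspectExternalScript('document.write("hello");'));
```

The first call reports a SyntaxError and a script-tag wrapper, which is the error the browser console would show for the posted file; the second reports a clean compile.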

I guess there is a policy enforced by browsers called Same Origin Policy which makes sure that JS from different domains does not access each other's data when loaded in a single page. Let's say that you have a Google Ad and it has some JavaScript in it. It wouldn't be advisable if the script in Google Ads be able to access the data in your site (vice versa, but of course you always have Google Ads or the Like button as an iframe and hence anyway they are most neatly separated).

If you could load the JS file as a src to an image file then I suppose you can achieve what you intend to. (If I am not wrong.)

Edit: The JavaScript file cannot be given as input to the src of an img tag. You can only use it as javascript: scheme.

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.
