Welcome to WebmasterWorld Guest from 3.233.226.151

Forum Moderators: open

Message Too Old, No Replies

appendChild SCRIPT elements

Firefox says no more

     
10:47 pm on Feb 19, 2009 (gmt 0)

Administrator

WebmasterWorld Administrator coopster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:July 31, 2003
posts:12555
votes: 3


I have been working with event properties quite a bit lately and was finalizing a little helper script that I use for investigating which properties are available cross-browser. In my research work today I came across this note in the Mozilla documentation:

[developer.mozilla.org...]

Note: Starting in Firefox 3.1, you can no longer use this method to append script elements that retrieve their code from anything other than
chrome:
URLs.

I'm assuming this is a security enhancement and am a bit disappointed that I will no longer have this option available. I use it quite often in development to include scripts from other libraries when necessary. In light of the new information I realize I must reform my methods. I'm interested to hear others thoughts on workarounds ...

8:50 pm on Feb 26, 2009 (gmt 0)

Administrator

WebmasterWorld Administrator coopster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:July 31, 2003
posts:12555
votes: 3


Unless I am misunderstanding the note on the Mozilla documentation page for appendChild, we will no longer be able to append a <script> element in the following manner:

var script = document.createElement('script');
script.type = 'text/javascript';
script.src = 'test.js';
document.getElementsByTagName('head')[0].appendChild(script);

Which really makes no sense to me as we can always revert to the document.write method of old. I would rather use the DOM methods personally.

One week later and no responses anywhere. I've posted in the mozilla forums and searched the mailing lists but have come up empty. Nobody else curious or concerned about this pending change? It could potentially break quite a few pages, those that rely on attaching scripts using the DOM appendChild method anyway.

9:49 pm on Feb 26, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 14, 2004
posts:1181
votes: 0


I can see restricting the domain which is allowed to provide new JavaScript to the originating one, but a blanket restriction such as this seems Draconian in the extreme.
10:41 pm on Feb 26, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 13, 2002
posts:662
votes: 0


Oh dear...that breaks A LOT of existing code. It's a simple fix, but really, if it's on the same domain shouldn't it be trusted?
10:44 pm on Feb 26, 2009 (gmt 0)

Administrator

WebmasterWorld Administrator coopster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:July 31, 2003
posts:12555
votes: 3


seems Draconian in the extreme

Well hello there stranger, great to hear from you. I agree, it is extreme. I have been searching for a mailing list or otherwise where this new "feature" has been discussed and am coming up empty. Do you have any idea where the developers may be discussing this change?

10:51 pm on Feb 26, 2009 (gmt 0)

Administrator

WebmasterWorld Administrator coopster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:July 31, 2003
posts:12555
votes: 3


if it's on the same domain shouldn't it be trusted?

That's 3 of us that feel the same way. And I'm not seeing anything in the standard [w3.org] that reads otherwise.

12:36 am on Feb 27, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 14, 2004
posts:1181
votes: 0


You know, this seems an incomplete security solution, anyway. What about insert and replace methods?
1:29 am on Feb 27, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 3, 2005
posts:1585
votes: 0


from anything other than chrome: URLs.

This language is vague, hopefully they just mean a cross domain restriction, that seems to be the only security issue.
6:37 am on Feb 27, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 14, 2004
posts:1181
votes: 0


I believe the chrome: URL restriction, in essence, limits the practice to Firefox extensions.

[edited by: Rambo_Tribble at 6:38 am (utc) on Feb. 27, 2009]

8:02 pm on Feb 27, 2009 (gmt 0)

Administrator

WebmasterWorld Administrator coopster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:July 31, 2003
posts:12555
votes: 3


That was my thoughts too.

What about insert and replace methods?

Good point. There is no mention on their respective pages about the limitation. This is extremely vague.

3:21 am on Mar 2, 2009 (gmt 0)

Full Member

10+ Year Member

joined:Sept 5, 2007
posts:264
votes: 0


This seems hard to believe. Seems like a mistake. And a very big deal if it's not.
Has anyone tested this to see if the appendChild fails?
7:31 pm on Mar 2, 2009 (gmt 0)

Administrator

WebmasterWorld Administrator coopster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:July 31, 2003
posts:12555
votes: 3


As of right now it appears to be a documentation update in regards to a couple of bug fixes. Neither bug affects
appendChild
behavior in terms of whether the script executes. All that is affected is whether the executing script gets
XPCNativeWrapper
automation and is relevant only to chrome documents. I believe we will see an update to the documentation soon.
6:47 pm on Mar 4, 2009 (gmt 0)

Administrator

WebmasterWorld Administrator coopster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:July 31, 2003
posts:12555
votes: 3


Now updated. Whew, glad that's over :)