Databases
StackOverflow2013
Postsdbo
POImproving the Bookmarklet Experience - Though Hacking?
Body
 

Note that there are some explanatory texts on larger screens.

plurals
  1. POImproving the Bookmarklet Experience - Though Hacking?
    text
    copied!<p>So I have a site specific bookmarklet that create a page with a toolbar (using localstorage to set/get variables) and then creates an iframe for a destination site, say <code>www.example.com</code>. [Idea heavily borrowed from the wonderful RWD Bookmarklet (<a href="http://responsive.victorcoulon.fr/" rel="nofollow">http://responsive.victorcoulon.fr/</a>) ]. It works great, but I wanted to provide that a clickable link to that bookmarklet (because it is a pain to add a bookmarklet in an Ipad) but unfortunately that results in the obvious XSS cross-site problems since the link does not reside within <code>www.example.com</code>. </p> <p>To improve this experience I was wondering if it would be possible to do have a popup (like twitter's) which would exploit an existing generic <code>loadScript</code> function currently present on <code>www.example.com</code>. From within the javascript console on <code>www.example.com</code> I currently can invoke a <code>supervar.loadScript("http://dl.dropboxusercontent.com/s/blah/thefile.js")</code> and it works. Which means I do not need to append or cross load the js into the iframe but I would need the iframe itself to invoke the <code>supervar.loadScript</code> call. </p> <p>It is <em>possible</em> to invoke the supervar.loadScript on say a window.onload/document.ready type scenario or would the context of the popup code be pointing to about:blank/notexample.com in which case the <code>supervar</code> would not exist. Could <code>window.postMessage</code> be of any use?</p> <h2>UPDATE: Clarification</h2> <p>I am trying to have a button which would contain javascript code that in turn would open a new window/tab to a site but would be able to invoke a command on a variable that will be present when the DOM is ready. Again, I'm quite new to XSS so I'm not sure if this is a security problem on the site. I'm not trying to access variables from one site to the next, just a means to load a userscript on a site without having to use a bookmarklet.</p> <p>For a real test:</p> <p>Visit: <code>firsttaste.kraftcanada.com</code>. Open the javascript console and then enter: <code>nitroWidget.loadScript("https://dl.dropboxusercontent.com/s/fcfbpfdmzrxywh9/mwolfe_alert.js")</code> This will execute the mwolfe_alert.js which merely contains an alert message.</p> <p>Is there a way that I could create a clickable link on a site outside of *.kraftcanada.com which would create a popup/new tab that upon the {document,window,$}.onload/read would invoke the nitroWidget.loadScript?</p>
 

Querying!

 
Guidance
An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload