Prevent script execution with MutationObserver in Firefox?

General discussion about web technology.
Post Reply
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Prevent script execution with MutationObserver in Firefox?

Post by barbaz »

(Spinning off from viewtopic.php?p=103934#p103934 to keep that thread on topic -)
Giorgio Maone wrote: Mon May 03, 2021 2:22 pm MutationObserver callbacks are called after the DOM is modified (but before most side effects of that modification, like repaints or script parsing and execution, happen).
How do you get MutationObserver to prevent script execution in Firefox? This example doesn't for me -

Code: Select all

data:text/html,<meta charset="utf-8"><script>let m=new MutationObserver((ra)=>{for(let r of ra){for(let n of r.addedNodes){if(n.tagName=='SCRIPT')n.remove();}}});m.observe(document.documentElement,{childList:true,subtree:true});window.addEventListener('DOMContentLoaded',(ev)=>{let s=document.createElement('script');s.textContent='alert(1)';document.body.appendChild(s);},false);</script>
(IIRC from other examples, in Chromium this would work, i.e. the alert would not show.)
*Always* check the changelogs BEFORE updating that important software!
-
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Prevent script execution with MutationObserver in Firefox?

Post by Giorgio Maone »

It doesn't work for inline scripts, it should work for loaded scripts.
For the former you can use onbeforescriptexecute though (Firefox only).
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Prevent script execution with MutationObserver in Firefox?

Post by barbaz »

Thanks Giorgio for the response!
Giorgio Maone wrote: Mon May 03, 2021 7:55 pm it should work for loaded scripts.
It doesn't for me, putting this page on my local server -

Code: Select all

<meta charset="utf-8">
<script>
let m=new MutationObserver((ra) => {
  for (let r of ra) {
    for (let n of r.addedNodes) {
      if (n.tagName == 'SCRIPT') n.remove();
    }
  }
});
m.observe(document.documentElement,{childList:true,subtree:true});

window.addEventListener('DOMContentLoaded',(ev) => {
  let s=document.createElement('script');
  s.src='some.js';
  document.body.appendChild(s);
},false);</script>
some.js

Code: Select all

alert('It Did Load And Run!!!!!!!!!!!!!!!!');
Giorgio Maone wrote: Mon May 03, 2021 7:55 pm For the former you can use onbeforescriptexecute though (Firefox only).
That's what I'm currently using for the project where I need this. But I'm uneasy about that because beforescriptexecute is slated for removal Image
*Always* check the changelogs BEFORE updating that important software!
-
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Prevent script execution with MutationObserver in Firefox?

Post by Giorgio Maone »

Yes, mutation observers for that purpose seem to work on Chrome only. Using beforescriptexecute as a fallback seems the only option (other than inserting a <meta> CSP) on Firefox.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0
Post Reply