1

I have this self-executing function:

<script type="text/javascript">
(function() {
var sc      = document.createElement('script'); 
    sc.src   = 'http://blahblah.com/test.js';
    sc.type = 'text/javascript'; 

var s = document.getElementsByTagName('script')[0];
s.parentNode.insertBefore(sc, s);
})();
</script>

All that is contained in test.js is:

document.write('ping!');

However, it hangs -- am I doing something incorrect?

I found a way to go around the document.write but now the only question is why does this not work. 

var nc = document.createElement('div');  
nc.appendChild(document.createTextNode('blah'));  
var scr = document.getElementsByTagName('script')[0];  
scr.parentNode.insertBefore(nc, scr);
  • 2
    Why are you doing this? What are you trying to achieve? – Ben S Jun 23 '10 at 18:56
  • 1
    Does it hang on all browsers? Is there anything else in the script that could potentially cause the browser to hang? I wrote some simple tests similar to your code, and they work fine on Firefox, Safari, and Chrome. – Anurag Jun 23 '10 at 19:37
  • 1
    Here's a version of the working script you can [checkout](http://anurag.heroku.com/tests/remoteDocWrite/index.html). The JavaScript is [test.js](http://anurag.heroku.com/tests/remoteDocWrite/test.js). The page initially starts with the text "World!" which gets replaced by a new document showing "Hello" after the remote script is loaded. – Anurag Jun 23 '10 at 19:43
  • @Anurag, in firefox it never stops loading. –  Jun 23 '10 at 20:21
  • I see the forever loading spinner too, but it's a problem with Firefox. The page does load, and didn't hang in the conventional sense - blue screen of death or ctrl+alt+del kind. – Anurag Jun 24 '10 at 06:25

1 Answers1

2

I have no idea what you're trying to accomplish, but your code is valid as long as it's hosted on http://blahblah.com/.

Your browser won't let you execute remote code to manipulate the original page. It's not that dumb.

Dolph
  • 44,962
  • 13
  • 58
  • 86
  • There's nothing wrong with running remote scripts. The catch is when they try and manipulate the DOM, etc. – Dolph Jun 23 '10 at 19:06
  • 1
    Not quite, including external scripts in this way is perfectly valid, that's how [JSON-P](http://remysharp.com/2007/10/08/what-is-jsonp/) works for example... The real problem is [`document.write`](http://stackoverflow.com/questions/802854/why-is-document-write-considered-a-bad-practice)... – Christian C. Salvadó Jun 23 '10 at 19:06
  • >Your browser won't let you execute remote code to manipulate the original page. It's not that dumb. ummm that's not true. –  Jun 23 '10 at 20:11
  • 1
    Dolph is right, if both scripts are not on the same domain it won't work. Not that way. JSON-P is working because what is fetched is eval'ed by a local script. This to work one has to download http://blahblah.com/test.js in a string then eval that string. – Claude Vedovini Jun 23 '10 at 20:22
  • 1
    @Claude @Dolph - that is not true. The remote script will have equal rights unless it's inside an iframe, and domains mismatch. – Anurag Jun 23 '10 at 21:19
  • I'm not aware of a standard for JavaScript security practices. If that's the case, browsers may implement and enforce their own proprietary security policies differently. – Dolph Jun 23 '10 at 22:10