Running JavaScript in Chrome Despite View-Source

Friday, July 10, 2009
Original Source:
http://ha.ckers.org/blog/20090710/running-javascript-in-chrome-despite-view-source/

Yeah, I know, I’m very late to the rush of installing the way over-hyped and extremely poorly named Chrome browser. For those who aren’t in the know, it’s sort of like naming a car “Engine”. Ignorant person says, “I’ve got an Engine.” Smart person says, “I know, I have an Engine too. Everyone who has a car does.” Ignorant person says, “Really? I thought they just came out.” Smart person says, “Wait, are you talking about the car, Engine?” Ignorant person says, “Yes, of course I am.” So people who actually know what chrome is have to deal with ignorant people who think we’re talking about Google’s attempt at installing more crap on people’s desktops and confusingly misinterpret when guys like us are talking about chrome versus Chrome. Gah!

Anyway, despite that idiocy, which I am sure will haunt me for many, many years to come, I was going through looking at some old functionality that I haven’t toyed with in a while and I noticed something odd almost immediately. Google Chrome appears to allow JavaScript to fire despite the fact that you are viewing source through the view-source: directive. Click here for an example (only works in Chrome with JavaScript enabled). This doesn’t work in IE, Firefox, Safari, or Opera - yup, it’s a Chrome-only problem. Why is this a problem? Because some security people use view-source: to neuter the danger of pages that they think are potentially malicious - so that they can safely view the page without any JavaScript firing - alas, so much for that idea - at least in Chrome.
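One way to read a suspect page's source without handing it to any browser engine, given that view-source: cannot be relied on to keep script from firing. This is an added example, not code from the original post; the sample page, the function names and the coarse `on*` attribute match are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Constructed sample standing in for the raw bytes of a suspicious page.
SAMPLE = (b'<html><head><script src="http://example.test/a.js"></script></head>\n'
          b'<body onload="go()"><script>document.title = "ran";</script>\n'
          b'<a href="javascript:void(0)">x</a><p>hello\x1b[2J</p></body></html>\n')

class ScriptInventory(HTMLParser):
    """Records where a browser would run script. Nothing here executes it."""
    def __init__(self):
        super().__init__()
        self.findings = []          # (line number, kind, detail)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        self._in_script = (tag == "script")
        for name, value in attrs:
            value = value or ""
            if tag == "script" and name == "src":
                self.findings.append((line, "external-script", value))
            elif name.startswith("on"):   # coarse match for onload, onclick, ...
                self.findings.append((line, "event-handler", f"{name}={value}"))
            elif value.strip().lower().startswith("javascript:"):
                self.findings.append((line, "javascript-url", f"{name}={value}"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.findings.append((self.getpos()[0], "inline-script", data.strip()))

def visible(ch: str) -> str:
    """Keep printable characters; show control characters as \\xNN."""
    return ch if ch.isprintable() else f"\\x{ord(ch):02x}"

def inert_view(raw: bytes) -> str:
    """Return the source as numbered plain text, safe to print to a terminal."""
    text = raw.decode("utf-8", errors="replace")
    return "\n".join(f"{n:4}: " + "".join(map(visible, line))
                     for n, line in enumerate(text.splitlines(), 1))

def inventory(raw: bytes):
    """Parse the markup statically and list every script entry point found."""
    parser = ScriptInventory()
    parser.feed(raw.decode("utf-8", errors="replace"))
    parser.close()
    return parser.findings

if __name__ == "__main__":
    print(inert_view(SAMPLE))
    for line, kind, detail in inventory(SAMPLE):
        print(f"line {line}: {kind}: {detail}")
```

The bytes would normally come from a non-browser fetch saved to disk; the parser only tokenizes markup, so script bodies are reported as text and never evaluated.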
