Improving the Bookmarklet Experience

So I have a site-specific bookmarklet that creates a page with a toolbar (using localStorage to set/get variables) and then creates an iframe for a destination site, say www.example.com. [Idea heavily borrowed from the wonderful RWD Bookmarklet (http://responsive.victorcoulon.fr/).] It works great, but I wanted to provide a clickable link to that bookmarklet (because it is a pain to add a bookmarklet on an iPad), but unfortunately that results in the obvious XSS cross-site problems, since the link does not reside within www.example.com.

To improve this experience I was wondering if it would be possible to have a popup (like Twitter's) which would exploit an existing generic loadScript function currently present on www.example.com. From within the JavaScript console on www.example.com I can currently invoke supervar.loadScript("http://dl.dropboxusercontent.com/s/blah/thefile.js") and it works. This means I do not need to append or cross-load the JS into the iframe, but I would need the iframe itself to invoke the supervar.loadScript call.

Is it possible to invoke supervar.loadScript in, say, a window.onload/document.ready type scenario, or would the context of the popup code be pointing to about:blank/notexample.com, in which case supervar would not exist? Could window.postMessage be of any use?

UPDATE: Clarification

I am trying to have a button which would contain JavaScript code that in turn would open a new window/tab to a site, but would be able to invoke a command on a variable that will be present when the DOM is ready. Again, I'm quite new to XSS, so I'm not sure if this is a security problem on the site. I'm not trying to access variables from one site to the next, just a means to load a userscript on a site without having to use a bookmarklet.

For a real test:

Visit firsttaste.kraftcanada.com. Open the JavaScript console and then enter: nitroWidget.loadScript("https://dl.dropboxusercontent.com/s/fcfbpfdmzrxywh9/mwolfe_alert.js") This will execute mwolfe_alert.js, which merely contains an alert message.

Is there a way that I could create a clickable link on a site outside of *.kraftcanada.com which would create a popup/new tab that, upon {document,window,$}.onload/ready, would invoke nitroWidget.loadScript?
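As an added illustration (not part of the question or of either site's code): the same-origin policy prevents the opener or parent page from calling a function such as supervar.loadScript inside a cross-origin window, so the only legitimate route is for the destination site itself to opt in with a window.postMessage listener. The listener below shows what that opt-in has to check before loading anything: the sender's origin, the message shape, and an exact allowlist of script URLs. The origins, URLs and function names are assumptions for illustration.

```javascript
// Constructed allowlists for the destination site (www.example.com).
const ALLOWED_ORIGINS = new Set(['https://tools.example.org']);
const ALLOWED_SCRIPTS = new Set(['https://www.example.com/static/toolbar.js']);

// Pure decision function: returns the script URL to load, or null to refuse.
// It takes only the fields of a MessageEvent it needs, so it can be tested
// without a browser. An exact href match also rejects query/fragment tricks.
function decideScriptLoad(event, allowedOrigins = ALLOWED_ORIGINS,
                          allowedScripts = ALLOWED_SCRIPTS) {
  if (!allowedOrigins.has(event.origin)) return null;        // unknown sender
  const data = event.data;
  if (!data || typeof data !== 'object') return null;
  if (data.type !== 'loadScript' || typeof data.url !== 'string') return null;
  let url;
  try { url = new URL(data.url); } catch { return null; }   // malformed URL
  if (url.protocol !== 'https:') return null;                // no downgrade
  return allowedScripts.has(url.href) ? url.href : null;
}

// Browser-side wiring for the destination site; skipped outside a browser.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.addEventListener('message', (event) => {
    const url = decideScriptLoad(event);
    if (url === null) return;          // ignore anything that failed a check
    const s = document.createElement('script');
    s.src = url;
    document.head.appendChild(s);
    // Reply only to the verified sender, never with targetOrigin '*'.
    event.source.postMessage({ type: 'scriptLoaded', url }, event.origin);
  });
}

// Sender side (the page hosting the button): name the target origin
// explicitly so the request is dropped if the window navigated elsewhere.
function requestScriptLoad(targetWindow, url) {
  targetWindow.postMessage({ type: 'loadScript', url }, 'https://www.example.com');
}
```

Without this listener shipped by the destination site, a popup from another origin cannot reach nitroWidget.loadScript at all.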
