1

The question is: what happens during asynchronous loading of web apps if some script deletes the previously loaded or included scripts?

Let's have several scripts included:

<script src="Squel.js" async="" type="text/javascript"></script>
<script src="PSquel.js" async="" type="text/javascript"></script>
<script src="MySquel.js" async="" type="text/javascript"></script>

No matter whether they are included by markup or dynamically via RequireJS, the same order of asynchronous script includes happens.

Content of MySquel.js file could be this malicious code:

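// getElementsByTagName returns a live HTMLCollection, which has no forEach;
// copy it into an array first so removals do not disturb the iteration.
Array.prototype.slice.call(document.getElementsByTagName('script')).forEach(function(val,i,arr){
    if(/PSquel/.test(val.src)){
        val.parentNode.removeChild(val);
    }
});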

Of course the question is very browser-specific, though; I'm interested in whether there are any quirks around that which open up memory holes in any specific browser. I am also interested in any edge cases you know!

I am very thankful for your response on any of the edge cases you know concerning possibly insecure script loads! Thanks.

4
  • Of course I am not interested in whether or not the domContent is loaded and the access to scripts is viable. I am only interested in the theoretical possibility or the chance of insecurity of this in any kind of browser you know! Commented Feb 8, 2013 at 22:58
  • Your "malicious" code removes script tags from the DOM only, scripts themselves are still in memory and working like nothing has happened. Commented Feb 8, 2013 at 23:01
  • If one of the earlier scripts removes a later tag from the DOM, could that prevent the browser from loading the later script? Commented Feb 8, 2013 at 23:03
  • @Barmar An earlier script can't see any of the latter scripts, since they are not parsed yet, hence it can't also remove any latter script tag. And if we trust Bergi's "afaik" (why wouldn't we?), loading of the latter scripts can't be aborted, even if a timeouted function would remove the tags. Commented Feb 9, 2013 at 0:20

2 Answers

2

Nothing. The <script> nodes are removed from the DOM, but that cannot revert what happened during the execution of the JavaScript which was loaded through them. Actually, they serve no purpose after they are instantiated, which triggers script downloading and evaluation.

The only thing that might be affected are other scripts that rely on the DOM nodes to exist, for example to read templating strings, content location URLs or other data from them.


2 Comments

How about a <script> with async? Will the asynchronously loading script fail, if its tag is removed while loading?
Afaik you cannot abort script loading (irrelevant whether with the async attribute or just dynamically inserted). It's quite a big issue of JSONP.
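An added example (not code from the question or from either answer) of the dependency the first answer mentions: a script that looks up its own tag later loses its data once the tag is removed, while one that copies the data from `document.currentScript` during execution is unaffected. The `data-endpoint` attribute, its value, the function names and the small stand-in document are assumptions made so the example runs outside a browser.

```javascript
// Constructed stand-in for the few DOM members used below so this runs outside
// a browser; in a page you would pass the real `document` instead.
function makeFakeDocument(tags) {
  const head = {
    children: [],
    removeChild(node) {
      this.children.splice(this.children.indexOf(node), 1);
      node.parentNode = null;
      return node;
    },
  };
  for (const t of tags) head.children.push({ ...t, parentNode: head });
  // Every node here is a script, so the tag name argument is ignored.
  return { currentScript: null, getElementsByTagName: () => head.children.slice() };
}

// Fragile: finds its own tag later, so it depends on the node still existing.
function lateLookup(doc, pattern) {
  const tag = Array.from(doc.getElementsByTagName('script')).find((s) => pattern.test(s.src));
  return tag ? tag.dataset.endpoint : null;
}

// Robust: copy what is needed from document.currentScript while the script runs.
function captureAtExecution(doc) {
  const self = doc.currentScript;
  return Object.freeze({ src: self.src, endpoint: self.dataset.endpoint });
}

// The removal from the question, iterating over an array copy.
function removeScripts(doc, pattern) {
  let removed = 0;
  for (const s of Array.from(doc.getElementsByTagName('script'))) {
    if (pattern.test(s.src)) { s.parentNode.removeChild(s); removed += 1; }
  }
  return removed;
}

function demo() {
  const doc = makeFakeDocument([
    { src: 'Squel.js', dataset: {} },
    { src: 'PSquel.js', dataset: { endpoint: '/api/v1' } }, // constructed value
  ]);
  doc.currentScript = doc.getElementsByTagName('script')[1]; // PSquel.js "executing"
  const captured = captureAtExecution(doc);
  doc.currentScript = null; // execution finished
  const removed = removeScripts(doc, /PSquel/);
  return { removed, late: lateLookup(doc, /PSquel/), captured };
}
console.log(demo());
```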
0

The only thing that happens is that the source code in the scripts goes away.

The scripts have already been parsed and executed, which creates JavaScript objects (e.g. function objects), and those objects don't go away when you remove the source code.
