0

This code works:

(function() {
        var scr = document.createElement('script');
        var head = document.getElementsByTagName('head')[0];
        window.insert = function(data) {
                alert(data);
        };
        scr.src = 'http://nocore.info/test.php?callback=insert';
        scr.type = 'text/javascript';
        head.appendChild(scr);
})();

It's tested using jsFiddle. What it does is it gets a string via JSONp and alerts it.

And so does this code:

(function(){var a=document.createElement("script"),b=document.getElementsByTagName("head")[0];window.insert=function(a){alert(a)};a.src="http://nocore.info/test.php?callback=insert";a.type="text/javascript";b.appendChild(a)})();

But when I type javascript: in the URL bar followed by this code, I get nothing. Why exactly is this? I'm not aware of any such behavior. I can set window.* variables in the URL bar and I can manipulate DOM.

So what's the problem here guys?

Thanks guys. Appreciate your help.

1
  • It's working. I got an alert that says "This is a test" and a script tag in <head/>. Commented Oct 30, 2013 at 7:52

2 Answers

1

It just doesn't work when you're on Google. I've tried it on a different page and it works.

It works on Google too. You can find a <script> tag in <head/>. However, there is no alert window popping up. That's because:

Can someone please explain why this is?

Google is using HTTPS, and if your website delivers HTTPS pages, all active mixed content delivered via HTTP on these pages will be blocked by default in Chrome and Firefox (haven't tested other browsers).

That means, if your site runs on Secure SSL, the browser will block some insecure content from external HTTP sources. In your case, that's http://nocore.info/test.php?callback=insert. Open your console panel, and you will see an error/warning like this:

[blocked] The page at https://www.google.com/ ran insecure content from http://nocore.info/test.php?callback=insert.

How to fix:

  1. Use another host that supports Secure SSL. https://yournewhost/test.php?callback=insert will work. If we are talking about some common JavaScript library, use a CDN such as Google or Microsoft that supports HTTPS.
  2. Take Chrome for example: disable the insecure content check by using a command line parameter for Chrome called "-allow-running-insecure-content". [NOT RECOMMENDED]

About mixed content and how to view it - Knowledge Base
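
The blocking rule described in this answer, as an added example that is not part of the original answer: a simplified classifier for whether a subresource load counts as mixed content on a given page. The function name `classifyLoad`, the kind names, the return labels, and the `example.com` and `logo.png` URLs are assumptions made for illustration; real browsers apply further rules (for example loopback exemptions) that are left out here.

```javascript
// Added example: simplified mixed-content classification, not a browser's real code.
// Resource kinds that can run code or restyle the page ("active" content).
const ACTIVE_KINDS = new Set(['script', 'stylesheet', 'iframe', 'xhr']);
// Resource kinds that are only displayed or played ("passive" content).
const PASSIVE_KINDS = new Set(['image', 'audio', 'video']);

// Simplification: only https: and wss: are treated as secure schemes.
function isSecureScheme(url) {
  return url.protocol === 'https:' || url.protocol === 'wss:';
}

// Returns 'not-mixed', 'blocked-active' or 'passive-mixed'.
function classifyLoad(pageUrl, resourceUrl, kind) {
  if (!ACTIVE_KINDS.has(kind) && !PASSIVE_KINDS.has(kind)) {
    throw new TypeError('unknown resource kind: ' + kind);
  }
  const page = new URL(pageUrl);
  // Resolve against the page so protocol-relative URLs ("//host/path")
  // inherit the page's scheme, as they do in a browser.
  const resource = new URL(resourceUrl, page);

  if (!isSecureScheme(page)) return 'not-mixed';     // HTTP page: nothing to protect
  if (isSecureScheme(resource)) return 'not-mixed';  // secure page, secure resource
  // Secure page, insecure resource: active kinds are the ones blocked by default.
  return ACTIVE_KINDS.has(kind) ? 'blocked-active' : 'passive-mixed';
}

// The JSONP URL from the question, evaluated in different contexts.
const jsonp = 'http://nocore.info/test.php?callback=insert';
const cases = [
  ['https://www.google.com/', jsonp, 'script'],
  ['http://example.com/', jsonp, 'script'],                       // constructed page URL
  ['https://www.google.com/', '//nocore.info/test.php?callback=insert', 'script'],
  ['https://www.google.com/', 'http://nocore.info/logo.png', 'image'], // constructed path
];
for (const [page, res, kind] of cases) {
  console.log(page, '<-', kind, res, '=>', classifyLoad(page, res, kind));
}
```

The same bookmarklet therefore behaves differently depending on the scheme of the page it runs on, which matches the difference the asker saw between Google and other pages.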


0

OK, apparently @Wayne is right. It just doesn't work when you're on Google. I've tried it on a different page and it works. Can someone please explain why this is? How is their JavaScript able to 'disarm' this code?
