HNatWORK | 14 years ago

I believe Chrome shows the original source because when you View Source, it requests the page again. This complicates debugging Ajax requests (and also Get and Post requests).

Firefox and IE show the "current" source, which is liable to be replaced as shown by dave1010uk.

Type the following into the Chrome Dev Tools console, then the Firebug console:

  testBool = true;
  document.write('');
  typeof testBool;

Chrome shows boolean, Firefox shows undefined.

JoachimSchipper|14 years ago

Note that re-downloading the source prevents this attack, but does not mean that the source you are looking at is what the page is actually running - just make the web server leave out the reference to evil.js the second time an IP address requests the page...

cmelbye|14 years ago

I think that's correct about Chrome. If you want to see the "current" source, the Web Inspector is the way to go.

knotty66|14 years ago

I wondered if there is anything different about the second (view source) request that could be detected and a different response provided - but I don't think so after a quick look with Wireshark.

sesqu|14 years ago

Well, you could set up a temporary client blacklist based on cookies or IP addresses.

nightpool|14 years ago

The Firefox plugin Web Developer lets you set an option (View source in tab) that makes it work like the Chrome view source.

Tsagadai|14 years ago

If you right click in Chrome for 'inspect element' you also get disappearing source code.
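
An added example, not written by any commenter in this thread: since a re-downloaded View Source and the live DOM can disagree, this sketch inventories the scripts in each view and reports the ones that appear in only one of them. The function names, the sample markup and `app.js` are constructed for illustration; `evil.js` is the file name used in the discussion above.

```javascript
// Inventory of scripts in an HTML string: external ones by src, inline ones by body.
// Regex extraction is a simplification that keeps the example runnable outside a browser.
function scriptInventory(html) {
  const items = new Set();
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    // Require whitespace before "src" so attributes such as data-src are not matched.
    const src = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[1]);
    if (src) {
      items.add("src:" + (src[1] ?? src[2] ?? src[3]).trim());
    } else if (m[2].trim()) {
      items.add("inline:" + m[2].trim());
    }
  }
  return items;
}

// Compare the re-downloaded source with the serialized live DOM.
function diffViews(refetchedHtml, liveHtml) {
  const refetched = scriptInventory(refetchedHtml);
  const live = scriptInventory(liveHtml);
  return {
    onlyInLive: [...live].filter((s) => !refetched.has(s)).sort(),
    onlyInRefetched: [...refetched].filter((s) => !live.has(s)).sort(),
  };
}

// Constructed sample input: the second download omits one script reference.
const SAMPLE_REFETCHED =
  '<html><head><script src="app.js"></script>' +
  "<script>var x = 1;</script></head><body></body></html>";
const SAMPLE_LIVE =
  '<html><head><script src="app.js"></script>' +
  "<script data-src=\"ignored.js\" src='evil.js'></script>" +
  "<script>var x = 1;</script></head><body></body></html>";

// In a browser console the two inputs would be:
//   liveHtml      = document.documentElement.outerHTML
//   refetchedHtml = await (await fetch(location.href)).text()
console.log(diffViews(SAMPLE_REFETCHED, SAMPLE_LIVE));
```

A non-empty `onlyInLive` is a prompt to look closer rather than proof of tampering, since pages add scripts dynamically for ordinary reasons, and a DOM that has been overwritten no longer lists what already ran.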