I grabbed the input of the <script> element in the document a bit and could not load the code. Disclaimer: I'm not an expert on this, I just wanted to share what I tried.
At first I played a little with MutationObserver , watching the DOM for creating the <script> element and deleting it, I came up with the following snippet added at the very beginning of my HTML page, presumably to load it first:
// Create the observer, registering our intercepting callback var obs = new MutationObserver(function (mutations, obs) { // Loop over reported mutations mutations.forEach(function (mutation) { // childList means nodes have been added. That the only thing // we're interested in if (mutation.type !== 'childList') return; // Check the added nodes for (var i=0; i < mutation.addedNodes.length; i++) { var node = mutation.addedNodes[i]; // Ignore all but SCRIPT elements if (node.nodeName !== 'SCRIPT') return; // Remove it node.parentNode.removeChild(node); console.log(node.nodeName); } }); }); // Start observer obs.observe(document, {subtree: true, childList: true});
Obviously, this was doomed to failure. If I need to ask the parent to remove the node, it means that it has already been added to the DOM and loaded (at least loaded) when I came to prevent it.
I tried to get there earlier by overriding document.createElement and returning <div> instead of <script> s:
document.createElementOriginal = document.createElement; document.createElement = function (tagName) { if (tagName.toLowerCase() == 'script') { console.log('Script interception'); tagName = 'div'; } return document.createElementOriginal(tagName); };
But no luck. Looking at the console, no interception was reported. It's too late.
I can only conclude that these extensions are entered before any script is executed on my page, or that the element is injected regardless of the area that I could access in my code.
If you have any suggestions on how I can explore further, feel free to point me in that direction.
svvac
source share