0

I'm currently trying to write a script that I will try to use in an extension for Chrome. I understand that unsafeWindow doesn't work in Chrome, so I found a workaround (via this person's github) that mimics the functionality of the object.

Here's the relevant code from the link:

var unsafeWindow = (function() {
    var e1 = document.createElement('p')
    e1.setAttribute('onclick', 'return window;');
    return e1.onclick();
})();

I can then use this function to access a website's custom/unique JavaScript Objects and their prototypes/properties, like so:

var newVar = unsafeWindow.WEBSITE.uniqueObject.prototype.uniquePrototype ... etc.

I was told though that this workaround hack is not good practice and is only ever used when there's no other easy way to access unique objects.

What would be a better or safer way to access a website's unique Objects and their prototypes/properties without using something like unsafeWindow?

tempcode
  • 175
  • 1
  • 2
  • 11

2 Answers2

1

I notice that you did not give a real example, and I'm not going to cover all the hypothetical possibilities; there are a variety of techniques for a variety of real-world websites.

The safe, cross-browser, works almost every time it's tried, method is Script Injection:

function GM_main () {
    var newVar = WEBSITE.uniqueObject.prototype.uniquePrototype;
    /* Or, explicitely...
    var newVar = window.WEBSITE.uniqueObject.prototype.uniquePrototype;
    */

    // DO WHATEVER WITH newVar HERE.
}

addJS_Node (null, null, GM_main);

//-- This is a standard-ish utility function
function addJS_Node (text, s_URL, funcToRun, runOnLoad) {
    var D                                   = document;
    var scriptNode                          = D.createElement ('script');
    if (runOnLoad) {
        scriptNode.addEventListener ("load", runOnLoad, false);
    }
    scriptNode.type                         = "text/javascript";
    if (text)       scriptNode.textContent  = text;
    if (s_URL)      scriptNode.src          = s_URL;
    if (funcToRun)  scriptNode.textContent  = '(' + funcToRun.toString() + ')()';

    var targ = D.getElementsByTagName ('head')[0] || D.body || D.documentElement;
    targ.appendChild (scriptNode);
}

Two variations of this were also linked from your previous question.

However, the most common cases of people wanting to use unsafeWindow seems to be to defeat ad-display timers or to trigger javascript that is normally triggered by a link or button.

In the common button/link scenario, don't break the sandbox with unsafeWindow. Just programmatically click or mousedown the control.

In the case of cheating a website timer, since it is one line (not counting the hack), this is one case where unsafeWindow might be a good fit. EG:

unsafeWindow.payTheBillsTimerCounter = 0;

Beware:

  1. Angry webmasters can theoretically exploit unsafeWindow.
  2. Please don't violate any Terms of Service (TOS).
  3. Please support websites whose resources you use (a lot).
  4. For Chrome userscripts and content-scripts, the unsafeWindow hack will probably be blocked circa Chrome version 28. For straight scripting on Chrome, switch to Tampermonkey. Tampermonkey is likely to keep supporting unsafeWindow, without any hacks needed (on your part).
    Tampermonkey also provides near-perfect Greasemonkey compatibility and a host of features that Chrome userscripts do not.
Community
  • 1
  • 1
Brock Adams
  • 90,639
  • 22
  • 233
  • 295
  • If you are just trying to monitor and modify content added by AJAX, that is a very different problem than the one posed by this question! (And a reason why the FAQ stets that questions should be about specific, real-world problems.) That problem has been addressed in numerous questions and is unrelated to `unsafeWindow` -- which is not needed in that case. – Brock Adams Apr 19 '13 at 00:40
0

You can use Message Passing to send information between the browser page and your extension, and vice versa, securely.

Xotic750
  • 22,914
  • 8
  • 57
  • 79
  • maybe I'm confused, but the info there says that Message Passing is between the script and the rest of the extension - but I'm trying to have variables or functions in my script access the prototypes/properties of the custom/unique javascript objects of a website, as you would do with `unsafeWindow` – tempcode Apr 18 '13 at 22:38
  • You have a content script that sits in that environment. The extension signals the content script to do something. The task is performed and the content script sends back the information to the extension. Unless you are trying to do something odd that you haven't described in your question. – Xotic750 Apr 18 '13 at 22:45
  • it's the "do something" part that's the issue (unless I'm misunderstanding the purpose of `unsafeWindow`) - my script has functions or variables that I want to access a webpage's own script, like "jumping over" the DOM and accessing the custom object properties from that webpage's script (since, as shown on [this Google dev video](http://www.youtube.com/watch?v=laLudeUmXHM), they say that "no javascript objects are shared between isolated worlds" in Chrome). That's where `unsafeWindow` or its mimic function comes in. – tempcode Apr 18 '13 at 23:03
  • Yes, but what are you trying to do that can't be done with messaging? I've had absolutely no problem interacting between the environments in the past, between parent window, iframes and extension: get variables execute functions ... – Xotic750 Apr 18 '13 at 23:15
  • The OP is trying to interact with the browsed-page's javascript (which he doesn't control). Message passing may eventually be required, but it doesn't address the current question. – Brock Adams Apr 19 '13 at 00:14
  • In some of my scripts I do just that, interact with the browsed-pages javascript by injecting a script (a proxy so to speak) and then comunicate to/from the extension via it. So, you can interact securely without unsafeWindow, but not directly from the extension on the pages objects and variables. And it is still not clear to me why he needs such direct and insecure access to these. I have managed Mouse clicks and all. – Xotic750 Apr 19 '13 at 00:28