Immutable CDN trick

General
1

If we want to use content such as images, scripts, jquery and all sorts of css, dependancies etc, that we directly fetch from Safe in our web apps, right now we cannot rely on safe:// links, because these are mutable and could be altered silently ( that is, if we don’t own them )

So until the Safe browser implements a better way, I thought of the following trick :

  • fetch the data from an immutable, convert it to a string, and stuff it into the document, for instance with :

document.getElementById("hereWePutAnImage").src = theImmutableImageB64

It also works for executable scripts, using :

myFunction = new Function( ImmutableScript );

I put a proof of concept here :

https://github.com/wrnice/immutable-cdn

7 Likes
2

Is it possible to include a script, that’s the big Question for me?

The StackExchange link you posted (elsewhere) suggested that was possible by appending to the body tag, but I’d like to see it proven because it seems like a security hole if that’s true, and so might have been closed.

Mean time, if it works, it might provide a way to get around account PUT limits for large websites.

1 Like
3

sure, look lines 72 -95

( well not ‘include’ in the strict term, but execute, yes )

4

I do mean include rather than call a function. For example, to provide a way to include a bundle like jquery.js

1 Like
5

I suppose we could inject strings in <script> tags, but we would have to wait for it to be loaded before the browser parses it.

6

I just updated the demo, now it does include code that you can reuse in your code - if that makes sense.

So, I think it does an include. You need to stay within the ‘async’ part, though

7

ok, I updated again, now the code does include jquery from an immutable, and you can succesfully use it.

2 Likes
8

Excellent. Although I can’t quite convince myself this proves the point, I don’t see any issues with it. Cool :slight_smile:

1 Like
9

What I can’t figure out now, is how to manipulate XOR adresses in my editor %?§#!!

EDIT :
here is jquery-3.2.1.min.js :
[166, 79, 43, 95, 130, 162, 89, 193, 120, 152, 3, 247, 175, 157, 230, 143, 136, 226, 108, 141, 255, 218, 115, 156, 178, 83, 242, 2, 194, 104, 162, 200]

2 Likes
10

Great stuff! It would be good to just be able to resolve immutable data directly, but this looks like a good work around.

2 Likes