3

I have a site I'm loading via iframe and it's on the same server. I need to remove a certain script tag before the page inside the iframe is loaded. In order words, intercept and remove the script before it's executed.

I tried 

var x = doc.getElementsByTagName('script');
doc.getElementsByTagName('head').removeChild(x);

But this doesn't seem to be able to catch the script before it executes. What other methods or options exist to achieve this objective?

Thanks

user2028856
  • 3,063
  • 8
  • 44
  • 71
  • can you wrap the script in a function and just execute the function – Shanimal Feb 14 '13 at 16:20
  • @Shanimal which script do you mean, my script to catch the target script or the target script itself? – user2028856 Feb 14 '13 at 16:26
  • @Chris.Ackley basically I need to remove this script from the site before it's fully loaded in iframe `if (self !== top) { top.location = parseURL(self.location);` – user2028856 Feb 14 '13 at 16:37
  • the script inside the target script would have to wrapped in a function then execute the function. If you just want to get the text of the script without running it you could use text/plain as the type – Shanimal Feb 14 '13 at 16:50
  • umm I think you misunderstood the question, sorry let me rephrase. I don't want the target script to execute. Since the target script is a frame killer script, I want to prevent it from running. Since the script is in the head and preventing it from running simply prevents the rest of the page from loading, I need to catch it before it executes and remove it so the rest of the page can load in the iframe. – user2028856 Feb 14 '13 at 16:53

2 Answers2

1

I don't think you can stop it from loading in the setup you've described.

However, you can point your iframe to your own server-side script (eg perl, php) which retrieves the URL and strips the script, then return everything else.

vol7ron
  • 40,809
  • 21
  • 119
  • 172
  • You're gonna have to rewrite paths to assets as well, not to mention that depending on the website it might break anyway because it expects another url. Not to mention the fact that it's kind of a dick move, there's probably a reason for the person to use a framebuster script. – Marco Feb 14 '13 at 17:05
  • All good points @Marco, there may be a away around the path thing, which I wouldn't describe here. I think whether this should be encouraged or not all depends on what is meant by "same server". If it's a public server hosting someone else's site, then yes, there's probably a reason they're trying to protect their assets/resources. – vol7ron Feb 15 '13 at 03:24
0
<script type="text/plain">
    alert('foo')
</script>
Shanimal
  • 11,517
  • 7
  • 63
  • 76