0

Is there a way to identify client-side code, within an entire code base, that initiates a cross-domain operation? E.g., identify proprietary code that uses an NPM package that crosses the domain by issuing calls to a different domain.

Finding the 3rd party code that crosses the domain will suffice, since putting a breakpoint inside it will allow tracing back to proprietary code calling the relevant 3rd party code.

I can see the addresses reached outside the domain by using the Chrome developer tools' network tab, and via Fiddler, but the only data about the initiator code is the page URL, which, in the case of an SPA, doesn't reveal any useful info.

Thanks, Liroy

  • Chrome Developer Tools provide a way to breakpoint at XHR/Fetch requests by URL sub-string: [link](https://developers.google.com/web/tools/chrome-devtools/javascript/breakpoints#xhr). But this doesn't cover all cases where loading a website triggers network calls to a foreign domain. E.g.: if a certain HTML page contains a script tag, the above Chrome Dev Tools feature will not catch it. – Liroy Alima Aug 24 '20 at 08:48

1 Answer

1

Documenting my findings for future readers' usage:

  1. Chrome DevTools provides a way to add XHR/Fetch breakpoints. This type of breakpoint matches XHR/Fetch requests by URL sub-string: link. Please note this doesn't cover all cases where loading a website triggers network calls to a foreign domain. E.g.: if a certain HTML page contains a script tag, the above Chrome Developer Tools feature will not catch it.

  2. Chrome DevTools shows, in the Network tab, a column named "Initiator", which allows navigation to the initiating piece of code. E.g.: script tag added to HTML document.
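
A scripted complement to the two DevTools features above, as an added example that is not part of the original answer: it groups Resource Timing entries by foreign origin and initiator type, so script-tag loads show up alongside XHR/Fetch calls. The function name `crossOriginByInitiator` and the sample entries are constructed for illustration, and the comparison is by origin (scheme, host and port), which is an assumption about what "cross-domain" should mean here.

```javascript
// Added example: summarise cross-origin requests from Resource Timing entries.
// In a browser console, call:
//   crossOriginByInitiator(performance.getEntriesByType('resource'), location.origin)
// The function name and the sample data below are constructed for illustration.

function crossOriginByInitiator(entries, pageOrigin) {
  const summary = new Map(); // foreign origin -> Map(initiatorType -> [urls])
  for (const entry of entries) {
    let url;
    try {
      url = new URL(entry.name);
    } catch {
      continue; // not an absolute URL; nothing to attribute
    }
    // data:, blob: and similar schemes never leave the page, so skip them.
    if (url.protocol !== 'http:' && url.protocol !== 'https:') continue;
    if (url.origin === pageOrigin) continue;

    const type = entry.initiatorType || 'unknown';
    if (!summary.has(url.origin)) summary.set(url.origin, new Map());
    const byType = summary.get(url.origin);
    if (!byType.has(type)) byType.set(type, []);
    byType.get(type).push(url.href);
  }
  return summary;
}

// Constructed sample entries shaped like PerformanceResourceTiming objects.
const sampleEntries = [
  { name: 'https://app.example/static/main.js', initiatorType: 'script' },
  { name: 'https://cdn.example.net/lib/widget.js', initiatorType: 'script' },
  { name: 'https://api.example.org/v1/track?id=1', initiatorType: 'fetch' },
  { name: 'https://api.example.org/v1/legacy', initiatorType: 'xmlhttprequest' },
  { name: 'data:image/png;base64,AAAA', initiatorType: 'img' },
  { name: 'https://app.example:8443/health', initiatorType: 'fetch' }, // same host, other port
];

const sampleResult = crossOriginByInitiator(sampleEntries, 'https://app.example');
for (const [origin, byType] of sampleResult) {
  for (const [type, urls] of byType) {
    console.log(`${origin}\t${type}\t${urls.length} request(s)`);
  }
}
```

`initiatorType` reports the kind of element or API that started the request, not the source line, so the Initiator column or a breakpoint is still needed to reach the calling code.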