JS file runs in the editor during loading

When loading up a project in the editor, built-in JavaScript functions such as alert, prompt, and confirm will run. This will only happen if the .js file containing the script is included by the index.html file.

It appears that the script is called via an embedded project page, because running alert(location.href) will return the project.glitch.me URL instead of the editor one.

This issue could possibly be used to run XSS on the editor, so it should probably be fixed.
Thanks, DerDer56

7 Likes

Thank you! We're going to ship some changes to the iframe that loads your project, which will make sure that the JavaScript does not run in the background from your project until you've opened the side-by-side preview.

Fortunately the iframe creates a sandbox which means that the javascript running in the project can only target that project domain (example.glitch.me), so there isn’t a risk of XSS attacks here.

7 Likes
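A lazily created, sandboxed preview frame along the lines the reply above describes, as an added example that is not Glitch's own code; the sandbox token list, the controller API and the element handling are assumptions, and the `doc` parameter stands in for the browser `document` so the logic can run outside a browser.

```javascript
// Added example (not Glitch's code): create the project-preview iframe only
// when the user opens the preview, and give it a sandbox that lets the
// project's scripts run while keeping them unable to navigate window.top
// (the editor) or act on the editor's origin.

// Tokens granted to the preview. Deliberately absent: allow-top-navigation
// and allow-top-navigation-by-user-activation, which would let a framed
// project redirect the whole editor page. allow-modals lets alert/prompt/
// confirm work inside the preview the user chose to open.
const PREVIEW_SANDBOX_TOKENS = ["allow-scripts", "allow-forms", "allow-modals"];

const TOP_NAV_TOKENS = [
  "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
];

// Join the tokens into a sandbox attribute value, refusing any token that
// would re-enable top-level navigation.
function buildSandboxAttribute(tokens) {
  for (const t of tokens) {
    if (TOP_NAV_TOKENS.includes(t)) {
      throw new Error(`sandbox token ${t} would allow window.top redirects`);
    }
  }
  return tokens.join(" ");
}

// Preview controller: nothing from the project is loaded until open() is
// called, so no project script runs in the background while editing.
// `doc` is document (or a stub), `container` the element hosting the frame.
function createPreviewController(doc, container, projectUrl) {
  let frame = null; // hypothetical state; one frame at most
  return {
    open() {
      if (frame) return frame; // already showing; do not reload the project
      frame = doc.createElement("iframe");
      // Set sandbox before src so the restrictions apply from the first load.
      frame.setAttribute("sandbox", buildSandboxAttribute(PREVIEW_SANDBOX_TOKENS));
      frame.setAttribute("src", projectUrl);
      container.appendChild(frame);
      return frame;
    },
    close() {
      if (!frame) return;
      container.removeChild(frame); // unloads the project, stopping its scripts
      frame = null;
    },
    isOpen() {
      return frame !== null;
    },
  };
}
```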

cross reference: Random redirection?

It’s confusing that it happens even when not having that “preview in editor” thing selected. Gonna appreciate those changes :slightly_smiling_face:

We pushed out the changes today, so hopefully no more random and unexpected window.top redirections :wink:

1 Like