Back to Top

Thursday, November 20, 2008

Google Reader, Javascript and Flash

I had the idea some time ago to highlight the source code I post via Javascript. I gravitated towards this solution because I don't have source level control of Blogger (or do I? ;-)). My thought process was the following: include one .js in each post, which will check if the customization was already done and perform the customization if necessary. However very rapidly I discovered that Google Reader (and I assume that other web-based readers as well) strip JS (probably for security reasons).

While pondering different possible solutions, I thought of two things:

  • First: why doesn't Google Reader just put HTML extracted from clients in an IFRAME from a custom / randomly generated subdomain (ie. qwefwer.googlereader.com)? The IFRAME could have no border and the appropriate width-height (and the correct overflow style), making it indistinguishable from a plain page. The idea being that the same origin policy would prevent malicious JS fiddling with elements it shouldn't. However this was probably harder and possibly less secure than going with the whitelisting.
  • Second: I observed that Google Reader allows Flash to be embedded in the blog posts. Or at least I thought it did. So I've said: aha! I can embed flash, flash can execute Javascript, so I can execute Javascript!

Unfortunately (fortunately?) this is not the case. They seem to employ a whitelisting solution, removing any embed/object tags which specify a source that is not on the whitelist. As far as I can tell the whitelist is not public, but it includes at least some online video services. BTW, if you wish to the Google Reader traffic in Fiddler, don't forget that responses are GZIP compressed, which Fiddler doesn't decompress automatically :(

Where does this leave us?

No javascript for you! Unless you find some kind of security hole in one of the whitelisted Flash movies. If you do however, you can take over the whole session, because your JS will run in the context of the Google Reader.

I don't know what kind of filtering is applied to other objects (Java Applets, Silverlight, etc), but from what I've seen I assume that they would be filtered out.

It would be very nice if they would adopt the IFRAME approach, because that would mean both more security and the possibility for them to enable full JS / object support.

0 comments:

Post a Comment

You can use some HTML tags, such as <b>, <i>, <a>. Comments are moderated, so there will be a delay until the comment appears. However if you comment, I follow.