In association with heise online

23 June 2011, 12:15

Chrome extension shows up bad JavaScript


Google has introduced an experimental extension, DOM Snitch, for its Chrome browser. DOM Snitch is designed to help developers improve their JavaScript code by monitoring the functions that work with the internal representation of web pages, the Document Object Model; it watches how the DOM is manipulated at runtime and then alerts developers to bad practices.

For example, Google considers the use of methods such as document.cookie, document.write, onmouseover and window.eval to be, from a security perspective, "bad practices" rather than "best practices". It points out that attackers can exploit these methods to attack the browser. The DOM Snitch extension detects such calls at runtime and displays them in a list, marking the severity of each problem with traffic-light style indicators.

DOM Snitch has three modes: standby, passive and invasive. It uses a number of techniques to intercept the calls and record the changes they make, namely method overloading, prototype hijacking and redefining getters and setters. In invasive mode, it will halt execution to allow testers to change the data before continuing. Google does not, however, make any suggestions on how to remove the risky functions from scripts.

DOM Snitch is available to download from the project's Google Code site and is licensed under the Apache Licence 2.0.

