
Firefox and IE's "View source" can be spoofed to show anything - dave1010uk
http://www.scriptjunkie.us/2011/09/original-source-forgery/
======
HNatWORK
I believe Chrome shows the original source because when you View Source, it
requests the page again. This complicates debugging Ajax requests (and also
Get and Post requests).

Firefox and IE show the "current" source, which is liable to be replaced as
shown by dave1010uk.

Type the following into the Chrome Dev Tools console, then the Firebug
console:

    testBool = true;
    document.write('');
    typeof testBool;

Chrome shows boolean, Firefox shows undefined.

~~~
knotty66
I wondered if there is anything different about the second (view source)
request that could be detected and a different response provided - but I don't
think so after a quick look with WireShark.

~~~
sesqu
Well, you could set up a temporary client blacklist based on cookies or IP
addresses.

------
xorglorb
Since the site seems to be down, you can read the article (no images
unfortunately) in Google's Cache[1].

[1]: https://webcache.googleusercontent.com/search?q=cache:http://www.scriptjunkie.us/2011/09/original-source-forgery/&hl=en&strip=1

~~~
dave1010uk
I've recreated a simple proof of concept here:
<http://taskthere.com/viewsource/>

It works in Firefox 6, not sure about any other browsers. If you want to see
the actual source, disable JavaScript (or use Chrome or curl).

~~~
tspiteri
To see the actual source in Firefox 6, I just viewed the source without
dismissing the alert, there was no need to disable anything. The only thing is
that with the alert, I couldn't right click on the page and click on "View
Page Source", I had to use the menu item Tools: Web Developer: Page Source (or
its keyboard shortcut).

~~~
dave1010uk
I used an alert as a quick example. You could put any HTML or JS on the page
(e.g. links for SEO value, iframes with PDF exploits, a bitcoin miner or a
video of Rick Astley) and when someone views the source it looks like there's
nothing malicious.

Ctrl/Cmd-u can also be used to view source in Firefox.

~~~
fgaaghf
If you want to view the current HTML source in Firefox you can use Ctrl+A and
then right-click > "View Selection Source".

I think it's more a question of what do you expect to see when you "View
Source". For example, I have messed around with document.write a lot and it's
pretty obvious to me that, if I use view source then it's going to give me the
source and any changes done to it by my document.write/open/close. In this case
since document.write is used after HTML parsing has been completed it replaces
the whole page and thus makes view source rather pointless.

~~~
dave1010uk
This bug isn't showing the usual generated source but some kind of hybrid
between original source and generated source.

- To see the original source, hit ctrl-u before dismissing the alert.

- To see the "hybrid" source, hit ctrl-u after dismissing the alert. I always
expected this to be identical to what the webserver sent, just syntax
highlighted. (Though I haven't messed around with document.close before.)

- To see the generated source, hit ctrl-a, right click & "View Selection
Source". This is different to the original/hybrid source as Firefox inserts
html tags to make the page valid. My example had no html, head, title or body
tags. This should reflect the current page DOM, as affected by any JavaScript.

------
code_duck
Thankfully, curl can't be tricked in such a manner.

I'd have a more substantial comment, I hope, if the site was loading.

~~~
there
_Thankfully, curl can't be tricked in such a manner._

fetch <http://jcs.org/tmp/nothing.html> through curl:

    jcs@air:~> curl -s http://jcs.org/tmp/nothing.html
    there is really nothing here, i can promise you that.

but you just aren't seeing the content.

    jcs@air:~> curl -s http://jcs.org/tmp/nothing.html | vis
    View source in Firefox. ^H^H^H^H^H^H^H^H^H^H^H[...]
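
The trick in the comment above relies on the terminal obeying backspace bytes, not on curl returning anything different. The following added example (not code from the thread or from jcs.org; the sample body is constructed) models what a plain terminal leaves on screen, caret-escapes control bytes the way `vis` does, and gives a simple check for fetched bodies whose on-screen text may not match their bytes.

```javascript
// Added example, not code from the thread: why piping curl output straight to a
// terminal can hide content, and how to surface it the way `vis` does.

// Constructed sample: bait text, enough backspaces to walk the cursor back over
// it, then the text that actually stays on screen.
const BAIT = 'View source in Firefox.';
const HIDDEN = 'there is really nothing here, i can promise you that.';
const SAMPLE = BAIT + '\b'.repeat(BAIT.length) + HIDDEN;

// Caret-escape control bytes so the terminal prints them instead of obeying them.
function visEscape(text) {
  let out = '';
  for (const ch of text) {
    const code = ch.codePointAt(0);
    if (code === 0x7f) {
      out += '^?';
    } else if (code < 0x20 && ch !== '\n' && ch !== '\t') {
      out += '^' + String.fromCharCode(code + 0x40); // 0x08 -> ^H
    } else {
      out += ch;
    }
  }
  return out;
}

// Model a plain terminal: backspace moves the cursor one cell left without
// erasing, carriage return jumps to column 0, anything else overwrites the cell.
function terminalRender(text) {
  const cells = [];
  let cursor = 0;
  for (const ch of text) {
    if (ch === '\b') {
      if (cursor > 0) cursor -= 1;
    } else if (ch === '\r') {
      cursor = 0;
    } else {
      cells[cursor] = ch;
      cursor += 1;
    }
  }
  return cells.join('');
}

// Triage check for fetched bodies: any byte that can move the cursor or start
// an escape sequence means the on-screen text may not match the bytes.
function hidesContent(text) {
  return /[\x08\r\x1b]/.test(text);
}

console.log('bytes     :', visEscape(SAMPLE));
console.log('on screen :', terminalRender(SAMPLE));
console.log('suspicious:', hidesContent(SAMPLE));
```

The same idea applies to anything that renders fetched bytes before you read them: `vis`, `cat -v`, `od -c` or a hex dump shows the bytes; a terminal, pager or editor shows an interpretation of them.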

~~~
code_duck
Clever and true... I didn't say I'd view it in the terminal, though!

    curl http://jcs.org/tmp/nothing.html | vim -

------
kaitnieks
Older Internet Explorer and Firefox versions displayed the source that was
downloaded, not the one generated/modified by scripts. It makes so much more
sense, especially since there was always an option to view the generated
source (by using JavaScript for an example) but I don't see how you can access
the downloaded source at all if View Source is replaced by View Generated
Source. Hm, actually one could use FireBug and watch Net response I suppose,
but that's inconvenient.

~~~
dave1010uk
This bug isn't showing the original source _or_ the usual generated source but
a hybrid. See my comment here: <http://news.ycombinator.com/item?id=2977123>

The best way to access downloaded source is probably with JavaScript turned
off.

------
jannes
Hmm, I can't reproduce what he claims by only looking at the cached version
without images and source code.

I especially don't understand this part:

    When you use document.write outside of a script tag embedded inline in
    the page [...]

What is "outside of a script tag embedded inline in the page" supposed to
mean?

~~~
dave1010uk
What that means (though is not how I would word it) is a document.write that
is called asynchronously. The post uses an ajax request to do it but I've
recreated it here [1] like this:

    setTimeout(function() {
      document.write('foo');
      document.close();
    }, 1);

[1] <http://taskthere.com/viewsource/>
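
Because the replacement happens only after parsing has finished, the raw bytes a non-rendering client fetches still contain the script that does it. The following added example (not the proof of concept from the thread; the sample pages are constructed to resemble the setTimeout and ajax variants described in this thread) is a static triage check over raw HTML that flags inline scripts combining a deferral construct with a document rewrite. It is a regex heuristic, not a JavaScript parser, so obfuscated or externally loaded scripts will evade it; its purpose is to show what "View source" in an affected browser no longer lets you see.

```javascript
// Added example, not the thread's PoC: flag inline scripts in raw HTML that
// defer execution and then rewrite the document, the pattern behind the
// "View source" discrepancy discussed above. Heuristic only (regex, no parser).

// Constructed sample modelled on the setTimeout reproduction above.
const SAMPLE_PAGE = `<script>
setTimeout(function() {
  document.write('foo');
  document.close();
}, 1);
</script>
<p>Nothing to see here.</p>`;

// Constructed sample modelled on the ajax variant the article is said to use;
// '/replacement.html' is a placeholder path.
const XHR_PAGE = `<script>
var x = new XMLHttpRequest();
x.onreadystatechange = function () {
  if (x.readyState === 4) { document.open(); document.write(x.responseText); document.close(); }
};
x.open('GET', '/replacement.html'); x.send();
</script>`;

// Synchronous document.write during parsing is ordinary and is not flagged.
const BENIGN_PAGE = `<p>Hello</p><script>document.write('<b>inline</b>');</script>`;

// Constructs that run code after the parser has finished with the page.
const DEFERRAL = /(setTimeout|setInterval|requestAnimationFrame|XMLHttpRequest|onreadystatechange|addEventListener)\b/;
// Calls that replace or append to the already parsed document.
const REWRITE = /\bdocument\s*\.\s*(writeln|write|open|close)\s*\(/;

// Extract the bodies of inline <script> elements in document order.
function inlineScripts(html) {
  const scripts = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) scripts.push(m[1]);
  return scripts;
}

// Return the indices of inline scripts that both defer and rewrite; an empty
// array means the heuristic found nothing.
function findDeferredRewrites(html) {
  const hits = [];
  inlineScripts(html).forEach((body, i) => {
    if (DEFERRAL.test(body) && REWRITE.test(body)) hits.push(i);
  });
  return hits;
}

for (const [name, page] of [['sample', SAMPLE_PAGE], ['xhr', XHR_PAGE], ['benign', BENIGN_PAGE]]) {
  console.log(name, '->', findDeferredRewrites(page));
}
```

Run it over a body fetched with curl (or any client that does not execute scripts) rather than over what a browser's "View source" shows, since the point of the thread is that the latter may already be the rewritten page.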

------
AndyKelley
In my opinion, "View source" should be a text log of everything the server
sent to the client. Why would you ever want anything different?

------
Flam
One of the many reasons why I recommend using NoScript. <http://noscript.net/>

~~~
sjs
Although I don't use NoScript (or NotScripts) anymore the web was far less
annoying without arbitrary JavaScript. I never had to leave a site because
some irrelevant box popped up over the page I was looking at, or about to be.

It will be effective at blocking the Flash-like HTML ads that are going to pop
up soon as well. Unless they get _really_ creative with CSS.

------
Kudos
What's with the out of date Flash popup? Running Chrome beta channel here with
Flash built in.

~~~
robinduckett
What's with the site not even loading?

------
xyzzyz
Opera 11.51 won't even try to show the source for me. It's definitely
interesting.

------
51Cards
Tried in Firefox 6... spoof works. Tried in Firefox 3.6... could see full
source, script and all.

~~~
dspillett
IIRC earlier versions of FF re-request the page when you do a view source,
rather than displaying a rendering of the current (potentially changed)
document state. You could still spoof the source view in this case by somehow
recognising the second request (though how you'd distinguish "view source"
from "f5" I don't know) and sending different content back.

------
Kwpolska
Actually, chrome downloads the source again when you choose "view source". You
can see the "modded" source with ctrl/cmd+shift+I.

~~~
abrowne
If you mean the Developer Tools/Inspector, it's cmd+opt+I, at least on Chrome
14.

