When I'd open www.example.com/some_html.html I'd like a small script in Tampermonkey to detect the .html, open a new tab with view-source appended infront of the string.
In theory, I already have working code
// ==UserScript==
// @name XML
// @version 0.1
// @description Opens files, Yay!
// @include /^.*\.xml$/
// @exclude /^view-source:.*\.xml$/
// ==/UserScript==
(function() {
'use strict';
window.location.replace(`view-source:${window.location.href}`)
})();
Sadly, when I open a sitemap for example it prints out this big error
Uncaught (in promise) TypeError: Location.replace: Access to 'view-source:http://drupal-blog.lndo.site/en/sitemap.xml' from script denied.
tms_8214f41c_65d5_4e50_86b6_a5ea16f2256e$/< moz-extension://9c13b008-02bf-4abc-9c1e-f8db84075d3f/userscripts/XML.user.js?id=8214f41c-65d5-4e50-86b6-a5ea16f2256e:13
tms_8214f41c_65d5_4e50_86b6_a5ea16f2256e$ moz-extension://9c13b008-02bf-4abc-9c1e-f8db84075d3f/userscripts/XML.user.js?id=8214f41c-65d5-4e50-86b6-a5ea16f2256e:14
it http://drupal-blog.lndo.site/en/sitemap.xml:14
window["__p__185308.9699366292"]/</< moz-extension://9c13b008-02bf-4abc-9c1e-f8db84075d3f/userscripts/XML.user.js?id=8214f41c-65d5-4e50-86b6-a5ea16f2256e:1
window["__p__185308.9699366292"]/< moz-extension://9c13b008-02bf-4abc-9c1e-f8db84075d3f/userscripts/XML.user.js?id=8214f41c-65d5-4e50-86b6-a5ea16f2256e:1
"__p__185308.9699366292" moz-extension://9c13b008-02bf-4abc-9c1e-f8db84075d3f/userscripts/XML.user.js?id=8214f41c-65d5-4e50-86b6-a5ea16f2256e:15
it http://drupal-blog.lndo.site/en/sitemap.xml:14
set http://drupal-blog.lndo.site/en/sitemap.xml:3
<anonymous> moz-extension://9c13b008-02bf-4abc-9c1e-f8db84075d3f/userscripts/XML.user.js?id=8214f41c-65d5-4e50-86b6-a5ea16f2256e:1
it http://drupal-blog.lndo.site/en/sitemap.xml:14
t http://drupal-blog.lndo.site/en/sitemap.xml:4
it http://drupal-blog.lndo.site/en/sitemap.xml:14
y http://drupal-blog.lndo.site/en/sitemap.xml:6
send http://drupal-blog.lndo.site/en/sitemap.xml:7
V http://drupal-blog.lndo.site/en/sitemap.xml:3
E_u http://drupal-blog.lndo.site/en/sitemap.xml:4
E_u http://drupal-blog.lndo.site/en/sitemap.xml:4
create eval:64
create eval:65
l eval:6
it http://drupal-blog.lndo.site/en/sitemap.xml:14
a eval:3
r eval:4
M http://drupal-blog.lndo.site/en/sitemap.xml:6
M http://drupal-blog.lndo.site/en/sitemap.xml:6
it http://drupal-blog.lndo.site/en/sitemap.xml:14
t http://drupal-blog.lndo.site/en/sitemap.xml:4
it http://drupal-blog.lndo.site/en/sitemap.xml:14
y http://drupal-blog.lndo.site/en/sitemap.xml:6
send http://drupal-blog.lndo.site/en/sitemap.xml:7
r eval:4
setTimeout eval:4
t eval:7
runListeners eval:6
run eval:7
TM_back eval:67
it http://drupal-blog.lndo.site/en/sitemap.xml:14
t http://drupal-blog.lndo.site/en/sitemap.xml:15
TM_back eval:67
TM_back eval:67
TM_back eval:68
"__c__17560039.84757176" eval:68
it http://drupal-blog.lndo.site/en/sitemap.xml:14
set http://drupal-blog.lndo.site/en/sitemap.xml:3
<anonymous> eval:1
sitemap.xml line 14 > eval:13:21
My question now is, if this is perhaps due to a certain header that isn't or is set or because of a security rule in firefox?
CodePudding user response:
From bugzilla:
Linking to view-source: is only useful for browser developers. IE already dropped support in XP SP2, citing security concerns. We should probably remove it too.
The view-source: protocol has caused quite a few security bugs in Firefox, msotly due to security checks failing to take view-source's specialness into account: https://bugzilla.mozilla.org/buglist.cgi?quicksearch=481342,762705,561051,645564,290982,290949,262689
And the protocol continues to be a danger to the security of web sites with private information or CSRF tokens: https://bugzilla.mozilla.org/buglist.cgi?quicksearch=263290,624883,973837,1171853
It is a security rule in Firefox.