Put simply:
Is it possible for external JavaScript code to inject another script that is hosted on a completely different domain into the page's Document Object Model (DOM)?
For example:
Imagine the website foo.com which has an HTML script tag with its src attribute set to http://bar.xyz/script.js. Can the content of script.js inject http://qux.net/abc.js (which is hosted on qux.com)?
http://foo.com/
<script src="http://bar.xyz/script.js"></script>

// Content of bar.xyz/script.js:
!(function () {
    // Create a new script element; s is the first script already on the page
    var k = document.createElement('script'),
        s = document.getElementsByTagName('script')[0];
    k.type = 'text/javascript';
    k.async = true;
    // Point it at abc.js on qux.net, using the page's own protocol
    k.src = document.location.protocol + '//qux.net/abc.js';
    s.parentNode.insertBefore(k, s);
    //…
})();
I attempted to inject abc.js but encountered no errors or alerts in the console.
Are there any security restrictions in place that prevent this from happening?
I'm still researching articles and Stack Overflow threads on this topic…
Thank you.
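A script element created by third-party code, as in the question above, is fetched under the embedding page's Content-Security-Policy, so that policy is where such a load is allowed or refused. The following is an added example, not part of the original post: a simplified model of `script-src` host matching that leaves out ports, paths, nonces, hashes and `'strict-dynamic'`; the function names and policy strings are constructed for illustration.

```javascript
// Simplified model of CSP script-src host matching (added example).
// Not modelled: ports, paths, nonces, hashes, 'strict-dynamic'.

// Parse a header value into { directive: [sources] }; the first duplicate wins.
function parseCsp(header) {
  const policy = Object.create(null);
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

// Does one source expression match the script URL?
function sourceMatches(source, url, page) {
  if (source === '*') return true;
  if (source === "'self'") return url.origin === page.origin;
  if (source.startsWith("'")) return false; // other keywords not modelled
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(source);
  if (!m) return false;
  // A schemeless source inherits the page's scheme; http sources also match https.
  const scheme = m[1] ? m[1].toLowerCase() + ':' : page.protocol;
  const schemeOk = url.protocol === scheme || (scheme === 'http:' && url.protocol === 'https:');
  const host = m[2].toLowerCase();
  const hostOk = host.startsWith('*.') ? url.hostname.endsWith(host.slice(1)) : url.hostname === host;
  return schemeOk && hostOk;
}

// Would the page's policy allow a script element with this src to load?
function scriptAllowed(cspHeader, pageHref, scriptHref) {
  if (!cspHeader) return true; // no CSP: script elements may load from any origin
  const policy = parseCsp(cspHeader);
  const sources = policy['script-src-elem'] || policy['script-src'] || policy['default-src'];
  if (!sources) return true; // the policy does not govern scripts
  const page = new URL(pageHref);
  const url = new URL(scriptHref, page);
  return sources.some((s) => sourceMatches(s, url, page));
}

// Constructed policies for the foo.com page from the question.
const PAGE = 'http://foo.com/';
const ONLY_BAR = "script-src 'self' bar.xyz";
console.log(scriptAllowed(null, PAGE, 'http://qux.net/abc.js'));      // no policy
console.log(scriptAllowed(ONLY_BAR, PAGE, 'http://bar.xyz/script.js'));
console.log(scriptAllowed(ONLY_BAR, PAGE, 'http://qux.net/abc.js'));
```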