A fellow techie asked me today if jQuery (or JavaScript in general) could ping back to its source of origin and get information about the filesystem without the use of executable code. My knee-jerk answer was that there would be no way that IIS would allow this to happen without the use of AJAX, ASP.NET or some other executable technology. Another way of putting it: no way that JavaScript running from a static HTML page could pull back information about the webserver it came from.

Again, this was the knee-jerk answer, just due to security concerns, this would not be possible... but I do not claim to be an all-knowing JavaScript/jQuery expert, so I put this out to all of you. If you know of a way this can be done or if you know for certain that it cannot be done, either way I appreciate your feedback.

Thank you.

-Jessy Houle


With the solutions thus far, they all require server side technologies, either ASP, ASP.NET, PHP, Web Services, etc. To better illustrate the problem, I'll give you the exact scenario.

There is a group of 10 HTML files, all static with only HTML/CSS/JavaScript, sitting on a website on an IIS webserver. ASP, ASP.NET, PHP, and all other server side technologies are not allowed. These 10 HTML files have names that change and sizes that change, etc. The issue that needs to be solved is to display information about the files that are in that directory at that point in time (without directory browsing enabled, I'll add).

  1. REQUEST fileinfo.html from IIS
  2. Browser contains fileinfo.html
  3. fileinfo.html has JavaScript/jQuery that calls back out to IIS to get file and size information
  4. IIS reports back to the JavaScript/jQuery information about the files

I don't think step 3 is possible without the use of some sort of server side technology. BUT, I just want to make sure there isn't a new hack I've heard about.

A: 

All you need to do is find a way to include webserver information and stick it in a html file.

You could use a cron job that updates a static page with statistics, or use <insert language here> to dynamically generate it.

I can speak specifically for IIS, but Tomcat comes with a status XML feed that would cover something like this: http://localhost:8080/manager/status?XML=true

Nathan
A: 

The only extent to which you can get "information about the filesystem" without code on the server being set up for the purpose of providing you that information is the "information about the filesystem" implicit in URL paths and, if available, indexes.

chaos
+1  A: 

EDIT

In the specific scenario you described in the second part of your question, I would have to say no. I really don't see how you could, employing only JavaScript, determine the number of files, sizes and names on the server.


Previously, I stated that you could, provided that you allowed yourself to make use of the XML HTTP Request object which is available in most browsers' JavaScript implementations and that you allow that some filesystem information could be inferred by identifying the server software that is running on the server (i.e. if it's IIS it's probably NTFS, if it's Apache it's likely ext3, and so on). Admittedly, not a perfect solution and a hacky one at best.

This page shows how to use the XML HTTP Request object. In particular, look for the example that shows how to obtain the HTTP headers. From there, all you need to do is make a request to the server that is hosting your JavaScript file and then inspect the Server header line, which should tell you about the server that's hosting the file that you requested.

Miky Dinescu
+1  A: 

No, it is not possible unless the webserver publishes this information somehow. As you say, an executable needs to be run at some point (either to publish static information or check on the fly at the time of the request). The AJAX works by having URLs on the backend. If there is no URL to get file system information, it's not possible.

The above answers that outline how to make it possible all rely on running executable code at some point to publish the information to a URL. I had to read the question twice to be sure the point that the questioner is coming from is security not "how to".

Cymen
+1  A: 

The only thing I can think of that might work without resorting to server side scripting is to allow directory browsing and use a hidden frame to load the directory in the browser and then use JavaScript to parse the HTML of the hidden frame and get the information you need from that.

But this is a hack and not a very good solution. Plus it may violate your no directory browsing stipulation - while the directory isn't directly viewable by the average user, because it is indexable and because you are displaying it in a hidden frame, it wouldn't take much for someone to figure out how to view the contents of that directory.

Bill
+1  A: 

If you know the list of filenames in advance, or can generate/enumerate the likely filenames in Javascript, you can certainly test for their existence, modification time, and size using HTTP HEAD requests via the XMLHttpRequest object, or more simply, the jQuery $.ajax function:

var urls = ["/file1.html", "/file2.html", "..."];
// $.each passes (index, value) to the callback
$.each(urls, function(i, url) {
  $.ajax({type: "HEAD", url: url, complete: function(xhr) {
    // xhr is the jqXHR object for this request
    var headers = xhr.getAllResponseHeaders();
    // ...iterate over headers, using 'Content-Length', 'Content-Type', etc.,
    // to infer needed file information
  }});
});

If the filenames cannot be known in advance, or generated programmatically, however, you will be unable to enumerate them unless DAV is turned on for the directory in question. However, any host unwilling to let you use PHP or ASP is also unlikely to provide DAV services. (If you do have DAV, however, you can use the PROPFIND HTTP verb to get the contents of a directory as XML, and then process that XML in JavaScript on the client.)

rcoder
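
The header-inspection step that the answers above leave open ("iterate over headers", "inspect the Server header line"), as an added example that is not part of any of the original posts: it parses the string returned by `getAllResponseHeaders()` into the file metadata a static server discloses. The function names and the sample responses, including the `Server` value, are constructed for illustration.

```javascript
// Parse "Name: value\r\n" lines into a map keyed by lower-cased header name.
function parseRawHeaders(raw) {
  var headers = {};
  raw.split(/\r?\n/).forEach(function (line) {
    var idx = line.indexOf(":");
    if (idx <= 0) return;                        // skip blank or malformed lines
    var name = line.slice(0, idx).trim().toLowerCase();
    var value = line.slice(idx + 1).trim();
    // Repeated headers are combined with ", ", as XMLHttpRequest does.
    headers[name] = name in headers ? headers[name] + ", " + value : value;
  });
  return headers;
}

// Summarise one HEAD response. status and raw are what the complete callback
// would read from xhr.status and xhr.getAllResponseHeaders().
function describeFile(url, status, raw) {
  var h = parseRawHeaders(raw);
  var exists = status >= 200 && status < 300;
  // On an error response Content-Length describes the error page, not the file.
  var size = exists && /^\d+$/.test(h["content-length"] || "")
    ? parseInt(h["content-length"], 10) : null;
  var modified = exists && h["last-modified"] ? new Date(h["last-modified"]) : null;
  if (modified && isNaN(modified.getTime())) modified = null;
  return {
    url: url,
    exists: exists,
    size: size,
    modified: modified ? modified.toISOString() : null,
    type: exists ? (h["content-type"] || null) : null,
    server: h["server"] || null                  // present on error responses too
  };
}

// Constructed HEAD responses (not captured from a real server).
var SAMPLE = [
  { url: "/file1.html", status: 200, raw:
    "Content-Length: 5120\r\nContent-Type: text/html\r\n" +
    "Last-Modified: Tue, 05 May 2009 14:30:00 GMT\r\nServer: Microsoft-IIS/7.0\r\n" },
  { url: "/file2.html", status: 404, raw:
    "Content-Length: 1245\r\nContent-Type: text/html\r\nServer: Microsoft-IIS/7.0\r\n" }
];

function buildListing(responses) {
  return responses.map(function (r) { return describeFile(r.url, r.status, r.raw); });
}

console.log(buildListing(SAMPLE));
```

The output lists exactly the fields a static file server reveals per known URL (existence, size, modification time, content type, server software), which is also the set to review when deciding what a static directory discloses.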