Appending a block of javascript to the DOM fails in production - but not in dev

Question

I have an ASP.NET website. Very huge!

The latest addition I've made, everything is JavaScript/AJAX enabled.

I send HTML and JavaScript code back from the server to the client, and the client will inject the HTML into a DIV - and inject the JavaScript into the DOM using this:

$('<script type="text/javascript">' + script + '</sc' + 'ript>').appendTo(document);

or this:

var js = document.createElement("script");
js.setAttribute("type", "text/javascript");
js.text = script;
document.appendChild(js);

On my own dev machine, the injected javascript is accessible and I'm able to execute injected JavaScript functions.

When I deploy to my test environment, )we have an internal domain name such as www.testenv.com) I get JavaScript errors.

I've tried to isolate the problem into a small page, where I inject alert("sfdfdf"); at the bottom of the page, and that works fine.

Is there any policy settings that prohibits this?

Answer 1

Dynamically creating elements should work fine, the script will be executed upon insertion into the DOM. To answer your question specifically, there are no direct policy settings that prohibit script injection, however, if you're using ajax calls within the dynamically inserted script you could run into Cross-Domain restrictions.

If you could post the error, and maybe the source of the 'script' element you're inserting it would help to debug the problem :)

Answer 2

Don't appendChild to 'document'; <script> can't go there and you should get a HIERARCHY_REQUEST_ERR DOMException according to the DOM Level 1 Core spec. The only element that can go in the Document object's child list is the single root documentElement, <html>.

Instead append the script to an element inside the document, such as the <body>.