Wednesday, October 21st, 2009

Implied globals in browsers

Category: IE, JavaScript, Security

Stoyan Stefanov has done some testing on so called implied globals in browsers. One of the interesting finds was that the meta description is accessible in JavaScript using object property notation on IE and other browsers.

  1. <meta name="description" content="test me" />

  1. alert(description.content); // "test me"

Furthermore, you can use document.getElementById('description') will give you that DOM node although it has no ID!

Stoyan has a test page up to see what browser behaves that way and there’s an interesting comparison table in the blog post. Also be sure to check the comments for more baffling findings.

Posted by Chris Heilmann at 10:35 am

2.1 rating from 53 votes


Comments feed TrackBack URI

what are the applications of this easter egg? Could we do anything useful with this data?

Comment by jaysmith — October 21, 2009

@jaysmith: More to the point, SHOULD we do anything with it? Likely answer is no.

Comment by willbo — October 21, 2009

@jaysmith + willbo: I’ve used something like this on a project where I had to customize a third party app, but didn’t have direct access to metas.

Comment by WillPeavy — October 21, 2009

My understanding was that IE browsers will always look at the name property for getElementById(), not just in meta tags.

Comment by sentientholon — October 21, 2009

“tags” (and unsurprisingly, “all”) are other “reserved”-type keywords that IE doesn’t like – or rather, has native DOM ties. I’m surprised that description shows up in other browsers, though; didn’t expect that.

Comment by Schill — October 21, 2009

description: undefined
robots: undefined
paragraph-id: undefined
paragraph-name: undefined
form-name: undefined
form-id: undefined
input-name: undefined
input-id: undefined
link-name: undefined
link-id: undefined
div-name: undefined
div-id: undefined


Comment by Darkimmortal — October 21, 2009

Do you have more than 1 browser installed?

Nonsense like this is why everyone I know has long ago stopped reading Ajaxian.

Comment by SubtleGradient — October 21, 2009

additional info can be found:

Comment by jdalton — October 21, 2009

@jaysmith @willbo
I didn’t think you can do anything useful with it (WillPeavy proves me wrong though), but more of a heads-up. Imagine your app dynamically creates a textarea with id=”description” after some user interaction. Somewhere else in the code you want to check if this textarea exists. So you go:

if (document.getElementById('description')){}

and IE will wrongly evaluate this to true because your SEO guy added meta tags and broke your app :)

@Schill – yes, it was dissapointing that other browsers have followed. I guess it was meant to help the developer, but the road to hell is paved with good intentions ;)

@Darkimmortal – yes, that’s the result of running the test page in Firefox – the only browser that didn’t create globals for no good reason.

Comment by stoyan — October 21, 2009

@vcohen, this doc is irrelevent, as it only deals with the anchor tag, not at all with getElementById which should ONLY look at the id. Anyway, there really shouldn’t be so many “shortcuts” to nodes from the DOM without any explicit action, this may decrease performance too. I think this is the kind of stuff that makes IE even slower than it should. Firefox 3.5 seems to do the right thing : it doesn’t make variables from everything in the DOM.

Comment by fabienmenager — October 22, 2009

I noticed this weird behaviour some times ago, when I wrote a page with the meta “copyright” and a form with a field whose id was ‘copyright’

Comment by fcaldera — October 22, 2009


Comment by ExtAnimal — October 22, 2009

Good knowledge to have. I strongly dislike polluted global name spaces.

Comment by mjuhl — October 28, 2009

I’d love to see some speed tests between the following methods:

// vs.

MyScope = ({version:”1.2.3″});

also what if you wanted to define `` ? =\

Comment by deadlyicon — October 31, 2009

I’d love to see some speed tests between the following methods:

<meta name="MyScope" version="1.2.3" />
// vs.
<script type="text/javascript">
MyScope = ({version:"1.2.3"});

also what if you wanted to define `` ? =\

Comment by deadlyicon — October 31, 2009

Leave a comment

You must be logged in to post a comment.