It's not a good idea to just grab a copy of the page's code that does this.
Consider: you get a Content Security Policy error, because you're trying to execute a piece of code from a remote server. While you can relax the policy, let me first explain why is this a security problem.
Currently, your code loads http://dota2.cyborgmatt.com/prizetracker/data/ti4.json
and executes its contents, without verifying what they are. Right now it looks like this:
populatePrizePool({"dollars":3129676});
But: this is a website you do not control.
Imagine: you write your extension, it becomes popular, admins of the site notice the unusual traffic, change their code to load http://dota2.cyborgmatt.com/prizetracker/data/ti4_.json
instead, and after a bit of googling replace the original link's contents with this:
alert("By the way, Ramana Venkata is stealing our data. Sincerely, cyborgmatt.com");
And suddenly, your extension doesn't work, you have an angry mob of users, and are slightly embarrassed.
You see the problem? It could be worse, as the replacement code can be as evil as JS permits. Since HTTP traffic is trivial to intercept, it doesn't even take cyborgmatt.com admins to inject arbitrary code in your extension, and that is why it's not even possible to relax the policy in this way.
Now, to solve the problem. Instead of AJAX-loading the code, you should just load this file, parse it to get the JSON data (i.e. {"dollars":3129676}
), safely parse and validate that data, and only then use it. This way, if the above scenario happens, at least nothing evil comes of it.
Step 1: Get the data.
Replace the $.ajax
call with XHR:
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function(){
if (xhr.readyState == 4) {
parseAndValidate(xhr.responseText);
}
};
xhr.open("GET", "http://dota2.cyborgmatt.com/prizetracker/data/ti4.json", true);
xhr.send();
Step 2: Parse and validate.
You have a string that you expect to have the following format: populatePrizePool(SOME_JSON);
, and you expect the JSON data to contain a non-negative number dollars
.
function parseAndValidate(str){
var some_json;
// First, extract `SOME_JSON` with a regular expression:
if(str.match(/populatePrizePool\((.*)\);/)) {
some_json = str.match(/populatePrizePool\((.*)\);/)[1];
} else {
throw Error("Unexpected format for ti4.json");
}
// Second, _safely_ parse `some_json`:
var data = JSON.parse(some_json); // Will throw an exception if something's not right
// Third, ensure that the JSON has the required data:
if( !data.dollars || typeof data.dollars !== "number" || data.dollars < 0) {
throw Error("Unexpected data format for ti4.json");
}
// Finally, call the function:
populatePrizePool(data);
}
This may be a little overkill for your tiny project, but it's a learning experience. Do not blindly trust data you don't control, even less code you don't control.