How can I load a web page into a new window and inject JavaScript code into it?

Using JavaScript, how can I open a new window (loading, say, http://www.google.com in the process) and inject/insert this code into its body:

<script type="text/javascript">alert(document.title);</script>

I know how to open a new window, but I don't know how to add the script to the new window and run it:

var ww = window.open('http://www.google.com');


No. This would violate the same origin policy implemented by most (all?) browsers to protect their users.

Imagine if this were possible: You could convince users to come to your site, open a new window with, say, their bank's website loaded into it, and inject code to steal their credentials. Then proceed to steal their money, identity, etc...

Not good, eh? So be very, very glad it isn't possible.


See also: Same-origin policy for DOM access in the Browser Security Handbook


This worked on the firebug console:

>>> var x = window.open("");
Window opened
>>> x
Window about:blank
>>> x.document
Document about:blank
>>> x.document.write("<script type='text/javascript'>alert('h1');</script>");
Alert popped up
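
The two answers above fit together once the origin comparison is spelled out: a window opened on an empty URL or about:blank inherits the opener's origin, so the opener may write to it, while http://www.google.com is a different origin and its DOM is off limits. The following is an added example, not code from the question or any answer; it is a simplified model runnable in Node.js, the function names and the mysite.example opener URL are assumptions, and it leaves out document.domain and sandboxing.

```javascript
// Simplified model of the same-origin check that gates DOM access to a
// window returned by window.open(). Illustrative names, not a browser API.

// Default ports, so http://host and http://host:80 compare as equal.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Return "scheme|host|port" for an http(s) URL, or null for anything else
// (other schemes are modeled here as opaque origins, a simplification).
function originOf(url) {
  const u = new URL(url);
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  return [u.protocol, u.hostname, u.port || DEFAULT_PORTS[u.protocol]].join('|');
}

// Origin of the window that openerUrl creates with window.open(targetUrl).
// An empty URL or about:blank inherits the opener's origin.
function effectiveOrigin(openerUrl, targetUrl) {
  if (targetUrl === '' || targetUrl === 'about:blank') return originOf(openerUrl);
  return originOf(new URL(targetUrl, openerUrl).href); // resolves relative URLs
}

// True when the opener's script may read and write the new window's document.
function canScriptNewWindow(openerUrl, targetUrl) {
  const a = originOf(openerUrl);
  const b = effectiveOrigin(openerUrl, targetUrl);
  return a !== null && b !== null && a === b;
}

// Constructed sample cases; the opener URL is hypothetical.
const opener = 'http://mysite.example/page.html';
const targets = [
  '',                            // the Firebug case: blank window, same origin
  'about:blank',
  '/other.html',                 // relative URL on the opener's own site
  'http://mysite.example:80/x',  // explicit default port, still same origin
  'https://mysite.example/',     // scheme differs
  'http://mysite.example:8080/', // port differs
  'http://www.google.com',       // the question's case: host differs
];
for (const t of targets) {
  console.log(JSON.stringify(t), '->', canScriptNewWindow(opener, t));
}
```
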


Your ww var is a reference to the new window object. So ww.window.title would be the title of the window you have opened.

If you wish to manipulate your new window you should do it via your ww var.


The best approach is to have your website (the one your script comes from) act as a proxy and download the URL in question for you. You can therefore modify the response on the server, or locally on the client.

