Does browser 'view-source' mode avoid scripting attacks?

Yes, it is absolutely safe (in Google Chrome) to open an untrusted website in view-source mode. The key point to note here is that you should "open" the page in view-source mode, meaning you should not allow any rendering to happen by normally loading the webpage first and then viewing the source.

An example in Google Chrome would be view-source:http://www.badjs.com/

By design, Google Chrome will initiate a new GET request to the server and provide the client browser with the unrendered version of the webpage when in view-source mode.

You could also use a No-Script extension or add-on for your specific browser to prevent any scripting attacks.


While it is currently safe on Chrome, you should not base your future checks on that. Things may change anytime and I have not seen the lack of rendering as being a specifically documented feature.

If you want to look at the code, it is much better to download the page via a command-line tool (curl for instance) and analyze what was loaded and saved in a file. This also has the added value of easily testing various pages which may possibly be served in response to different User-Agents.
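
The fetch-and-compare approach described in the answer above, as an added example that is not part of the original answers: it uses Python's `urllib` in place of curl, saves the raw bytes once per User-Agent and groups the copies by hash to show whether the server varies its response. The User-Agent strings, function names and the `fetched` output directory are assumptions made for illustration.

```python
import hashlib
import pathlib
import urllib.request
from urllib.parse import urlsplit

# Constructed sample User-Agent strings (assumptions, not taken from the answer).
USER_AGENTS = {
    "curl": "curl/8.5.0",
    "chrome": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
}
MAX_BYTES = 5 * 1024 * 1024  # cap how much an untrusted server can make us read


def fetch_raw(url, user_agent, timeout=10):
    """Return the response body as bytes; nothing is parsed, rendered or executed."""
    if urlsplit(url).scheme not in ("http", "https"):
        raise ValueError("only http(s) URLs are fetched")  # urllib would also open file://
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read(MAX_BYTES)


def compare_variants(url, out_dir, user_agents=USER_AGENTS, fetch=fetch_raw):
    """Save one copy of url per User-Agent and group the labels by body SHA-256."""
    out = pathlib.Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    groups = {}
    for label, ua in user_agents.items():
        body = fetch(url, ua)
        # .txt so a double-click opens a text editor, not a browser
        (out / f"{label}.txt").write_bytes(body)
        groups.setdefault(hashlib.sha256(body).hexdigest(), []).append(label)
    return groups


def varies_by_user_agent(groups):
    """More than one distinct body: diff the saved files. Dynamic pages (nonces,
    timestamps) also differ between requests, so treat this as a lead, not proof."""
    return len(groups) > 1


if __name__ == "__main__":
    import sys
    for digest, labels in compare_variants(sys.argv[1], "fetched").items():
        print(digest[:16], labels)
```
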