开发者

Stop mobile network proxy from injecting JavaScript

I am using a mobile network based internet connection and the source code is being rewritten when they present the site to the end user.

In the localhost my website looks 开发者_如何学编程fine, but when I browse the site from the remote server via the mobile network connection the site looks bad.

Checking the source code I found a piece of JavaScript code is being injected to my pages which is disabling the some CSS that makes site look bad.

I don't want image compression or bandwidth compression instead of my well-designed CSS.

How can I prevent or stop the mobile network provider (Vodafone in this case) from proxy injecting their JavaScript into my source code?


You can use this on your pages. It still compresses and put everything inline but it wont break scripts like jquery because it will escape everything based on W3C Standards

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

On your server you can set the cahce control

"Cache-Control: no-transform"

This will stop ALL modifications and present your site as it is!

Reference docs here

http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.5

http://stuartroebuck.blogspot.com/2010/08/official-way-to-bypassing-data.html

Web site exhibits JavaScript error on iPad / iPhone under 3G but not under WiFi


You're certainly not the first. Unfortunately many wireless ISPs have been using this crass and unwelcome approach to compression. It comes from Bytemobile.

What it does is to have a proxy recompress all images you fetch smaller by default (making image quality significantly worse). Then it crudely injects a script into your document that adds an option to load the proper image for each recompressed image. Unfortunately, since the script is a horribly-written 1990s-style JS, it craps all over your namespace, hijacks your event handlers and stands a high chance of messing up your own scripts.

I don't know of a way to stop the injection itself, short of using HTTPS. But what you could do is detect or sabotage the script. For example, if you add a script near the end of the document (between the 1.2.3.4 script inclusion and the inline script trigger) to neuter the onload hook it uses:

<script type="text/javascript">
    bmi_SafeAddOnload= function() {};
</script>

then the script wouldn't run, so your events and DOM would be left alone. On the other hand the initial script would still have littered your namespace with junk, and any markup problems it causes will still be there. Also, the user will be stuck with the recompressed images, unable to get the originals.

You could try just letting the user know:

<script type="text/javascript">
    if ('bmi_SafeAddOnload' in window) {
        var el= document.createElement('div');
        el.style.border= 'dashed red 2px';
        el.appendChild(document.createTextNode(
            'Warning. Your wireless ISP is using an image recompression system '+
            'that will make pictures look worse and which may stop this site '+
            'from working. There may be a way for you to disable this feature. '+
            'Please see your internet provider account settings, or try '+
            'using the HTTPS version of this site.'
        ));
        document.body.insertBefore(el, document.body.firstChild);
    }
</script>


I'm suprised no one has put this as answer yet. The real solution is:

USE HTTPS!

This is the only way to stop ISPs (or anyone else) from inspecting all your traffic, snooping on your visitors, and modifying your website in flight.

With the advent of Let's Encrypt, getting a certificate is now free and easy. There's really no reason not to use HTTPS in this day and age.

You should also use a combination of redirects and HSTS to keep all of your users on HTTPS.


You provider might have enabled a Bytemobile Unison feature called "clientless personalization". Try accessing the fixed URL http://1.2.3.50/ups/ - if it's configured, you will end up on a page which will offer you to disable all feature you don't like. Including Javascript injection.

Good luck! Alex.


If you're writing you own websites, adding a header worked for me:

PHP:
    Header("Cache-Control: no-transform");
C#:
    Response.Cache.SetNoTransforms();
VB.Net:
    Response.Cache.SetNoTransforms()

Be sure to use it before any data has been sent to the browser.


I found a trick. Just add:

<!--<![-->

After:

<html>

More information (in German):

http://www.programmierer-forum.de/bmi-speedmanager-und-co-deaktivieren-als-webmaster-t292182.htm#3889392


BMI js it's not only on Vodafone. Verginmedia UK and T-Mobile UK also gives you this extra feature enabled as default and for free. ;-) In T-mobile it's called "Mobile Broadband Accelerator" You can Visit: http://accelerator.t-mobile.co.uk or http://1.2.3.50/ to configure it.

In case the above doesn't apply to you or for some reason it's not an option you could potentially set-up your local proxy (Polipo w/wo Tor) There is also a Firefox addon called "blocksite" or as more drastic approach reset tcp connection to 1.2.3.0/24:80 on your firewall. But unfortunately that wouldn't fix the damage.

Funny enough T-mobile and Verginmedia mobile/broadband support is not aware about this feature! (2011.10.11)


PHP: Header("Cache-Control: no-transform"); Thanks! I'm glad I found this page.

That Injector script was messing up my php page source code making me think I made an error in my php coding when viewing the page source. Even though the script was blocked with firefox NoScript add on. It was still messing up my code. Well, after that irritating dilemma, I wanted to get rid of it completely and not just block it with adblock or noscript firefox add ons or just on my php page.

  1. STOP http:// 1.2.3.4 Completely in Firefox: Get the add on: Modify Headers.
  2. Go to the modify header add on options... now on the Header Tab.
  3. Select Action: Choose ADD.
  4. For Header Name type in: cache-control
  5. For Header Value type in: no-transform
  6. For Comment type in: Block 1.2.3.4
  7. Click add... Then click Start.

The 1.2.3.4 script will not be injected into any more pages! yeah!

I no longer see 1.2.3.4 being blocked by NoScript. cause it's not there. yeah.

But I will still add: PHP: Header("Cache-Control: no-transform"); to my php pages.


If you are getting it on a site that you own or are developing, then you can simply override the function by setting it to null. This is what worked for me just fine.

bmi_SafeAddOnload = null;

As for getting it on other sites you visit, then you could probably open the devtools console and just enter that into there and wipe it out if a page is taking a long time to load. Haven't yet tested that though.


Ok nothing working to me. Then i replace image url every second because when my DOM updates, the problem is here again. Other solution is only use background style auto include in pages. Nothing is clean.

setInterval(function(){ imageUpdate(); }, 1000);

function imageUpdate() {
    console.log('######imageUpdate');
    var image = document.querySelectorAll("img");
    for (var num = 0; num < image.length; num++) {
        if (stringBeginWith(image[num].src, "http://1.1.1.1/bmi/***yourfoldershere***")) {
            var str=image[num].src;
            var res=str.replace("http://1.1.1.1/bmi/***yourfoldershere***", "");
            image[num].src = res;
            console.log("replace"+str+" by "+res);
            /*
            other solution is to push img src in data-src and push after dom loading all your data-src in your img src
            var data-str=image[num].data-src;
            image[num].src = data-str;
            */
            }
        }
}

function stringEndsWith(string, suffix) {
    return string.indexOf(suffix, string.length - suffix.length) !== -1
}
function stringBeginWith(string, prefix) {
    return string.indexOf(prefix, prefix.length-string.length) !== -1
}


An effective solution that I found was to edit your hosts file (/etc/hosts on Unix/Linux type systems, C:\Windows\System32\drivers\etc on Windows) to have:

null 1.2.3.4

Which effectively maps all requests to 1.2.3.4 to null. Tested with my Crazy Johns (owned by Vofafone) mobile broadband. If your provider uses a different IP address for the injected script, just change it to that IP.


Header("Cache-Control: no-transform");

use the above php code in your each php file and you will get rid of 1.2.3.4 code injection.

That's all.

I too was suffering from same problem, now it is rectified. Give a try.


I added to /etc/hosts

1.2.3.4 localhost

Seems to have fixed it.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜