How to prevent an external JS request

I'm using a service that automatically constructs and hosts launch pages. In the body of their code, they have a call to jquery:

<script type="text/javascript" src="//ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js?cache=2015-09-22-09"></script>

Unfortunately, since I'm in China, googleapis.com is blocked and the page has to wait for this code to time out before it will render. This portion is autogenerated as part of the template and I can't change it. However, I can insert custom JavaScript in the head and the body.

Are there any ways I can prevent this code from making the request to googleapis.com or to force it to abort after it has already made the request?

-EDIT-

Here's a screen cap of the network tab when I try to load the page. As you can see, the call to googleapis.com hangs for 1.4 mins until it times out, at which point DomContentLoaded triggers and the entire page loads.

enfieldacademy asked Sep 22 '15 11:09


1 Answer

Right, if you are able to put HTML in the head of the document, not just execute JavaScript, you could use a meta tag to block external script loading:

<meta http-equiv="Content-Security-Policy" content="script-src 'self'"> 

From the Mozilla Content-Security-Policy Meta Tag Docs:

Authors are strongly encouraged to place meta elements as early in the document as possible, because policies in meta elements are not applied to content which precedes them. In particular, note that resources fetched or prefetched using the Link HTTP response header field, and resources fetched or prefetched using link and script elements which precede a meta-delivered policy will not be blocked.

So the meta tag will only work in the head, certainly before the script which loads jQuery. You can whitelist URLs in the tag by adding them into the content parameter in the meta tag too.

If you can only execute JavaScript, you can add the meta tag dynamically. Unfortunately it is likely the browser has probably decided on its policies by the time it is added. Nevertheless, it can be added with

var meta = document.createElement('meta');
meta.httpEquiv = "Content-Security-Policy";
meta.content = "script-src 'self'";
document.getElementsByTagName('head')[0].appendChild(meta);

More interesting reading material homework for solving the 'Prevent an external JS request' mystery:

Use JavaScript to prevent a later `<script>` tag from being evaluated?

Good Luck!

RepeatQuotations answered Sep 26 '22 03:09
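
An added example, not part of the original answer: a simplified JavaScript model of `script-src` matching that shows which script tags the meta policy above would block, including the placement rule from the Mozilla quote and the effect of whitelisting a host. The page origin `launch.example`, the path `/js/custom.js` and all function names are assumptions made for illustration.

```javascript
// Simplified model of CSP script-src matching (assumption: ignores paths,
// ports, nonces, hashes and bare "*"; browsers implement the full CSP spec).
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

function sourceMatches(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  // host-source: optional scheme, optional leading "*." wildcard
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  const h = host.toLowerCase();
  return wildcard ? url.hostname.endsWith('.' + h) : url.hostname === h;
}

// scripts: [{ src, beforeMeta }] in document order; beforeMeta marks tags
// that precede the <meta> policy and are therefore not governed by it.
function evaluateScripts(policy, pageUrl, scripts) {
  const d = parsePolicy(policy);
  const sources = d['script-src'] || d['default-src'];
  const page = new URL(pageUrl);
  return scripts.map(({ src, beforeMeta }) => {
    const url = new URL(src, page); // resolves protocol-relative "//host/..."
    const allowed = beforeMeta || !sources ||
      sources.some((s) => sourceMatches(s, url, page.origin));
    return { src, blocked: !allowed };
  });
}

// Constructed sample: placeholder page origin; the jQuery URL is the one from the question.
const JQUERY = '//ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js?cache=2015-09-22-09';
const PAGE = 'https://launch.example/index.html';
const demo = evaluateScripts("script-src 'self'", PAGE, [
  { src: '/js/custom.js', beforeMeta: false },
  { src: JQUERY, beforeMeta: false },
]);
console.log(demo);
```

Setting `beforeMeta: true` on the jQuery entry models a meta tag placed after the template's script tag; in that case the request is not blocked, which is why the tag has to sit at the top of the head.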