Is there any way to stop browser add-ons from injecting HTML code?
I am having a website built in angularjs but because of some browser add-ons my route is getting messed up, this is the HTML snippet which is causing some errors in my angularjs:
<script async="" src="http://b.scorecardresearch.com/beacon.js"></script>
<script type="text/javascript" async="" src="http://in1.perfectnavigator.com/d.php?id=57573&eid=&vdisp=0&u=http://www.domain.com/app/#/users&r=http://www.domain.com/site/profile/view/&vdisplayEn=0&vsliderEn=1&bannerAds=1&usadservEx=Oj45JDs7PTUiNg&lrc=0&curatedSite=0"></script>
<script type="text/javascript" src="https://api.jollywallet.com/affiliate/client?dist=111&sub=1&name=Browser%20Extensions"></script>
<script type="text/javascript" src="https://colo.cachefly.net/js/min.inject.js?id=Pz8sOCA"></script>
<script type="text/javascript" src="https://colo.cachefly.net/js/min.inject.js?id=Pz8sOis"></script>
<script type="text/javascript" src="https://colo.cachefly.net/js/min.inject.js?id=Pz8sOiA"></script>
<script type="text/javascript" src="https://colo.cachefly.net/js/min.inject.js?id=Pz8sOSA"></script>
<script type="text/javascript" src="https://colo.cachefly.net/js/min.inject.js?id=Pz8sOSs"></script>
<script type="text/javascript" src="http://www.superfish.com/ws/sf_main.jsp?dlsource=hhnkdzlc&CTID=ssaddon"></script>
<script type="text/javascript" src="http://istatic.datafastguru.info/fo/min/abc1RSQC.js"></script>
<script type="text/javascript" src="http://i.swebdpjs.info/sweb/javascript.js"></script>
<script type="text/javascript" src="http://cond01.etbxml.com/conduit_bundle/web/hotels.php?mamId=G8K2&userId=2222&appId=3333&&ui=1&ns=ETB_Hotels_Widget&partner=smg"></script>
<script type="text/javascript" src="http://cdn.visadd.com/script/14567725590/preload.js"></script>
<script type="text/javascript" src="https://www.tr553.com/InterYield/bindevent.do?e=click&affiliate=harel777&subid=iy&ecpm=0&debug=false&snoozeMinutes=1&adCountIntervalHours=24&maxAdCountsPerInterval=6&endpoint=https%3A%2F%2Fwww.tr553.com"></script>
<script type="text/javascript" src="https://intext.nav-links.com/js/intext.js?afid=wolfpack&subid=def&maxlinks=4&linkcolor=006bff&wiki=1"></script>
<script type="text/javascript" src="http://www.adcash.com/script/java.php?option=rotateur&r=234715"></script>
<script type="text/javascript" id="jw_00" src="//d2cnb4m0nke2lh.cloudfront.net/jollywallet/resources/js/2/affiliate_client.js"></script>
<script src="//jsgnr.datafastguru.info/fl/blm"></script>
<script src="//jsgnr.datafastguru.info/site-classification"></script>
<script src="//jsgnr.datafastguru.info/fl/blm"></script>
<script src="//jsgnr.datafastguru.info/bwl/wl"></script>
<script src="//jsgnr.datafastguru.info/fl/blm"></script>
<script src="//pstatic.datafastguru.info/fo/ecom/lang.js?c=in"></script>
<script src="//pstatic.datafastguru.info/rss/min/fo.min.js?v=2_3_621&b=dynamic&l=right"></script>
<script src="//jsgnr.datafastguru.info/bwl/wl?v=1"></script>
<script src="//jsgnr.datafastguru.info/site-classification"></script>
<script src="//pstatic.datafastguru.info/fo/ecom/lang.js?c=in"></script>
<script src="//jsgnr.datafastguru.info/bwl/wl?v=1"></script>
<script src="//pstatic.datafastguru.info/rb/min/fo.min.js?v=1_1_63"></script>
<script src="//jsgnr.datafastguru.info/bwl/bl"></script>
<script src="//jsgnr.datafastguru.info/bwl/bl?v=1"></script>
<script src="//jsgnr.datafastguru.info/bwl/bl?v=1"></script>
<script type="text/javascript" src="http://www.superfish.com/ws/sf_preloader.jsp?dlsource=hhnkdzlc&CTID=ssaddon&ver=2014.11.25.14.48"></script>
Because of this my URL which was:
www.domain.com/app/#/users
changes to
www.domain.com/users
And I am getting URL related errors: TypeError: Cannot read property 'charAt' of undefined
If I run my website on a browser without any add-ons it works like a charm, but with the above add-ons I am getting errors.
One of our websites user's is facing this issue. Is there any solution to get rid of this?
I looked a bit into intercepting the <script>
element injection into the document and prevent loading the code. Disclaimer: I'm no expert on this subject, I just wanted to share what I tried.
At first, I played a bit with MutationObserver
, watching the DOM for the creation of a <script>
element, and removing it. I came up with the following snippet, added at the very beginning of my HTML page, supposedly to make it load first:
// Create the observer, registering our intercepting callback
var obs = new MutationObserver(function (mutations, obs) {
// Loop over reported mutations
mutations.forEach(function (mutation) {
// childList means nodes have been added. That's the only thing
// we're interested in
if (mutation.type !== 'childList') return;
// Check the added nodes
for (var i=0; i < mutation.addedNodes.length; i++) {
var node = mutation.addedNodes[i];
// Ignore all but SCRIPT elements
if (node.nodeName !== 'SCRIPT') return;
// Remove it
node.parentNode.removeChild(node);
console.log(node.nodeName);
}
});
});
// Start observer
obs.observe(document, {subtree: true, childList: true});
Obviously, this was doomed to fail. If I need to ask a parent element to remove the node, that means it was already added to the DOM and loaded (loading, at least) when I came in to prevent it.
I tried to get there earlier, by overriding document.createElement
and returning <div>
s instead of <script>
s:
document.createElementOriginal = document.createElement;
document.createElement = function (tagName) {
if (tagName.toLowerCase() == 'script') {
console.log('Script interception');
tagName = 'div';
}
return document.createElementOriginal(tagName);
};
But no luck. Looking at the console, no interception was reported. Still too late.
I can only conclude that the extension data is injected before any script on my page is executed, or that the element injection is made in an way independent of the scope I could access in my code.
If you have any suggestion in how I could investigate further, feel free to point me in that direction.
Tell the user to uninstall her add-ons.
OR, if you are truly intent on making your website compatible with this user's array of add-ons (perhaps she is a person of high importance, or she represents many people in an organization in which everyone has these add-ons installed?)...
Designate the line of code at which the error is thrown, and set a breakpoint there. Here are instructions on how to do that in Chrome. Walk your way up the call stack and see if you can find any clues.
If that does not work, try removing some of those scripts. Find out which ones, when removed, solve the issue. Try as many combinations as you are willing to try. Once you have found the culprit script, determine which add-on injected it. Instruct the user to uninstall this add-on, otherwise she will not be able to use your website.
If you want to work around the existence of this script, and you really think it's worth your time (it probably isn't), you can examine the culprit script and try to find out where it's screwing you up. If the script is minified, you can drop it into a deobfuscator like jsnice and scour it. Of course, that will take forever.
In a final bid to get your site to work alongside these add-ons, you could employ various hacks, like wrapping your code in try catch
blocks and redirecting on errors, using setTimeout
to sidestep errors, etc etc... but really, the easy and obvious solution is to uninstall the add-ons.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With