 

My scripts are inlined by some mobile carriers - How to deal with that?

Some pages aren't correctly received on mobile phones (many of them in France): JavaScript script elements are inlined.

Instead of having

 <script src="static/jquery-2.1.3.min.js"></script>

I have

 <script> ... content of the whole jQuery script ... </script>

As the Content Security Policy header I set forbids inline scripts, modern browsers block the execution of the script.

Is there a way to deal with that other than using HTTPS? Maybe some way to specify that the page shouldn't be rewritten by third parties?

Notes:

  • the CSP header isn't enough of a hint for the third party doing the transformation
  • the Cache-Control: no-transform header is ignored as well
  • any answer involving the addition of an inline script isn't an answer, as the goal is to remove all inline scripts for security
  • the problem isn't related to the injection of supplementary scripts (that wouldn't break my site, as the browser is instructed not to execute them) but to the inlining of the existing scripts
  • the problem isn't specific to any operator: I'm looking for a (reasonably) general solution
Denys Séguret asked Feb 19 '15 17:02



1 Answer

Not the most elegant solution, but you can always try to trick the ISP into thinking it is not a JS resource by changing the file extension (which would probably induce a change in the MIME type in the header you send).

Serve the file as jquery.java or with some other extension. Again, not the most elegant solution, but as tadman says in the comments, sometimes it isn't easy to deal with jerks.

4 revs, 3 users 57% answered Sep 29 '22 11:09
