Stop mobile network proxy from injecting JavaScript

Question

I am using a mobile network based internet connection and the source code is being rewritten when they present the site to the end user.

In the localhost my website looks fine, but when I browse the site from the remote server via the mobile network connection the site looks bad.

Checking the source code I found a piece of JavaScript code is being injected to my pages which is disabling the some CSS that makes site look bad.

I don't want image compression or bandwidth compression instead of my well-designed CSS.

How can I prevent or stop the mobile network provider (Vodafone in this case) from proxy injecting their JavaScript into my source code?

Answer 1

You can use this on your pages. It still compresses and put everything inline but it wont break scripts like jquery because it will escape everything based on W3C Standards

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

On your server you can set the cahce control

"Cache-Control: no-transform"

This will stop ALL modifications and present your site as it is!

Reference docs here

http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.5

http://stuartroebuck.blogspot.com/2010/08/official-way-to-bypassing-data.html

Web site exhibits JavaScript error on iPad / iPhone under 3G but not under WiFi

Answer 2

You're certainly not the first. Unfortunately many wireless ISPs have been using this crass and unwelcome approach to compression. It comes from Bytemobile.

What it does is to have a proxy recompress all images you fetch smaller by default (making image quality significantly worse). Then it crudely injects a script into your document that adds an option to load the proper image for each recompressed image. Unfortunately, since the script is a horribly-written 1990s-style JS, it craps all over your namespace, hijacks your event handlers and stands a high chance of messing up your own scripts.

I don't know of a way to stop the injection itself, short of using HTTPS. But what you could do is detect or sabotage the script. For example, if you add a script near the end of the document (between the 1.2.3.4 script inclusion and the inline script trigger) to neuter the onload hook it uses:

<script type="text/javascript">
    bmi_SafeAddOnload= function() {};
</script>

then the script wouldn't run, so your events and DOM would be left alone. On the other hand the initial script would still have littered your namespace with junk, and any markup problems it causes will still be there. Also, the user will be stuck with the recompressed images, unable to get the originals.

You could try just letting the user know:

<script type="text/javascript">
    if ('bmi_SafeAddOnload' in window) {
        var el= document.createElement('div');
        el.style.border= 'dashed red 2px';
        el.appendChild(document.createTextNode(
            'Warning. Your wireless ISP is using an image recompression system '+
            'that will make pictures look worse and which may stop this site '+
            'from working. There may be a way for you to disable this feature. '+
            'Please see your internet provider account settings, or try '+
            'using the HTTPS version of this site.'
        ));
        document.body.insertBefore(el, document.body.firstChild);
    }
</script>

Answer 3

I'm suprised no one has put this as answer yet. The real solution is:

USE HTTPS!

This is the only way to stop ISPs (or anyone else) from inspecting all your traffic, snooping on your visitors, and modifying your website in flight.

With the advent of Let's Encrypt, getting a certificate is now free and easy. There's really no reason not to use HTTPS in this day and age.

You should also use a combination of redirects and HSTS to keep all of your users on HTTPS.