I have a very simple bit of code on a website
jQuery("#slist").load("sg-custom-code/SG-ajaxGetPastProds.php",{pd: jQuery(this).val()});
The path 'sg-custom-code' is off the root of the site. However the (Joomla) site uses SEO-friendly urls so it appends the apparent url of the page root (derived from the menu path) and tries to go to https://xxx.co.uk/everything-else/players/past-productions/sg-custom-code/.... and of course fails. The actual url should obviously be https://xxx.co.uk/sg-custom-code....
I can fix it by writing
jQuery("#slist").load("https://xxx.co.uk/sg-custom-code/SG-ajaxGetPastProds.php",{pd: jQuery(this).val()});
... but if a user then uses www.xxx.co.uk instead of xxx.co.uk it will fail with a CORS error!
Any ideas for how to work around this?
Edit: While trying to find the solution, the topic has changed a bit - TL;DR: See the answer. For all interested in the development of the topic, go on ;-)
The title might be confusing, but I don't know how to put it in better words - let's say I have a simple view function:
#app.route('/chart')
def chart():
return render_template('chart.html')
If I open now directly this view in the browser, via "http://localhost:5000/start", it works perfectly fine - the javascript stuff works as expected (drawing a chart, using a slider to call different views etc.).
However, using a link from an other template does not work, e.g. I have a root view:
#app.route('/')
def index():
return render_template('index.html')
and inside of this index.html a link directed to '/chart':
Chart
Now, pressing that link, it loads my template, I can see the basic html stuff, but the javascript code doesn't load/start at all (also the source code received by the browser is proper). In both scenarios the server receives the same command:
127.0.0.1 - - [13/May/2015 10:48:18] "GET /chart HTTP/1.1" 200 -
But only if I open it directly in the browser it works as expected.
Is there something wrong with my link/redirect?
Edit: I found the one single line which causes the problems: In my index.html I'm loading jQuery mobile:
<script src="http://code.jquery.com/mobile/1.4.5/jquery.mobile-1.4.5.min.js"></script>
Removing this line, everything works as expected - but of course I do wan't to have it included, why and how can this influence the link behavior?
By default, jQuery uses Ajax to handle page requests. This allows for smooth transition between pages (without the page refresh feel), but it also means that only the body of the requested page will be loaded - and therefore no javascript libraries included in the header.
Therefore all necessary javascript has to be included in the header of the original site, or instead a page request has to be done without ajax, using the data-ajax="false"attribute. This will do a real page refresh, without ajax transition.
For more information read this.
This question has nothing to do with the mixed content error. About to launch a site. When i navigate from http://example.com to https://example.com, i notice that the css/js/etc is redownloaded as i am using root relative paths: .
Using an http sniffer i see that the browser thinks https://www.example.com/_css/main.css is different than http://www.example.com/_css/main.css (its not). Thus the same exact content is downloaded twice causing the site to look slow navigating from http to https (if the user doesn't have both versions cached already).
Is there anyway to stop this? The user will almost always hit up the non-ssl version of the site first so is there a script that will wait until the http content is loaded than maybe force a https version into the users cache? Or should i just use absolute paths (https://www.example.com/_css/main.css) on ever page and on every css background image (only 2 i use sprites). Or do we just live with it? Thanks.
Using an http sniffer i see that the browser thinks https://www.mysite.com/_css/main.css is different than http://www.mysite.com/_css/main.css (its not).
It is a different resource with identical content. The browser has no way to know that they are going to have the same content.
You can redirect (with a 301) from one to the other so you don't have a non SSL version.
Is there anyway to stop this?
Not really.
The user will almost always hit up the non-ssl version of the site first so is there a script that will wait until the http content is loaded than maybe force a https version into the users cache?
No. It would be a horrible security problem if a URL could precache content for arbitrary other URLs.
Or should i just use absolute paths (https://www.mysite.com/_css/main.css) on ever page and on every css background image (only 2 i use sprites).
That would work, but lead to mixed content issues.
Or do we just live with it?
Yes.
There are a couple ways to fix this.
Use a base tag. Then use relative paths for your resources and caching will be perceived to work for http and https, though really it was just loaded on https already. Demonstration
<base href="https://example.com/" />
Redirect everything to SSL when the user hits the site the Apache way (Redirect SSL)
Redirect permanent / https://example.com/login
You can use an .htaccess RewriteRule to load the https content every time; or a redirect header specified in the http version of the html would work more slowly (extra round-trip) but otherwise just as well, I believe.
Use protocol-relative paths.
Instead of this
<link rel="stylesheet" href="http://domain.com/style.css">
<link rel="stylesheet" href="https://domain.com/style.css">
use this
<link rel="stylesheet" href="//domain.com/style.css">
then it will use the protocol of the parent page.
You can reference the files without the protocol specifier, e.g.:
<link rel="stylesheet" type="text/css" href="//mysite.com/_css/main.css" />
See this post for more details:
Can I change all my http:// links to just //?
I am using a mobile network based internet connection and the source code is being rewritten when they present the site to the end user.
In the localhost my website looks fine, but when I browse the site from the remote server via the mobile network connection the site looks bad.
Checking the source code I found a piece of JavaScript code is being injected to my pages which is disabling the some CSS that makes site look bad.
I don't want image compression or bandwidth compression instead of my well-designed CSS.
How can I prevent or stop the mobile network provider (Vodafone in this case) from proxy injecting their JavaScript into my source code?
You can use this on your pages. It still compresses and put everything inline but it wont break scripts like jquery because it will escape everything based on W3C Standards
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
On your server you can set the cahce control
"Cache-Control: no-transform"
This will stop ALL modifications and present your site as it is!
Reference docs here
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.5
http://stuartroebuck.blogspot.com/2010/08/official-way-to-bypassing-data.html
Web site exhibits JavaScript error on iPad / iPhone under 3G but not under WiFi
You're certainly not the first. Unfortunately many wireless ISPs have been using this crass and unwelcome approach to compression. It comes from Bytemobile.
What it does is to have a proxy recompress all images you fetch smaller by default (making image quality significantly worse). Then it crudely injects a script into your document that adds an option to load the proper image for each recompressed image. Unfortunately, since the script is a horribly-written 1990s-style JS, it craps all over your namespace, hijacks your event handlers and stands a high chance of messing up your own scripts.
I don't know of a way to stop the injection itself, short of using HTTPS. But what you could do is detect or sabotage the script. For example, if you add a script near the end of the document (between the 1.2.3.4 script inclusion and the inline script trigger) to neuter the onload hook it uses:
<script type="text/javascript">
bmi_SafeAddOnload= function() {};
</script>
then the script wouldn't run, so your events and DOM would be left alone. On the other hand the initial script would still have littered your namespace with junk, and any markup problems it causes will still be there. Also, the user will be stuck with the recompressed images, unable to get the originals.
You could try just letting the user know:
<script type="text/javascript">
if ('bmi_SafeAddOnload' in window) {
var el= document.createElement('div');
el.style.border= 'dashed red 2px';
el.appendChild(document.createTextNode(
'Warning. Your wireless ISP is using an image recompression system '+
'that will make pictures look worse and which may stop this site '+
'from working. There may be a way for you to disable this feature. '+
'Please see your internet provider account settings, or try '+
'using the HTTPS version of this site.'
));
document.body.insertBefore(el, document.body.firstChild);
}
</script>
I'm suprised no one has put this as answer yet. The real solution is:
USE HTTPS!
This is the only way to stop ISPs (or anyone else) from inspecting all your traffic, snooping on your visitors, and modifying your website in flight.
With the advent of Let's Encrypt, getting a certificate is now free and easy. There's really no reason not to use HTTPS in this day and age.
You should also use a combination of redirects and HSTS to keep all of your users on HTTPS.
You provider might have enabled a Bytemobile Unison feature called "clientless personalization". Try accessing the fixed URL http://1.2.3.50/ups/ - if it's configured, you will end up on a page which will offer you to disable all feature you don't like. Including Javascript injection.
Good luck!
Alex.
If you're writing you own websites, adding a header worked for me:
PHP:
Header("Cache-Control: no-transform");
C#:
Response.Cache.SetNoTransforms();
VB.Net:
Response.Cache.SetNoTransforms()
Be sure to use it before any data has been sent to the browser.
I found a trick. Just add:
<!--<![-->
After:
<html>
More information (in German):
http://www.programmierer-forum.de/bmi-speedmanager-und-co-deaktivieren-als-webmaster-t292182.htm#3889392
BMI js it's not only on Vodafone. Verginmedia UK and T-Mobile UK also gives you this extra feature enabled as default and for free. ;-)
In T-mobile it's called "Mobile Broadband Accelerator"
You can Visit:
http://accelerator.t-mobile.co.uk
or
http://1.2.3.50/
to configure it.
In case the above doesn't apply to you or for some reason it's not an option
you could potentially set-up your local proxy (Polipo w/wo Tor)
There is also a Firefox addon called "blocksite"
or as more drastic approach reset tcp connection to 1.2.3.0/24:80 on your firewall.
But unfortunately that wouldn't fix the damage.
Funny enough T-mobile and Verginmedia mobile/broadband support is not aware about this feature! (2011.10.11)
PHP: Header("Cache-Control: no-transform"); Thanks!
I'm glad I found this page.
That Injector script was messing up my php page source code making me think I made an error in my php coding when viewing the page source. Even though the script was blocked with firefox NoScript add on. It was still messing up my code.
Well, after that irritating dilemma, I wanted to get rid of it completely and not just block it with adblock or noscript firefox add ons or just on my php page.
STOP http:// 1.2.3.4 Completely in Firefox: Get the add on: Modify
Headers.
Go to the modify header add on options... now on the Header Tab.
Select Action: Choose ADD.
For Header Name type in: cache-control
For Header Value type in: no-transform
For Comment type in: Block 1.2.3.4
Click add... Then click Start.
The 1.2.3.4 script will not be injected into any more pages! yeah!
I no longer see 1.2.3.4 being blocked by NoScript. cause it's not there. yeah.
But I will still add: PHP: Header("Cache-Control: no-transform"); to my php pages.
If you are getting it on a site that you own or are developing, then you can simply override the function by setting it to null. This is what worked for me just fine.
bmi_SafeAddOnload = null;
As for getting it on other sites you visit, then you could probably open the devtools console and just enter that into there and wipe it out if a page is taking a long time to load. Haven't yet tested that though.
Ok nothing working to me. Then i replace image url every second because when my DOM updates, the problem is here again. Other solution is only use background style auto include in pages. Nothing is clean.
setInterval(function(){ imageUpdate(); }, 1000);
function imageUpdate() {
console.log('######imageUpdate');
var image = document.querySelectorAll("img");
for (var num = 0; num < image.length; num++) {
if (stringBeginWith(image[num].src, "http://1.1.1.1/bmi/***yourfoldershere***")) {
var str=image[num].src;
var res=str.replace("http://1.1.1.1/bmi/***yourfoldershere***", "");
image[num].src = res;
console.log("replace"+str+" by "+res);
/*
other solution is to push img src in data-src and push after dom loading all your data-src in your img src
var data-str=image[num].data-src;
image[num].src = data-str;
*/
}
}
}
function stringEndsWith(string, suffix) {
return string.indexOf(suffix, string.length - suffix.length) !== -1
}
function stringBeginWith(string, prefix) {
return string.indexOf(prefix, prefix.length-string.length) !== -1
}
An effective solution that I found was to edit your hosts file (/etc/hosts on Unix/Linux type systems, C:\Windows\System32\drivers\etc on Windows) to have:
null 1.2.3.4
Which effectively maps all requests to 1.2.3.4 to null. Tested with my Crazy Johns (owned by Vofafone) mobile broadband. If your provider uses a different IP address for the injected script, just change it to that IP.
Header("Cache-Control: no-transform");
use the above php code in your each php file and you will get rid of 1.2.3.4 code injection.
That's all.
I too was suffering from same problem, now it is rectified. Give a try.
I added to /etc/hosts
1.2.3.4 localhost
Seems to have fixed it.
I have built an iPhone webapp using PHP. The main (and only) page includes the apple-mobile-web-app-capable and apple-touch-fullscreen meta tags so that it can run fullscreen once added to the homescreen. However, it seems every time I launch the app from the homescreen, the cache version of the page is used instead of refreshing the page (and of course, I need the page to be updated on startup, and cannot use Ajax here - need to dynamically authenticate the user with SSO phpCAS). I did not use any manifest file and tried adding meta tags about cache without success. Does anybody know how to fix this?
Thanks
What meta tags have you tried?
<META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
should tell Safari not to cache, but I have not tried them.
You could use javascript to load your "real" startup page from the cached page using any of the standard techniques to make the URL unique, such as adding a random number.
That might even work for the main startup page, but I doubt it. Worth a try, though.
I suggest the cached page load a new page only if it is on the springboard:
UNTESTED suggestion:
window.onload = function () {
if (navigator.standalone) {
document.location.href = 'http://your.com/whatever.php?randomjunk=1234') }
}
so if the page is in the browser it can give instructions on saving to the home screen and if it is run from the home screen it will load the real page.
I know when you include a manifest file the main page is cached automatically, but I didn't think it happened when just using ...web-app-capable. Have you tried using a cache manifest file and listing your page under "Network:" to explicitly exclude it from this method of caching? If it isn't this it must be to do with the header and the meta information there.