Stop mobile network proxy from entering JavaScript

Question

Stop mobile network proxy from entering JavaScript

I use a mobile network internet connection and the source code is rewritten when it presents the site to the end user.

My site looks great in the local host, but when I browse the site from a remote server over a mobile network connection, the site looks bad.

Checking the source code, I found that part of the JavaScript code is being injected into my pages, which disables some CSS that makes the site look bad.

I don't want image compression or bandwidth compression instead of my well-designed CSS.

How can I prevent or stop a mobile network provider (in this case Vodafone) from a proxy injecting JavaScript into my source code?

+43

javascript proxy

Masud Rahman Nov 06 '10 at 13:25

source share

13 answers

ppumkin · Answer 1 · 2011-06-03 16:29

You can use this on your pages. It still compresses and puts everything in a row, but it does not break scripts like jquery because it will avoid everything based on W3C standards

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

On your server you can install the cahce control

 "Cache-Control: no-transform"

This will stop ALL modifications and present your site as it is!

Reference documents here

http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.5

http://stuartroebuck.blogspot.com/2010/08/official-way-to-bypassing-data.html

Website demonstrates JavaScript error on iPad / iPhone under 3G but not under WiFi

bobince · Answer 2 · 2010-11-06 14:32

You, of course, are not the first. Unfortunately, many wireless providers have used this rude and undesirable compression approach. It comes from Bytemobile .

What it does is proxy recompress all the images you have selected by default (which significantly degrades the image quality). Then it roughly injects a script into your document, which adds the ability to load the correct image for each re-compressed image. Unfortunately, since the script is a horribly written JS style in the style of the 1990s, it holds the entire space of your namespace, captures your event handlers, and is very likely to ruin your own scripts.

I do not know how to stop the injection itself without using HTTPS. But what you can do is detect or sabotage the script. For example, if you added a script near the end of the document (between the inclusion of 1.2.3.4 script and the script's built-in trigger) to associate it with the loader:

 <script type="text/javascript"> bmi_SafeAddOnload= function() {}; </script>

then the script will not run, so your events and the DOM will be left alone. On the other hand, the original script would still leave your namespace garbage, and all the markup problems that it causes would still be present. In addition, the user will be stuck with re-compressed images, unable to receive originals.

You can try just telling the user:

 <script type="text/javascript"> if ('bmi_SafeAddOnload' in window) { var el= document.createElement('div'); el.style.border= 'dashed red 2px'; el.appendChild(document.createTextNode( 'Warning. Your wireless ISP is using an image recompression system '+ 'that will make pictures look worse and which may stop this site '+ 'from working. There may be a way for you to disable this feature. '+ 'Please see your internet provider account settings, or try '+ 'using the HTTPS version of this site.' )); document.body.insertBefore(el, document.body.firstChild); } </script>

Alexander Janssen · Answer 3 · 2011-09-23 19:11

Your ISP may have enabled Bytemobile Unison called Client Personalization. Try to access the fixed URL http://1.2.3.50/ups/ - if it is configured, you will be taken to a page that offers you to disable all the function you like. Including Javascript injection.

Good luck Alex

Russell Harkins · Answer 4 · 2013-03-07 20:30

If you write your own websites, adding a title for me:

 PHP: Header("Cache-Control: no-transform"); C#: Response.Cache.SetNoTransforms(); VB.Net: Response.Cache.SetNoTransforms()

Be sure to use it before any data is sent to the browser.

Cam Jackson · Answer 5 · 2015-12-26 22:04

I am surprised that no one has put this as an answer. The real solution:

USE HTTPS!

This is the only way to prevent Internet service providers (or anyone else) from checking all your traffic, tracking visitors and changing your site in flight.

With the advent of Let encrypt, getting a certificate is now free and easy. There really is no reason not to use HTTPS on this day and age.

You should also use a combination of redirects and HSTS to get all your users on HTTPS.

mgutt · Answer 6 · 2013-03-19 11:45

I found a trick. Just add:

 <!--<![-->

After:

 <html>

Additional Information (in German):

http://www.programmierer-forum.de/bmi-speedmanager-und-co-deaktivieren-als-webmaster-t292182.htm#3889392

pawciobiel · Answer 7 · 2011-10-11 18:38

BMI is not only at Vodafone. Verginmedia UK and T-Mobile UK also provide you with this additional feature by default and for free. ;-) In T-mobile it is called "Mobile Broadband Accelerator", you can visit: http://accelerator.t-mobile.co.uk or http://1.2.3.50/ to configure it.

If the above does not apply to you or for some reason is not an option, you can configure a local proxy (Polipo w / wo Tor) There is also a Firefox add-on called a “block site”, or as a more decisive approach reset tcp to 1.2.3.0/24 : 80 on your firewall. But, unfortunately, this will not eliminate the damage.

It's funny that T-mobile and Verginmedia's mobile / broadband support are unaware of this feature! (2011.10.11)

Bob · Answer 8 · 2013-05-21 23:03

PHP: header ("Cache-Control: no-transform"); Thank you I'm glad I found this page.

This injector script messed up my php page source code, making me think that I made a mistake in my php encoding while viewing the page source. Despite the fact that the script was blocked by the addition of firefox NoScript. It still messed up my code. Well, after this annoying dilemma, I wanted to completely get rid of it, and not just block it by adding adblock or noscript firefox or just on my php page.

STOP http://1.2.3.4 Completely in Firefox : get the add: Change Headers .
Go to the change header add on options ... now on the header tab.
Choose action: select ADD.
Header Header Type: Cache Management
For heading Value type in: no-transform
For the type of comments in: Block 1.2.3.4
Click Add ... Then click Start.

1.2.3.4 the script will not be entered on other pages! Yes!

I no longer see 1.2.3.4 being blocked by NoScript. because it is not. Yes.

But I still add: PHP: Header ("Cache-Control: no-transform"); to my php pages.

jaredwilli · Answer 9 · 2012-11-06 18:06

If you get it on a site that you have or are developing, you can simply override the function by setting it to null. This is what worked just fine for me.

 bmi_SafeAddOnload = null;

As for getting it on other sites that you visit, then you can probably open the devtools console and just enter them there and destroy it if the page takes a long time to load. However, this has not yet been verified.

David Thomas · Answer 10 · 2015-03-03 01:09

I added to /etc/hosts

 1.2.3.4 localhost

He seems to have fixed it.

Falkenj80 · Answer 11 · 2015-06-16 14:44

Nothing is working for me. Then I replace the image URL every second, because when my DOM updates, the problem is here again. Another solution is to use only the auto background style in the pages. Nothing is clean.

 setInterval(function(){ imageUpdate(); }, 1000); function imageUpdate() { console.log('######imageUpdate'); var image = document.querySelectorAll("img"); for (var num = 0; num < image.length; num++) { if (stringBeginWith(image[num].src, "http://1.1.1.1/bmi/***yourfoldershere***")) { var str=image[num].src; var res=str.replace("http://1.1.1.1/bmi/***yourfoldershere***", ""); image[num].src = res; console.log("replace"+str+" by "+res); /* other solution is to push img src in data-src and push after dom loading all your data-src in your img src var data-str=image[num].data-src; image[num].src = data-str; */ } } } function stringEndsWith(string, suffix) { return string.indexOf(suffix, string.length - suffix.length) !== -1 } function stringBeginWith(string, prefix) { return string.indexOf(prefix, prefix.length-string.length) !== -1 }

wyqydsyq · Answer 12 · 2013-04-04 09:26

The effective solution I found was to change the hosts file ( /etc/hosts on systems like Unix / Linux, C:\Windows\System32\drivers\etc on Windows) so that:

 null 1.2.3.4

Which effectively matches all requests from 1.2.3.4 to null . Tested with my Crazy Johns (owned by Vofafone) mobile broadband. If your ISP uses a different IP address for the entered script, just change it to that IP.

Mahesh Sanatan · Answer 13 · 2014-12-19 17:02

Title ("Cache-Control: no-transform");

use the above php code in every php file and you will get rid of 1.2.3.4 code injection.

It's all.

I also suffered from the same problem, now it is fixed. Give it a try.

Stop mobile network proxy from entering JavaScript

More articles: