All geek questions in one place

How to check if a script is valid before including it

This may be a stupid question, but I will take risks.

On my site, I include the following script file:

<script src="http://connect.facebook.net/en_US/all.js"></script>

This will usually work fine. However, when I work, we have a firewall that blocks any traffic for facebook.com or facebook.net, because obviously no employee has enough self-control to not allow themselves to play Farmville all day, and not work .

This way, when the script loads, it actually produces a bunch of HTML indicating that the site is blocked. Since this is HTML and invalid Javascript, the browser throws script errors. Notice, I still get HTTP 200, so I cannot catch errors this way.

I agree that this is an extreme case, since only a small percentage of users will try to access my site because of a firewall that blocks Facebook traffic, but I still wonder if there is anything relative I can do to check so that the link returns valid Javascript or perhaps surrounds the loading of the script in a giant try / catch block and correctly handles errors. Any ideas would be greatly appreciated!

UPDATE:

Here are the HTTP headers from the firewall error page. Perhaps I can look at the heading for "content-type", which I suppose will be text / javascript if the content was valid.

 HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: text/html; charset=utf-8 Proxy-Connection: Keep-Alive Connection: Keep-Alive Content-Length: 4774
+4
source share
3 answers

Unfortunately, you will not be able to verify that connect.facebook.net is not blocked because it is served from a different Origin than your document.

This means that you cannot use XHR to issue a HEAD request and make sure that the content type is really text/javascript - XHR does not make a request for cross Origin by default, and connect.facebook.net does not support CORS :

 OPTIONS http://connect.facebook.net/en_US/all.js HTTP/1.1 Host: connect.facebook.net Access-Control-Request-Method: GET Access-Control-Request-Headers: Origin, X-Requested-With, Accept HTTP/1.1 501 Not Implemented Server: AkamaiGHost Mime-Version: 1.0 Content-Type: text/html Content-Length: 272 Connection: close

Technically speaking, the filtering / firewall software in question is incorrect in that when it blocks the site, it provides a success status code ( 200 ) when it should provide an error code ( 4xx or 5xx ). If he answered correctly with the error condition, browswer would not parse the response body as a script (thereby causing errors).

+1
source

Here's how to make a reserve:

 <script src="//ajax.googleapis.com/ajax/libs/jquery/1.6.4/jquery.js"></script> <script>window.jQuery || document.write("<script src='js/libs/jquery-1.6.4.min.js'>\x3C/script>")</script>

In this case, he is trying to download jquery from googleapis.com. If it is blocked or inaccessible, it loads local jQuery.

You can use the same technique. Make a second script to determine if the facebook script file is uploaded. If it is not loaded, do not run any associated script with it.

+1
source

After looking at your editing, you can check the response content type through ajax, and when not adding a script to text/html : use <xhr>.getResponseHeader("Content-Type");

Edit: As josh3736 pointed out, a cross-site request is not allowed through javascript, so you will also need to call an internal resource (written in server language) that acts as a proxy server and will try to get the script by returning its content type (e.g. look at this discussion: php, curl, headers and content-type )

+1
source

Source: https://habr.com/ru/post/1394430/

More articles:


All Articles