I've recently started using a 3G mobile broadband usb stick. It's from T-Mobile, a UK mobile mmunications pany. All seemed well, until I tried to test a site which I've been developing locally on by uploading it to my live server.
When I look at the code of my live site, I can see that 2 things strange are happening:
A script is being inserted into the head of my documents specifically:
<script src=".js" language="javascript"></script>Is there something I can put in my code to prevent script insertion?
Normally my css is included in my page like:
<link href="style.css" rel="stylesheet" type="text/css" />
however now when I look in my source, the css has been inserted directly into the page between script tags like:
<style type="text/css" style="display:none">div.calendar{color:#000;font-family:Verdana,Geneva,Arial,Helvetica,sans-serif;-moz-box-shadow:0px.....
This is happening for some javascript files also.
What is going on?
I've recently started using a 3G mobile broadband usb stick. It's from T-Mobile, a UK mobile mmunications pany. All seemed well, until I tried to test a site which I've been developing locally on by uploading it to my live server.
When I look at the code of my live site, I can see that 2 things strange are happening:
A script is being inserted into the head of my documents specifically:
<script src="http://1.2.3.8/bmi-int-js/bmi.js" language="javascript"></script>Is there something I can put in my code to prevent script insertion?
Normally my css is included in my page like:
<link href="style.css" rel="stylesheet" type="text/css" />
however now when I look in my source, the css has been inserted directly into the page between script tags like:
<style type="text/css" style="display:none">div.calendar{color:#000;font-family:Verdana,Geneva,Arial,Helvetica,sans-serif;-moz-box-shadow:0px.....
This is happening for some javascript files also.
What is going on?
Share Improve this question edited May 30, 2012 at 14:40 Martijn Pieters 1.1m321 gold badges4.2k silver badges3.4k bronze badges asked Sep 26, 2010 at 20:08 MazatecMazatec 11.6k23 gold badges74 silver badges108 bronze badges 1- Please see my answer on stackoverflow./questions/4113268/… – pawciobiel Commented Oct 11, 2011 at 18:56
4 Answers
Reset to default 11The modifications you're seeing aren't actually present in your site's markup. I've visited your site and can verify this. What's happening is, T-Mobile is trying to "optimize" any site visited using your wireless stick, and doing a bad job of it. This guy's reporting the same problem:
It turns out that T-Mobile (and Vodafone UK) think it is appropriate to insert their own Javascript into each page which I visit, which pipes all images through a proxy to degrade their quality. However, due to an improperly terminated newline, this script cannot be parsed by Firefox or Opera in conjunction with any XHTML 1.1 or XML documents.
Here's the first few lines of your head, as I see it:
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>The Smile Zone | Home</title>
<link rel="stylesheet" type="text/css" href="manager/templates/smiletemplate/css/style.css" />
<link type="text/css" rel="stylesheet" href="http://www.jotform./css/styles/form.css?v3"/>
<link href="manager/templates/smiletemplate/css/calendarview.css" rel="stylesheet" type="text/css" />
I don't know if you can override this behavior of your wireless service, but you can rest assured that other visitors to your site aren't having the same issues.
In T-mobile it's called "Mobile Broadband Accelerator" You can Visit: http://accelerator.t-mobile.co.uk or http://1.2.3.50/ to disable/configure it. Also please have a look at Stop mobile network proxy from injecting JavaScript
If you load the website using SSL or browse using a VPN (or Tor) then your ISP won't be able to see the data to modify it. This doesn't necessarily help your users, though.
Is there something I can put in my code to prevent script insertion?
If you set the Content-Security-Policy HTTP header for your website, you'll be able to stop the injected script from being able to load in modern browsers.
See "html5rocks: An Introduction to Content Security Policy" to get started. However, with such a policy you'll have to be careful not to deny resources that your own website requires, e.g. Google fonts, CDNs, etc. and that can be time-consuming to get right.
Example, the following HTTP header will only allow modern browsers to fetch resources from your website's own domain, thus preventing the external BMI script from being fetched:
Content-Security-Policy: default-src 'self';