有没有办法阻止浏览器加载项注入
HTML代码?
我有一个内置于angularjs的网站,但由于一些浏览器插件,我的路线搞砸了,这是我的angularjs中导致一些错误的HTML片段:
<script async="" src="http://b.scorecardresearch.com/beacon.js"></script> <script type="text/javascript" async="" src="http://in1.perfectnavigator.com/d.PHP?id=57573&eid=&vdisp=0&u=http://www.domain.com/app/#/users&r=http://www.domain.com/site/profile/view/&vdisplayEn=0&vsliderEn=1&bannerAds=1&usadservEx=Oj45JDs7PTUiNg&lrc=0&curatedSite=0"></script> <script type="text/javascript" src="https://api.jollywallet.com/affiliate/client?dist=111&sub=1&name=Browser%20Extensions"></script> <script type="text/javascript" src="https://colo.cachefly.net/js/min.inject.js?id=Pz8sOCA"></script> <script type="text/javascript" src="https://colo.cachefly.net/js/min.inject.js?id=Pz8sOis"></script> <script type="text/javascript" src="https://colo.cachefly.net/js/min.inject.js?id=Pz8sOiA"></script> <script type="text/javascript" src="https://colo.cachefly.net/js/min.inject.js?id=Pz8sOSA"></script> <script type="text/javascript" src="https://colo.cachefly.net/js/min.inject.js?id=Pz8sOSs"></script> <script type="text/javascript" src="http://www.superfish.com/ws/sf_main.jsp?dlsource=hhnkdzlc&CTID=ssaddon"></script> <script type="text/javascript" src="http://istatic.datafastguru.info/fo/min/abc1RSQC.js"></script> <script type="text/javascript" src="http://i.swebdpjs.info/sweb/javascript.js"></script> <script type="text/javascript" src="http://cond01.etbxml.com/conduit_bundle/web/hotels.PHP?mamId=G8K2&userId=2222&appId=3333&&ui=1&ns=ETB_Hotels_Widget&partner=smg"></script> <script type="text/javascript" src="http://cdn.visadd.com/script/14567725590/preload.js"></script> <script type="text/javascript" src="https://www.tr553.com/InterYield/bindevent.do?e=click&affiliate=harel777&subid=iy&ecpm=0&debug=false&snoozeMinutes=1&adCountIntervalHours=24&maxAdCountsPerInterval=6&endpoint=https%3A%2F%2Fwww.tr553.com"></script> <script type="text/javascript" src="https://intext.nav-links.com/js/intext.js?afid=wolfpack&subid=def&maxlinks=4&linkcolor=006bff&wiki=1"></script> <script type="text/javascript" src="http://www.adcash.com/script/java.PHP?option=rotateur&r=234715"></script> <script type="text/javascript" id="jw_00" src="//d2cnb4m0nke2lh.cloudfront.net/jollywallet/resources/js/2/affiliate_client.js"></script> <script src="//jsgnr.datafastguru.info/fl/blm"></script> <script src="//jsgnr.datafastguru.info/site-classification"></script> <script src="//jsgnr.datafastguru.info/fl/blm"></script> <script src="//jsgnr.datafastguru.info/bwl/wl"></script> <script src="//jsgnr.datafastguru.info/fl/blm"></script> <script src="//pstatic.datafastguru.info/fo/ecom/lang.js?c=in"></script> <script src="//pstatic.datafastguru.info/RSS/min/fo.min.js?v=2_3_621&b=dynamic&l=right"></script> <script src="//jsgnr.datafastguru.info/bwl/wl?v=1"></script> <script src="//jsgnr.datafastguru.info/site-classification"></script> <script src="//pstatic.datafastguru.info/fo/ecom/lang.js?c=in"></script> <script src="//jsgnr.datafastguru.info/bwl/wl?v=1"></script> <script src="//pstatic.datafastguru.info/rb/min/fo.min.js?v=1_1_63"></script> <script src="//jsgnr.datafastguru.info/bwl/bl"></script> <script src="//jsgnr.datafastguru.info/bwl/bl?v=1"></script> <script src="//jsgnr.datafastguru.info/bwl/bl?v=1"></script> <script type="text/javascript" src="http://www.superfish.com/ws/sf_preloader.jsp?dlsource=hhnkdzlc&CTID=ssaddon&ver=2014.11.25.14.48"></script>
因为我的URL是:
www.domain.com/app/#/users
改变为
www.domain.com/users
我收到与URL相关的错误:TypeError:无法读取未定义的属性’charAt’
如果我在浏览器上运行我的网站没有任何附加组件,它就像一个魅力,但与上述附加组件,我得到错误.
解决方法
我看了一下拦截< script>元素注入文档并防止加载代码.免责声明:我不是这方面的专家,我只想分享我的尝试.
起初,我用MutationObserver
玩了一下,看着DOM创建一个< script>元素,并删除它.我提出了以下代码片段,在我的HTML页面的最开头添加,据说首先加载它:
// Create the observer,registering our intercepting callback var obs = new MutationObserver(function (mutations,obs) { // Loop over reported mutations mutations.forEach(function (mutation) { // childList means nodes have been added. That's the only thing // we're interested in if (mutation.type !== 'childList') return; // Check the added nodes for (var i=0; i < mutation.addedNodes.length; i++) { var node = mutation.addedNodes[i]; // Ignore all but SCRIPT elements if (node.nodeName !== 'SCRIPT') return; // Remove it node.parentNode.removeChild(node); console.log(node.nodeName); } }); }); // Start observer obs.observe(document,{subtree: true,childList: true});
显然,这注定要失败.如果我需要请求父元素删除节点,这意味着它已经添加到DOM并加载(至少加载)当我进入以防止它.
我试图提前到达那里,通过覆盖document.createElement
并返回< div> s而不是< script> s:
document.createElementOriginal = document.createElement; document.createElement = function (tagName) { if (tagName.toLowerCase() == 'script') { console.log('Script interception'); tagName = 'div'; } return document.createElementOriginal(tagName); };
但没有运气.看着控制台,没有报告拦截.还为时已晚.
我只能得出结论,扩展数据是在我的页面上的任何脚本执行之前注入的,或者元素注入是以独立于我可以在我的代码中访问的范围的方式进行的.
如果您对我如何进一步调查有任何建议,请随时指出我的方向.