4

I've started to notice this error on my Chrome dev tools. It appears after every http request.

Resource interpreted as Script but transferred with MIME type text/html: "http://www.superfish.com/ws/sf_main.jsp?dlsource=diigo&userId=153ec8d45ab00bb0221c814e5d659bee"

I logged on to Superfish.com and I've not used any of their service to my knowledge.

What is this notice/error exactly and how do I fix/get rid of it?

Hass
  • 1,628
  • 1
  • 18
  • 31
  • Duplicate: http://stackoverflow.com/questions/5349939/resource-interpreted-as-script-but-transferred-with-mime-type-text-html – Alexander Pavlov Jun 25 '13 at 09:36
  • @AlexanderPavlov Thanks but I'm not loading any jQuery's – Hass Jun 25 '13 at 10:37
  • Whatever `http://www.superfish.com/ws/sf_main.jsp?dlsource=diigo&userId=153ec8d45ab00bb0221c814e5d659bee` is, it is transferred with the content-type of `text/html`, not `application/javascript` or something, as it should – Alexander Pavlov Jun 25 '13 at 11:17
  • 1
    The question is what the heck is this superfish thing? It wants to load on a simple localhost page without any fancy scripts loaded. It may be one of the extensions. – István Ujj-Mészáros Sep 08 '13 at 19:04

3 Answers3

5

Superfish is adware, commonly bundled with existing Chrome extensions. You should look through your list of extensions and check whether there is any suspicious-looking extension.

Find and remove Superfish

  1. Locate your Chrome profile directory. The default locations are listed at User Data Directory on chromium.org.
  2. Go to the Default\Extensions subdirectory of your user profile (if you're using multiple Chrome profiles on your computer, "Default" might be something else).
  3. Search for "superfish", and you will quickly find a file that contains this phrase.
  4. Look at the path (e.g. C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcheapnmfbmcccnbjhhkmleoiljgpmkl\js\sf-inject.js) and copy that 32-character phrase.
  5. Go to the extensions page in your Chrome browser (chrome://extensions/).
  6. Search for the extension with the given ID, and remove it.

How to identify bad extensions

Now you've removed it, you should take precautions to not get such extensions again. Fortunately, there are some indicators that you can use to spot such extensions:

  • They require the "Access your data on all websites" permission.
    Most extensions don't need this permission, be suspicious if you see it.
  • They are relatively popular (a few thousand users at minimum).
  • They are used for entertainment. In particular, if the extension "enhances" Facebook, you can almost be sure that it contains some form of malware.
  • Their description look more like an advert than a neutral description of features.

If you know a bit about code, I recommend to install my Chrome extension source viewer for reviewing the source code of Chrome extensions before installing it.

Note that the non-existence of adverts is not a guarantee for adware-free extensions. If the extension requests lots of permissions and it is owned by a poor individual, then it has a high likelihood of being compromised (I was offered 10k $ per month for a popular extension with a few hunderd thousand users. I resisted the offer, but I can imagine that many others do not).

To extension authors

If you are contacted by Superfish (or any other ad agency), reject the offer. Bundling adware without the user's consent is forbidden according to the Single Purpose policy.

An extension must have a single purpose that is narrow and easy-to-understand. Do not create an extension that requires users to accept bundles of unrelated functionality, such as an email notifier and a news headline aggregator. If two pieces of functionality are clearly separate, they should be put into two different extensions, and users should have the ability to install and uninstall them separately. For example, functionality that displays product ratings and reviews, but also injects ads into web pages, should not be bundled into a single extension. Similarly, toolbars that provide a broad array of functionality or entry points into services are better delivered as separate extensions, so that users can select the services they want.

Rob W
  • 341,306
  • 83
  • 791
  • 678
0

I had the same problem - spent hours debugging and adding these to .htaccess but didnt work:

AddType application/x-javascript .js
AddType text/css .css 
AddType text/javascript .js
AddType text/css .css
AddType font/ttf .ttf
AddType font/eot .eot
AddType font/otf .otf
AddType application/woff .woff
AddType font/woff .woff
AddType font/opentype .woff
AddType application/x-font-woff .woff
AddType application/vnd.ms-fontobject .eot
AddDefaultCharset UTF-8
Options -Indexes

When I finally found the issue, I realized that while localhost work, the server did not accept the path 

\js\prettyPhoto\js\jquery.prettyPhoto.js

instead of 

\js\prettyphoto\js\jquery.prettyPhoto.js

The CAPITAL p was making all those errors!

George
  • 6,006
  • 6
  • 48
  • 68
0

Do you use the Better History Manager extension? The error disappeared when I was disabled it.

István Ujj-Mészáros
  • 3,228
  • 1
  • 27
  • 46