15

Some pages aren't correctly received on mobile phones (many of them in France): JavaScript script elements are inlined.

Instead of having

 <script src="static/jquery-2.1.3.min.js"></script>

I have

 <script> ... content of the whole jQuery script ... </script>

As the Content Security Policy header I set forbids inline scripts, modern browsers block the execution of the script.

Is there a way to deal with that other than using HTTPS? Maybe some way to specify the page shouldn't be rewritten by third parties?

Notes:

  • the CSP header isn't enough of a hint for the third party doing the transformation
  • the Cache-Control: no-transform header is ignored as well
  • any answer involving the addition of an inline script isn't an answer, as the goal is to remove all inline scripts for security
  • the problem isn't related to the injection of supplementary scripts (that wouldn't break my site as the browser is instructed not to execute them) but to the inlining of the existing scripts
  • the problem isn't specific to any operator: I'm looking for a (reasonably) general solution
PeeHaa
Denys Séguret
  • Can you show us what you're talking about? This seems a bit vague. Also, you haven't told us what server side language or framework you're using to deliver this content. Are you sure it's a mobile carrier? If so, what makes you sure? What tests did you run to determine this? – George Stocker Feb 19 '15 at 17:43
  • @GeorgeStocker I look at [this page](http://dystroy.org/miaou/login) from various devices. Most of them receive the normal version (and it doesn't seem to be related to user-agent or such things you can easily mock). – Denys Séguret Feb 19 '15 at 17:43
  • Opening that page with desktop Chrome in emulation mode certainly doesn't show any scripts inlined, so it certainly sounds like a proxy/ISP issue. – ssube Feb 19 '15 at 17:49
  • http://stackoverflow.com/questions/4113268/how-to-stop-javascript-injection-from-vodafone-proxy – random Feb 19 '15 at 17:50
  • Do they do this over HTTPS as well? If so, how? – tadman Feb 19 '15 at 18:17
  • @tadman I don't think so. So I guess the solution will be for me to switch my whole site to HTTPS... – Denys Séguret Feb 19 '15 at 18:27
  • It's the only reasonable way to deal with jerks. If they're going to mangle your content, you need to switch to a transport they can't touch. – tadman Feb 19 '15 at 18:32
  • @GeorgeStocker I think I made it clear how it's a different problem now. Note that my question has an answer that wouldn't be an answer to the other question (as it doesn't prevent the injection of other scripts). – Denys Séguret Feb 20 '15 at 07:55
  • 1
    Why avoid using HTTPS? It's the classical scenario that HTTPS solves. MITM. Especially since if they inline your scripts, you can't know for sure they're not injecting maliciousness in them too. – Madara's Ghost Feb 20 '15 at 08:58

2 Answers

6

Not the most elegant solution, but you can always try to trick the ISP into thinking it is not a js resource by changing the file extension (which would probably induce a change in the mime type in the header you send).

Serve the file as jquery.java or some other extension. Again, not the most elegant solution, but as tadman says in the comments, sometimes it isn't easy to deal with jerks.

Denys Séguret
rlemon
0

You asked for solutions that avoid HTTPS, but that's what you should do. Use HTTPS for all of your content and stop letting these "helpful" MITMs mangle it.

Get yourself a free TLS certificate (starting in September 2015).

The currently accepted solution is just playing a game of cat and mouse. If you care about security (which you must to be serving a CSP header) you need to stop this kind of attack, not try to hide it.

anthonyryan1