help-librejs
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Help-librejs] Should LibreJS be allowed to change contents of http

From: Tony França
Subject: Re: [Help-librejs] Should LibreJS be allowed to change contents of http requests?
Date: Wed, 29 Oct 2014 00:19:31 -0200
I'm not sure I understand everything you said, but what about AJAX calls that return JSON responses? 
Shouldn't librejs leave those responses unchanged?

In the tests I'm doing, librejs is changing those responses as well - which of course break the application.

From where I'm looking this seems like a deal breaker :(

Cheers
Tony

On Tue, Oct 21, 2014 at 11:33 AM, Loic J. Duros <address@hidden> wrote:
Tony França <address@hidden> writes:

> Please look at those two screenshots of firefox opening the same static file
> with and without librejs enabled.
>
> They are rendered in the same way in both cases, but when you look under the
> hood, in the network tab, you can see that with LibreJS enabled, the response
> it "got from the server" misteriously gets a <html>, a <head> and a <body>
> elements - which just don't exist on the original file.
>
> This may not be a problem if you're opening the files on the browser like I
> did on the screenshots, but it breaks when you load those files inside ajax
> calls and use them as AngularJS templates.
>
> I think librejs shouldn't be allowed to change contents like that.

Hi,

Thought I'd bring a bit of background on this issue.

LibreJS intercepts http responses, parses the contents of the response
and then analyzes the scripts that are directly embedded in the HTML,
those that are external, as well as the js attributes (events etc) in
HTML elements. It then modifies the DOM and serializes it again. That's
probably why you see the structure of the HTML has been modified
(corrected, really) like this.

The reason we opted for this method in the first place (prior to Nik
taking over) is because there is no way to prevent each script
(especially those that are in element attributes) from running unless we
catch the response before it gets parsed/rendered by
Firefox/IceCat/Abrowser. There's a way to prevent the execution of both
external and embedded scripts (using beforescriptexecute) without
intercepting the response as we do, but there is no way to prevent
attribute scripts from executing unless we parse/modify the contents of
the responses.

I think it would be possible to keep the unadulterated response and
only replace the elements modified by LibreJS, but it would take a fair
amount of work.

Loic

reply via email to
[Prev in Thread] Current Thread [Next in Thread]