Using HTTPS may not be able to solve the problem completely either.  A lot of 
companies, and now apparently ISPs, do a man in the middle certificate and have 
access to the whole encrypted stream.  Companies do it to ensure that their 
work product isn't being exfiltrated, ISPs seem to do it for advertising.  
There are ways to verify your direct connection to a server, but they require 
diligence on the part of the browser user.

I was thinking at first that you could generate a hash of the page being sent 
and append it in HTTP headers and then use JavaScript to hash the DOM and 
compare it, but I don't think that would work because of add-ins like LastPass 
that inject JavaScript that the user wants.

Just throwing ideas out there. :)


-----Original Message-----
From: UXB Internet [mailto:[email protected]] 
Sent: Tuesday, March 03, 2015 9:23 AM
To: cf-talk
Subject: RE: (ot) JavaScript detecting foreign scripts


>>  I agree with you that Comcast should die in a fire,

So I'm not crazy then.  I have to wonder sometimes.

>>  I like Jochem's solution, of which I was unaware, but still 
>> recommend you use  HTTPS.

Actually I can also prevent it by switching to a different/newer ad type
with a different script but that wasn't the goal for this request.  The goal
was to collect data on where (the IP) the script was being injected.
Stopping it with a technical solution is an arms race.


Dennis Powers
UXB Internet - A website Design and Hosting Company 
P.O. Box 6028, Wolcott, CT 06716 - T:203-879-2844
W: http://www.uxbinternet.com
W: http://www.ctbusinesslist.com


>  -----Original Message-----
>  From: Dave Watts [mailto:[email protected]]
>  Sent: Tuesday, March 3, 2015 8:08 AM
>  To: cf-talk
>  Subject: Re: (ot) JavaScript detecting foreign scripts
>  
>  
>  > >  Second, if you use TLS (SSL) exclusively, you should be able to
>  > > prevent this.
>  >
>  > I tested for this and yes it does prevent it.  However that is not
>  > actually the point.  The point is much bigger than the pennies they
>  > stole from my website's ad revenue.  Maybe I am the only one but to me
>  > this practice, replacing the content of a webpage with their own
>  > content, is a heinous affront to the idea of an open Internet.
>  >
>  > Maybe I am going off the rails here but isn't this exactly what the
>  > Net Neutrality fight was all about? Not fast lanes and slow lanes but
>  > data integrity!
>  >
>  > Thanks for the pointer on the JS code I will look into it and take a
>  > step down off my soapbox.
>  
>  I agree with you that Comcast should die in a fire, but it'll take a while
>  for the FCC to fix that problem I'm sure. In the meantime, rent-seekers
>  gonna rent-seek, I guess.
>  
>  I like Jochem's solution, of which I was unaware, but still recommend you
>  use HTTPS.
>  
>  Dave Watts, CTO, Fig Leaf Software
>  1-202-527-9569
>  http://www.figleaf.com/
>  http://training.figleaf.com/
>  
>  Fig Leaf Software is a Service-Disabled Veteran-Owned Small Business
>  (SDVOSB) on GSA Schedule, and provides the highest caliber vendor-
>  authorized instruction at our training centers, online, or onsite.




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360188
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
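
Added example, not code from anyone in this thread: one way to approach the goal stated above (recording where foreign scripts show up) while setting aside the extension-injected scripts raised in the first message. The function name, the allowlist, the sample hosts and the `/script-report` endpoint are assumptions, and extension scripts are recognized only when they load from an extension URL scheme.

```javascript
// URL schemes browsers use for resources packaged inside an extension.
const EXTENSION_SCHEMES = new Set([
  'chrome-extension:', 'moz-extension:', 'safari-web-extension:',
]);

// scripts: src attribute of every <script> in the page ('' for inline scripts).
//   In a browser: Array.from(document.scripts, s => s.getAttribute('src') || '')
// pageUrl: URL of the page being checked.
// allowedHosts: hosts the site owner deliberately loads scripts from.
function classifyScripts(scripts, pageUrl, allowedHosts) {
  const page = new URL(pageUrl);
  const allowed = new Set([page.host, ...allowedHosts].map(h => h.toLowerCase()));
  const report = { expected: [], extension: [], foreign: [], inline: 0 };
  for (const src of scripts) {
    if (!src) { report.inline += 1; continue; }  // cannot be judged by origin
    let url;
    try {
      url = new URL(src, page);  // resolves relative and protocol-relative src
    } catch (err) {
      report.foreign.push(src);  // unparseable src: report it, do not ignore it
      continue;
    }
    if (EXTENSION_SCHEMES.has(url.protocol)) report.extension.push(url.href);
    else if (allowed.has(url.host.toLowerCase())) report.expected.push(url.href);
    else report.foreign.push(url.href);
  }
  return report;
}

// Constructed sample: two scripts the site serves, one script from an unknown
// host, one extension script and one inline script. All hosts are made up.
const SAMPLE_SCRIPTS = [
  '/js/site.js',
  '//ads.example.net/ad.js',
  'http://injector.example/overlay.js',
  'chrome-extension://abcdefghijklmnop/inject.js',
  '',
];
const sampleReport = classifyScripts(
  SAMPLE_SCRIPTS, 'http://www.example.com/index.cfm', ['ads.example.net']);

// In a browser, only the foreign list would be sent to the site's own logging
// endpoint (hypothetical path), where the server records the client address:
//   if (report.foreign.length) {
//     navigator.sendBeacon('/script-report', JSON.stringify(report.foreign));
//   }
console.log(sampleReport);
```

The inline count is only useful when compared with the number of inline scripts the server itself emitted, since an injected inline script carries no origin to check.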
