[squid-users] Inject a banner on a couple of sites
Eliezer Croitoru
eliezer at ngtech.co.il
Fri Feb 5 20:46:01 UTC 2016
On 05/02/2016 22:15, Alex Rousskov wrote:
> On 02/05/2016 02:58 AM, Travel Factory S.r.l. wrote:
>
>> I need to inject some javascript to show some warnings to my users when
>> they access a couple of external web sites.
>>
>> Is it possible to use squid for this, perhaps together with an icap server?
> As Eliezer has answered already, yes, this is possible with ICAP or
> eCAP. Eliezer's answer focused on security implications that are probably
> irrelevant to you (since you are the one doing the injection).
And if I may add, the information might be irrelevant not only for this
post but also for many of the Squid users\admins.
I was really too unclear about why I am mentioning the video so...
The reason for that is that the implementation which is explained in the
video contains very basic helpful information on one way (injecting the
JS before the closing </body> tag) that the JS can be injected into the
page.
There are a couple of other ways, such as injecting any form of <script> or
<link> tags after the <head> tag of the HTML page.
If the HTML is not huge or complex, or the link is not too slow, it
would be better to implement the injection in another way than "in
transit" or "in pass-thru", and do it in a couple of steps:
- validate\find size and basic object mime type (not a must)
- download the whole html response
- validate that the content can be injected (maybe even add some debug
  for special cases that you will be interested in investigating)
- find the right spot to inject and inject (concatenating the two ends of
  the page strings)
- send the injected response to the client
And I must admit that I have seen more than one use of some variation of
the above method being used to provide some protection on information on
HTML pages; the latest I have seen is CloudFlare "mailto" and "href" JS
replacement scripts, which mask the real email or link address from
"non-smart" robots that scan the net for attack victims.
All The Bests,
Eliezer Croitoru
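
The buffered, step-by-step injection described in the message above, as an added example that is not part of the original post or of Squid. It assumes the adaptation service (ICAP/eCAP) has already collected the complete response body; the function name, the size cap and the banner URL are hypothetical.

```python
import re

MAX_BODY = 2 * 1024 * 1024  # assumed cap on what we are willing to buffer
# Placeholder script URL, constructed for this example.
BANNER = b'<script src="https://proxy.example.internal/warn.js"></script>'

_BODY_CLOSE = re.compile(rb"</body\s*>", re.IGNORECASE)
_HEAD_OPEN = re.compile(rb"<head(\s[^>]*)?>", re.IGNORECASE)

# Constructed sample response, not captured traffic.
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8", "Content-Length": "48"}
SAMPLE_BODY = b"<html><head></head><body><p>hi</p></BODY></html>"


def inject_banner(headers, body, snippet=BANNER, max_body=MAX_BODY):
    """Return (headers, body, reason); the response is untouched unless
    reason == 'injected'. `body` is the fully downloaded response body."""
    h = {k.lower(): v for k, v in headers.items()}
    # Validate size and basic MIME type.
    mime = h.get("content-type", "").split(";")[0].strip().lower()
    if mime != "text/html":
        return headers, body, "not-html"
    if len(body) > max_body:
        return headers, body, "too-large"
    # Validate that the content can be injected: a compressed body would
    # have to be decoded first, so this example passes it through unchanged.
    if h.get("content-encoding", "identity").strip().lower() != "identity":
        return headers, body, "encoded"
    # Find the spot: the last </body>, else right after the <head> tag.
    closes = list(_BODY_CLOSE.finditer(body))
    if closes:
        pos = closes[-1].start()
    else:
        m = _HEAD_OPEN.search(body)
        if not m:
            return headers, body, "no-anchor"  # log these for investigation
        pos = m.end()
    # Inject by concatenating the two ends of the page around the snippet.
    new_body = body[:pos] + snippet + body[pos:]
    # The body grew, so Content-Length must be rewritten before sending.
    new_headers = {k: v for k, v in headers.items() if k.lower() != "content-length"}
    new_headers["Content-Length"] = str(len(new_body))
    return new_headers, new_body, "injected"
```

The returned reason string is meant for the debug logging mentioned in the steps, so pages that could not be modified can be reviewed later.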