Injecting Javascript before page loads

[ghost]

How would I inject this javascript: alert('INJECTED') into a website being served? Also, can I intercept AJAX/Http requests from the website through the proxy?

Injecting Javascript using response middleware will inject the script for ALL the sites proxied through, right?

[nfriedly]

Yep, take a look at https://github.com/nfriedly/node-unblocker/blob/websockets/lib/client-scripts.js

I had to add that to catch websocket connections and force them to go through the proxy, and I have todo's for XMLHTTPRequest and fetch.

Everything in this section gets wrapped in an IIFE and injected right after the <head> tag:

node-unblocker/lib/client-scripts.js

Lines 15 to 45 in 7c44200

	/* eslint env: browser */
	console.log("begin unblocker client scripts");
	var _WebSocket = WebSocket;
	var host = location.host;
	var isSecure = location.protocol === "https";
	var prefix = "PREFIX";
	// ws:// or wss:// then at least one char for location,
	// then either the end or a path
	reWsUrl = /ws(s?):\/\/([^\/]+)($|\/.*)/;
	window.WebSocket = function(url, protocols) {
	var parsedUrl = url.match(reWsUrl);
	if (parsedUrl) {
	var wsSecure = parsedUrl[1];
	// force downgrade if wss:// is called on insecure page
	// (in case the proxy only supports http)
	var wsProto = isSecure ? "ws" + wsSecure + "://" : "ws://";
	var wsHost = parsedUrl[2];
	var wsPath = parsedUrl[3];
	if (wsHost === host) {
	// let the server figure out the path
	// todo: get the remote host and fix this
	return new _WebSocket(wsProto + wsHost + wsPath, protocols);
	}
	// prefix the websocket with the proxy server
	return new _WebSocket(
	wsProto + host + prefix + "http" + wsSecure + "://" + wsHost + wsPath
	);
	}
	// fallback in case the regex failed
	return new _WebSocket(url, protocols);
	};

Note that websockets always require a complete url (including the domain), which would bypass the proxy without this, but XMLHttpRequest and fetch allow for relative URLs which would go to the proxy and just work (sometimes).

[ghost]

Is it possible to add scripts as a configuration option? Would I put the function I want to inject into the response middleware as a string or something?

[nfriedly]

Yeah, that's fine. I'll probably make some changes to it, but not tonight.

…

On Wed, Apr 15, 2020, 5:09 PM Noah Gerard ***@***.***> wrote: Interesting. Would you mind if I made a PR request for adding scripts to this list through the code? Maybe something that could be added as a configuration option? — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#138 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAA4CIBHASLIQAZUUPB2OU3RMYO7HANCNFSM4MIFA62A> .