krux / postscribe

Asynchronously write javascript, even with document.write.
MIT License

Fails to recover when trying to write nested non-SSL content on SSL site #87

Closed crocodele closed 9 years ago

crocodele commented 9 years ago

Scenario:

Due to script B being loaded over http, modern browsers emit errors like:

The problem is only Firefox is able to recover from this scenario, provided Postscribe is called with an error handler. The other browsers I've tested (Chrome, IE9-11) won't finish writing the rest of script A's contents, and nothing is written to the page on subsequent Postscribe calls either. Only Firefox calls a provided done handler.

Chrome also gives another error message: "Bad script nesting or script finished twice", suggesting the success/failure load handlers for script A and script B are called in an unexpected order.

IE fails with error "SCRIPT16388: Operation aborted" on line 881 (el.setAttribute(name, value);).

What can we do to make Postscribe fail gracefully in a situation like this?

(Sorry for lack of fiddle - I can't seem to find a fiddle service with SSL.)

jnewman commented 9 years ago

You could pass a beforeWrite in the options and return an empty string if you're on an https page and trying to write an http script. https://github.com/krux/postscribe/blob/master/postscribe.js#L24

crocodele commented 9 years ago

Using beforeWrite feels a little hacky as it would lead to regexing the string for HTTP sources (scripts, imgs, iframes, ...) and removing them or replacing them with something else. There are so many ways to either miss or break something when regexing HTML strings.

I'm currently playing with the token handlers in handleScriptToken and buildChunk, leaving out tokens from insecure sources. Perhaps this could be added as an option if it works reliably and passes all tests?

jnewman commented 9 years ago

I'd like it if we added token to the callback signature of beforeWrite, so it's easier to make these sorts of decisions by client programmers.

jnewman commented 9 years ago

Fixed by #89
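
The token-level filtering discussed in this thread, as an added example that is not postscribe's own code and not from any commenter. It assumes a hypothetical token shape `{ tagName, attrs }` and hypothetical function names, and resolves each URL with the standard `URL` parser instead of regexing the HTML string.

```javascript
// Added example. The token shape { tagName, attrs } is an assumption,
// not postscribe's documented API.

// Attributes that cause a network fetch, per tag name.
const URL_ATTRS = {
  script: ['src'],
  iframe: ['src'],
  img: ['src'],
  embed: ['src'],
  link: ['href'],
  object: ['data'],
};

// True when rawUrl, resolved against the page URL, would be fetched over
// plain HTTP from an HTTPS page. The URL parser handles cases a regex tends
// to miss: upper-case schemes, leading whitespace, protocol-relative URLs.
function isInsecureOnSecurePage(rawUrl, pageUrl) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') return false;
  try {
    return new URL(String(rawUrl), page).protocol === 'http:';
  } catch (e) {
    return true; // unparsable URL on a secure page: fail closed
  }
}

// Returns the token unchanged, or null when it must not be written.
function filterToken(tok, pageUrl) {
  const tag = String(tok.tagName || '').toLowerCase();
  const urlAttrs = URL_ATTRS[tag] || [];
  const attrs = tok.attrs || {};
  for (const name of Object.keys(attrs)) {
    if (urlAttrs.includes(name.toLowerCase()) &&
        isInsecureOnSecurePage(attrs[name], pageUrl)) {
      return null;
    }
  }
  return tok;
}

// Drops every insecure token from a token stream, keeping the rest in order.
function filterTokens(tokens, pageUrl) {
  return tokens.filter((tok) => filterToken(tok, pageUrl) !== null);
}
```
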