Closed crocodele closed 9 years ago
You could pass a beforeWrite in the options and return an empty string if you're on a https page and trying to write an http script. https://github.com/krux/postscribe/blob/master/postscribe.js#L24
Using beforeWrite feels a little hacky as it would lead to regexing the string for HTTP sources (scripts, imgs, iframes, ...) and removing them or replacing them with something else. There are so many ways to either miss or break something when regexing HTML strings.
I'm currently playing with the token handlers in handleScriptToken and buildChunk, leaving out tokens from insecure sources. Perhaps this could be added as an option if it works reliably and passes all tests?
I'd like it if we added token to the callback signature of beforeWrite, so it's easier to make these sorts of decisions by client programmers.
Fixed by #89
Scenario:
Due to script B being loaded over http, modern browsers emit errors like:
The problem is only Firefox is able to recover from this scenario, provided Postscribe is called with an error handler. The other browsers I've tested (Chrome, IE9-11) won't finish writing the rest of script A's contents, and nothing is written to the page on subsequent Postscribe calls either. Only Firefox calls a provided done handler.
Chrome also gives another error message: "Bad script nesting or script finished twice", suggesting the success/failure load handlers for script A and script B are called in an unexpected order.
IE fails with error "SCRIPT16388: Operation aborted" on line 881 (el.setAttribute(name, value);).
What can we do to make Postscribe fail gracefully in a situation like this?
(Sorry for lack of fiddle - I can't seem to find a fiddle service with SSL.)
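The beforeWrite suggestion from the comments, as an added example that is not Postscribe's code or any commenter's: on an https page it drops a whole write when any src attribute points at a plain-http URL. makeMixedContentFilter and findInsecureSources are hypothetical names, the b.example URLs are constructed, and the check has the limits the second comment describes (entity-encoded values and tags split across writes are not handled).

```javascript
// Added example. Function names are hypothetical; only the beforeWrite
// option (a callback that returns the string to write) comes from the thread.

// src attribute values: double-quoted, single-quoted or unquoted.
// href is ignored on purpose: a link to an http page is navigation,
// not a subresource load, so it does not trigger mixed-content blocking.
const SRC_ATTR = /(?:^|[\s"'\/])src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;

// Return every src value in `html` that resolves to a plain-http URL.
function findInsecureSources(html) {
  const found = [];
  for (const m of html.matchAll(SRC_ATTR)) {
    const raw = m[1] || m[2] || m[3] || '';
    // Browsers drop tabs/newlines and leading control characters or spaces
    // before parsing a URL, so normalise the same way before testing.
    const url = raw.replace(/[\t\n\r]/g, '').replace(/^[\x00-\x20]+/, '');
    if (/^http:/i.test(url)) found.push(url);
  }
  return found;
}

// Build a beforeWrite callback. On an https page, a write that references
// an http source is replaced by '' (fail closed) and reported to onBlocked.
function makeMixedContentFilter(pageProtocol, onBlocked) {
  return function beforeWrite(html) {
    if (pageProtocol !== 'https:') return html;
    const insecure = findInsecureSources(html);
    if (insecure.length === 0) return html;
    if (onBlocked) onBlocked(insecure);
    return '';
  };
}

// Browser wiring (assumed element id and variable name):
//   postscribe('#slot', adHtml, {
//     beforeWrite: makeMixedContentFilter(location.protocol, console.warn)
//   });

// Constructed sample writes, run through the filter as an https page would.
const blockedLog = [];
const httpsFilter = makeMixedContentFilter('https:', (u) => blockedLog.push(...u));
const results = [
  '<script src="http://b.example/b.js"></script>',
  '<script src="https://b.example/b.js"></script>',
  "<img src = ' HTTP://b.example/p.gif'>",
  '<iframe src=//b.example/f.html></iframe>',
].map(httpsFilter);
```

Dropping the whole write avoids rewriting markup with a regex, at the cost of also discarding any secure content in the same string.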