Stop mobile network proxy from injecting JavaScript

Question

I am using a mobile network based internet connection and the source code is being rewritten when they present the site to the end user.

In the localhost my website

Answer 1

PHP: Header("Cache-Control: no-transform"); Thanks! I'm glad I found this page.

That Injector script was messing up my php page source code making me think I made an error in my php coding when viewing the page source. Even though the script was blocked with firefox NoScript add on. It was still messing up my code. Well, after that irritating dilemma, I wanted to get rid of it completely and not just block it with adblock or noscript firefox add ons or just on my php page.

1. STOP http:// 1.2.3.4 Completely in Firefox: Get the add on: Modify Headers.
2. Go to the modify header add on options... now on the Header Tab.
3. Select Action: Choose ADD.
4. For Header Name type in: cache-control
5. For Header Value type in: no-transform
6. For Comment type in: Block 1.2.3.4
7. Click add... Then click Start.

The 1.2.3.4 script will not be injected into any more pages! yeah!

I no longer see 1.2.3.4 being blocked by NoScript. cause it's not there. yeah.

But I will still add: PHP: Header("Cache-Control: no-transform"); to my php pages.

Answer 2

I'm suprised no one has put this as answer yet. The real solution is:

USE HTTPS!

This is the only way to stop ISPs (or anyone else) from inspecting all your traffic, snooping on your visitors, and modifying your website in flight.

With the advent of Let's Encrypt, getting a certificate is now free and easy. There's really no reason not to use HTTPS in this day and age.

You should also use a combination of redirects and HSTS to keep all of your users on HTTPS.

Answer 3

I added to /etc/hosts

1.2.3.4 localhost

Seems to have fixed it.

Answer 4

You provider might have enabled a Bytemobile Unison feature called "clientless personalization". Try accessing the fixed URL http://1.2.3.50/ups/ - if it's configured, you will end up on a page which will offer you to disable all feature you don't like. Including Javascript injection.

Good luck! Alex.

Answer 5

BMI js it's not only on Vodafone. Verginmedia UK and T-Mobile UK also gives you this extra feature enabled as default and for free. ;-) In T-mobile it's called "Mobile Broadband Accelerator" You can Visit: http://accelerator.t-mobile.co.uk or http://1.2.3.50/ to configure it.

In case the above doesn't apply to you or for some reason it's not an option you could potentially set-up your local proxy (Polipo w/wo Tor) There is also a Firefox addon called "blocksite" or as more drastic approach reset tcp connection to 1.2.3.0/24:80 on your firewall. But unfortunately that wouldn't fix the damage.

Funny enough T-mobile and Verginmedia mobile/broadband support is not aware about this feature! (2011.10.11)

Answer 6

An effective solution that I found was to edit your hosts file (/etc/hosts on Unix/Linux type systems, C:\Windows\System32\drivers\etc on Windows) to have:

null 1.2.3.4

Which effectively maps all requests to 1.2.3.4 to null. Tested with my Crazy Johns (owned by Vofafone) mobile broadband. If your provider uses a different IP address for the injected script, just change it to that IP.