How do we remove this script injection system from memory and strip out its functionality?
Brief) Recently, some malefactors at Bigcommerce created an analytics injector (JS) under the guise of "monitoring". It is locked inside a global variable. Without any OP's consent, they have pushed it to all 50,000 front-facing stores. It drops in 2 JS libraries and sets (plain-code) triggers to track customers, behaviour and store plans and feed that data into their shared third-party analytics bucket. The problem is that while they run the code, they have no right to drop a third-party library like this into thousands of domains outside their own. Does anyone have ideas on how to kill this + remove it from memory? Is this even legal for them?
1) The injector lives in the shared global %%GLOBAL_AdditionalScriptTags%% in the HTMLHead.html panel, which means it is not accessible. AdditionalScriptTags is also dynamic, meaning it loads different JS helpers depending on the page requested. For that reason, removing the variable is not an option.
2) The injector uses various DSL variables on the PHP side to build its settings. This is what it looks like in the <head> when I browse our store logged in as a customer. It drops 2 lines for 2 separate libraries, which I define below (note that some tokens are masked as 1234):
(function(){
  window.analytics || (window.analytics = []);
  window.analytics.methods = ["debug","identify","track","trackLink","trackForm","trackClick","trackSubmit","page","pageview","ab","alias","ready","group","on","once","off","initialize"];
  window.analytics.factory = function(a){
    return function(){
      var b = Array.prototype.slice.call(arguments);
      return b.unshift(a), window.analytics.push(b), window.analytics;
    };
  };
  for (var i = 0; i < window.analytics.methods.length; i++) {
    var method = window.analytics.methods[i];
    window.analytics[method] = window.analytics.factory(method);
  }
  window.analytics.load = function(){
    var a = document.createElement("script");
    a.type = "text/javascript";
    a.async = !0;
    a.src = "http://cdn2.bigcommerce.com/r6cb05f0157ab6c6a38c325c12cfb4eb064cc3d6f/app/assets/js/analytics.min.js";
    var b = document.getElementsByTagName("script")[0];
    b.parentNode.insertBefore(a, b);
  };
  window.analytics.SNIPPET_VERSION = "2.0.8";
  window.analytics.load();
  // uncomment the following line to turn analytics.js debugging on
  // shows verbose events and other useful information
  // analytics.debug();
  var storeId = '123456',
      userId = '921';
  // initialize with Fornax and Segment.io
  var providers = {
    Fornax: {
      host: 'https://analytics.bigcommerce.com',
      cdn: 'http://cdn2.bigcommerce.com/r6cb05f0157ab6c6a38c325c12cfb4eb064cc3d6f/app/assets/js/fornax.min.js',
      defaultEventProperties: {
        storeId: storeId
      }
    },
    'Segment.io': {
      apiKey: '1sbkkbifdq'
    }
  };
  var fornaxEnabled = false;
  var segmentIOEnabled = false;
  var isStorefront = true;
  if (!fornaxEnabled) {
    delete providers.Fornax;
  }
  if (!segmentIOEnabled || isStorefront) {
    delete providers['Segment.io'];
  }
  analytics.initialize(providers);
  // identify this user
  analytics.identify(
    userId || null,
    {"name":"Test Dude","email":"test@test.com","storeHash":"123456","storeId":123456,"namespace":"bc.customers","storeCountry":"United States","experiments":{"shopping.checkout.cart_to_paid":"legacy_ui","search.storefront.backend":"mysql"},"storefront_session_id":"6b546880d5c34eec4194b5825145ad60d312bdfe"}
  );
})();
3) The output libraries show up in the <head> as 2 references, which look untouchable if you own/demo a BC store:
<script type="text/javascript" async="" src="http://cdn2.bigcommerce.com/r6cb05f0157ab6c6a38c325c12cfb4eb064cc3d6f/app/assets/js/fornax.min.js"></script>
<script type="text/javascript" async="" src="http://cdn2.bigcommerce.com/r6cb05f0157ab6c6a38c325c12cfb4eb064cc3d6f/app/assets/js/analytics.min.js"></script>
How do we break the injector and these trackers and stop them from loading? Is there a way to remove their functions from memory? Speaking here on behalf of thousands of OPs and segment.io, we are all ashamed of this.
Answer 0 (score: 2)
Based on the question I linked, to at least remove the scripts from step 3, this is what you should do:
var xhr = new XMLHttpRequest,
    content,
    doc,
    scripts;
xhr.open("GET", document.URL, false);
xhr.send(null);
content = xhr.responseText;
doc = document.implementation.createHTMLDocument("" + (document.title || ""));
doc.open();
doc.write(content);
doc.close();
scripts = doc.getElementsByTagName("script");
// Modify scripts as you please
[].forEach.call(scripts, function(script) {
  if (script.getAttribute("src") == "http://cdn2.bigcommerce.com/r6cb05f0157ab6c6a38c325c12cfb4eb064cc3d6f/app/assets/js/fornax.min.js"
      || script.getAttribute("src") == "http://cdn2.bigcommerce.com/r6cb05f0157ab6c6a38c325c12cfb4eb064cc3d6f/app/assets/js/analytics.min.js") {
    script.removeAttribute("src");
  }
});
// Doing this will activate all the modified scripts and the "old page" will be gone as the document is replaced
document.replaceChild(document.importNode(doc.documentElement, true), document.documentElement);
You have to make sure this is the first thing that runs, otherwise the other scripts can execute.
Answer 1 (score: 2)
I have been hacking on this too, and I found something that disables most/all of the functionality pretty well.
Before this:
%%GLOBAL_AdditionalScriptTags%%
put this code:
<script type="text/javascript">
window.bcanalytics = function () {};
</script>
So you end up with something like this:
%%GLOBAL_AdditionalScriptTags%%
<script type="text/javascript">
window.bcanalytics = function () {};
</script>
The <script> code from part 3 of the question still loads, because it is always pre-populated before the first non-commented <script> tag, but most (if not all) of the analytics functionality breaks, including the external calls, and even fornax.js does not load. Hope this helps.
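Added example, not code from the question, from either answer, or from BigCommerce: it takes the idea in answer 1 (define the global before %%GLOBAL_AdditionalScriptTags%% runs) and applies it to the snippet shown in step 2, whose global is `window.analytics` and which begins with `window.analytics || (window.analytics = [])`. A Proxy installed under that name keeps the existing value, absorbs every property assignment the snippet makes (including `load`, so the `<script>` for analytics.min.js is never created) and records `initialize`/`identify` calls locally instead of queueing them for the tracker. `installAnalyticsSink`, `runInjectedSnippet`, `makeFakeDocument`, `demo` and the `.invalid` URLs are my own names and constructed values; `runInjectedSnippet` is a reduced model of the snippet's steps so the effect can be checked outside a browser, not the snippet itself.

```javascript
// Install a sink under the global name the injected snippet expects.
// `calls` receives {method, args} for every method the snippet invokes.
function installAnalyticsSink(win, calls) {
  const sink = new Proxy({}, {
    get(_target, prop) {
      if (typeof prop === 'symbol') return undefined; // Symbol.toPrimitive etc.
      if (prop === 'methods') return [];              // the snippet's method loop runs zero times
      if (prop === 'push') return () => 0;            // queued calls are dropped
      // Any other name (load, initialize, identify, track, ...) is a recorder
      // that logs the call and returns the sink so chained calls still work.
      return (...args) => { calls.push({ method: String(prop), args }); return sink; };
    },
    // Returning true makes `window.analytics.x = ...` a silent no-op even
    // under strict mode; the original load()/factory are never stored.
    set() { return true; },
  });
  // Accessor on the global object: reads yield the sink, writes are ignored
  // without throwing, and configurable:false stops later redefinition.
  Object.defineProperty(win, 'analytics', {
    get: () => sink, set() {}, configurable: false, enumerable: true,
  });
  return sink;
}

// Reduced model of the step-2 snippet: same global, same order of operations
// (queue array, method stubs, load(), initialize(), identify()).
// Hostnames are placeholders (.invalid), not the ones from the page.
function runInjectedSnippet(win, doc) {
  win.analytics || (win.analytics = []);
  win.analytics.methods = ['identify', 'track', 'page', 'initialize'];
  win.analytics.factory = function (name) {
    return function () {
      var args = Array.prototype.slice.call(arguments);
      args.unshift(name);
      win.analytics.push(args);
      return win.analytics;
    };
  };
  for (var i = 0; i < win.analytics.methods.length; i++) {
    var m = win.analytics.methods[i];
    win.analytics[m] = win.analytics.factory(m);
  }
  win.analytics.load = function () {
    var s = doc.createElement('script');
    s.src = 'http://cdn.example.invalid/analytics.min.js'; // constructed placeholder
    doc.head.appendChild(s);
  };
  win.analytics.load();
  win.analytics.initialize({ Fornax: { host: 'https://analytics.example.invalid' } });
  win.analytics.identify('921', { email: 'test@test.com', storeId: 123456 });
}

// Minimal stand-in for `document`, just enough to count created <script> tags.
function makeFakeDocument() {
  const created = [];
  return {
    created,
    createElement(tag) { const el = { tagName: tag.toUpperCase() }; created.push(el); return el; },
    head: { appendChild(el) { el.attached = true; return el; } },
  };
}

// Run the modelled snippet against a fresh fake window, with or without the sink.
function demo(withSink) {
  const win = {};
  const doc = makeFakeDocument();
  const calls = [];
  if (withSink) installAnalyticsSink(win, calls);
  runInjectedSnippet(win, doc);
  return {
    scriptTagsCreated: doc.created.length,                       // 1 without the sink, 0 with it
    queued: Array.isArray(win.analytics) ? win.analytics.length : 0, // tracker queue entries
    recorded: calls.map((c) => c.method),                        // what the sink intercepted
  };
}

console.log('without sink:', demo(false));
console.log('with sink:   ', demo(true));
```

For an actual storefront only the `installAnalyticsSink(window, [])` call matters, placed in a `<script>` ahead of %%GLOBAL_AdditionalScriptTags%% the way answer 1 positions its stub; the fake document and `demo` exist to show the effect offline. This handles what the step-2 snippet does itself; the two `<script src=...>` tags from step 3 are separate markup and still download, and whether those libraries stay idle without an `initialize` call depends on their code, which is not on the page. After deploying, the check is the browser's Network panel: no requests to analytics.bigcommerce.com or for analytics.min.js should appear on a customer page view.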