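I have an HTML5 game built with NW.js that makes a GET request to my website to retrieve a static data file, file.json, which is hosted on Heroku at www.example.com/file.json.
One of my users can navigate to www.example.com/file.json and view the file correctly, but when they open the game, this request returns HTML from another site. Out of more than 100,000 users, they are the first to experience this.
The HTML response the user gets is this: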
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=980,user-scalable=yes,maximum-scale=2.0" />
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<title></title>
<link rel="stylesheet" href="/steal-built/production.css" />
<script src="/js/thirdParty/jquery-1.8.3.min.js"></script>
<script src="/gui/js/jquery-utils.js"></script>
<script src="/gui/js/gui-core.js"></script>
<script src="/gui/js/gui-api.js"></script>
<script src="/js/thirdParty/modernizr.custom.js"></script>
<script src="/js/thirdParty/yepnope.1.5.4-min.js"></script>
<script src="/js/thirdParty/cssua.js"></script>
<script src="/js/thirdParty/moment.js"></script>
<!--noUI slider plugin: http://refreshless.com/nouislider/ -->
<script src="/js/thirdParty/jquery.nouislider.min.js"></script>
<!--jquery sort elements plugin: http://james.padolsey.com/javascript/sorting-elements-with-jquery/ -->
<script src="/js/thirdParty/jquery.sortElements.js"></script>
<!-- datepicker plugin: http://amsul.ca/pickadate.js/ -->
<![if gte IE 9]>
<script src="/js/thirdParty/pickadate.min.js"></script>
<![endif]>
<!-- datepicker: legacy for older browsers -->
<!--[if lte IE 8]>
<script src="/js/thirdParty/pickadate.legacy.js"></script>
<![endif]-->
<!-- jQuery plugin for parsing CSV file format: https://code.google.com/p/jquery-csv/ -->
<script src="/js/thirdParty/jquery.csv-0.71.min.js"></script>
<!-- MD5 encryption library -->
<script src="/js/thirdParty/md5.js"></script>
<!--ie polyfill for console.log and related -->
<script src="/js/modemUI/console-polyfill.js"></script>
<script src="/js/thirdParty/dust-full-0.3.0.js"></script>
<script src="/js/thirdParty/dust-helpers-1.1.1.js"></script>
<script src="/js/thirdParty/raphael.js"></script>
<!-- For calculating subnet masks https://github.com/franksrevenge/IPSubnetCalculator -->
<script src="/js/thirdParty/IPSubnetCalculator.js"></script>
</head>
<body>
<!--div that is used to identify if the user's browser is (likely) a mobile device. Will be hidden by css, then examined with js-->
<div id="div-is-smartphone"></div>
<div id="root-view"></div>
<!-- IE6 specific style here in case javascript disabled -->
<!--[if lte IE 6]><style type="text/css">#init-screen {position: absolute; height: 480px;}</style><![endif]-->
<!-- if we have no javascript, hide activity-indicator -->
<noscript><style type="text/css">#init-screen .activity-indicator{display: none}</style></noscript>
<div id="init-screen">
<div class="middle">
<div class="icon"></div>
<div class="title"></div>
<div class="activity-indicator"></div>
<div class="error-message">
<noscript>No javascript / Javascript absent</noscript>
</div>
</div>
<div class="logo"></div>
</div>
<div id="init-log" style="display: none;">
<div class="header">
<span class="close">x</span>
<span class="title">Initialization Log</span>
</div>
<div class="content">
<table></table>
</div>
</div>
<script src="/steal/steal.production.js?steal-built/production.js"></script>
</body>
</html>
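Again, there is no chance this was served from my website. Could the user be affected by malware? They say they haven't messed with any configuration files in Windows, but I'm skeptical. I checked their request headers and everything looks normal.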
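A client-side check for the situation described in the question, as an added example that is not part of the original post: the game validates that what came back for file.json is JSON from the expected host before using it, and reports what was wrong otherwise. The names `classifyResponse`, `fetchGameData`, `GOOD` and `INTERCEPTED` are hypothetical, and the `http://` scheme, the `Content-Type` values and the JSON payload are assumptions.

```javascript
// Added example: classify a response that should be file.json from our own host.
const EXPECTED_HOST = "www.example.com"; // host named in the post

function classifyResponse(res, expectedHost = EXPECTED_HOST) {
  const problems = [];
  try {
    if (new URL(res.finalUrl).hostname !== expectedHost) problems.push("unexpected-host");
  } catch (e) {
    problems.push("unparseable-final-url");
  }
  if (res.status !== 200) problems.push("unexpected-status");
  // Assumption: the server labels file.json as application/json.
  const type = String(res.contentType || "").split(";")[0].trim().toLowerCase();
  if (type !== "application/json") problems.push("unexpected-content-type");
  const body = String(res.body || "").replace(/^\uFEFF/, "").trimStart();
  let data = null;
  if (body.startsWith("<")) {
    problems.push("body-is-markup"); // an HTML page, not game data
  } else {
    try { data = JSON.parse(body); } catch (e) { problems.push("invalid-json"); }
  }
  return { ok: problems.length === 0, problems, data: problems.length === 0 ? data : null };
}

// Network wrapper for the game client (fetch is available in NW.js and Node 18+).
async function fetchGameData(url) {
  const r = await fetch(url, { cache: "no-store" });
  const verdict = classifyResponse({
    status: r.status, finalUrl: r.url,
    contentType: r.headers.get("content-type"), body: await r.text(),
  });
  if (!verdict.ok) throw new Error("file.json rejected: " + verdict.problems.join(","));
  return verdict.data;
}

// Constructed samples: a valid reply, and the first lines of the HTML quoted in the post
// (status, scheme and Content-Type are assumed).
const GOOD = { status: 200, finalUrl: "http://www.example.com/file.json",
  contentType: "application/json; charset=utf-8", body: '{"levels":[1,2,3]}' };
const INTERCEPTED = { status: 200, finalUrl: "http://www.example.com/file.json",
  contentType: "text/html", body: '<html>\n<head>\n<meta charset="utf-8">\n<title></title>' };

console.log(classifyResponse(GOOD));
console.log(classifyResponse(INTERCEPTED).problems);
```

Logging `problems` together with the first bytes of a rejected body gives support a fingerprint of whatever answered in place of the server.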