You don't watch ads during development? That won't do

We have lived to see it. I had approximately the same reaction when an advertisement popped up on top of a local project on localhost. Here it is:

image

So it was high time. What am I allowing myself? I use the browser, but I don't watch ads everywhere.

Apparently some Chrome plugin was hacked. It happens; I need to find which one, write to the developers and remove it.

There is an image from the ad, so let's see in the developer tools what loads it. We find some suspicious script with obvious attempts at obfuscation. It, in turn, is loaded by another one. In the end, we arrive at

image

Google Maps? Seriously? No, we still need to look for the problem somewhere closer.

Okay, open maps.google.com/maps-api-v3/api/js/39/10/util.js in a browser.

All OK. We reload it a couple of times and here it is: a redirect to r.analytic.press.

image

I did a mini statistical study. Roughly one time out of 5 I get a redirect.
Maybe the provider is messing something up? Let's try connecting via mobile Internet. Not reproduced, although there were more than 20 attempts.

And what if we connect a mobile device to the local network? Reproduced. So we discard the option of a virus on the computer; obviously we need to look somewhere in the local network or at the provider.

Let's try to google it. Hm, I'm not alone. And all of us are united by the provider and the Siberian region.

Still, I want to make sure that there are no internal network problems. We disconnect everything and look for a device that can be connected directly to the provider's equipment.

Reproduced!

We write a message to support and get the answer that everything will be fixed soon.

In the meantime, let's try other URLs. Any JS script loaded over http (logically) that really exists, i.e. returns a 200 response, gets replaced.

It is still very interesting at which point the hack happened. Either it is the provider's device installed at my place, which is not so interesting, or it is somewhere further along. And I have no ideas how to find out.

And what was the problem on the project?

In the project, you must explicitly specify https when loading third-party resources, rather than use a relative URL without a scheme, as in <script src="//maps.google.com/...">. This has long been an antipattern. Of course, provided that we do not need to support IE 7 ;)
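
A build-time check for the fix described above, as an added example that is not code from the original post: it parses a page and reports every script, stylesheet, image or iframe loaded through a scheme-relative or plain http URL, together with the https replacement. The hosts in the sample page and the names `audit`, `classify` and `to_https` are assumptions made for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute that loads a sub-resource (a subset chosen for this example).
URL_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

def classify(url):
    """Return why a URL can travel in cleartext, or None if it cannot."""
    if url.startswith("//"):
        return "scheme-relative"  # becomes http:// whenever the page itself is on http
    if urlsplit(url).scheme == "http":  # urlsplit lowercases the scheme
        return "http"
    return None  # https, data:, or a same-origin relative path

def to_https(url):
    """Suggested replacement with the scheme pinned to https."""
    return "https:" + url if url.startswith("//") else "https" + url[4:]

class ResourceAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = (attrs.get(URL_ATTRS.get(tag, "")) or "").strip()
        # This example audits <link> only for rel=stylesheet; canonical is not a load.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        kind = classify(url)
        if kind:
            self.findings.append((self.getpos()[0], tag, kind, url, to_https(url)))

def audit(html):
    """Return (line, tag, kind, url, https_url) for every exposed load."""
    parser = ResourceAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; the hosts are placeholders, not taken from the article.
SAMPLE = """<html><head>
<script src="//maps.example.com/api/js"></script>
<script src="http://cdn.example.com/lib.js"></script>
<script src="https://cdn.example.com/ok.js"></script>
<script src="/static/app.js"></script>
<link rel="stylesheet" href="//cdn.example.com/site.css">
<link rel="canonical" href="http://example.com/">
</head></html>"""

if __name__ == "__main__":
    for line, tag, kind, url, fixed in audit(SAMPLE):
        print(f"line {line}: <{tag}> {kind} {url} -> {fixed}")
```

Same-origin relative paths such as /static/app.js are deliberately not flagged: they follow the scheme of the page that includes them, so they are covered by serving the page itself over https.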
