On Sat, 15 Aug 2020 11:28:24 +0200, Deloptes wrote:

> It is not an injection. The server can not inject anything in clients
> HTML unless there is something in the HTML that would pull the
> "injection" and this is most likely the JavaScript code.
>
Disagree. A server extension can do almost anything it wants to an HTML
page before it is sent including, but not limited to, fiddling with CSS
settings and adding Javascript, PHP, links and text to the page the
server is about to send.

Try reading the manual for one of the web servers: Apache, Ngnx, etc. Pay
attention to their possible extensions. You may be surprised at what's
possible. And, while you're at it, take a look at what PHP and Javascript
can do if run server-side.

Since all this can be done in the server, you need to know what the page
looked like before it was selected for transmission in order to know if
it has been modified by the server.

I run the Apache HTML server to serve reference material, etc on my LAN.

> Statements like yours confused me in the beginning. AFAIK the Web is
> still request/response based, so something is doing the request and
> getting the response on your client PC.
>
Yes, but you're assuming on zero evidence that a web page as sent is
identical to what the HTML server read from disk.

While that's true for most personal websites, it isn't the case for pages
sent by internet search engines, online shops, banks and Wikipedia (their
periodic appeals for donations are certainly not part of the page as
stored in the data centre). Pages sent by these sites are built or
modified on demand by code running in the web server or in an application
process that the web server calls to build the page.

> I guess it would be a piece of code inside the browser that
> is requesting the information from the server and displaying
> notification if you have opted in.

No sir. A browser ONLY displays information contained in the page it was
sent by the HTML server. If the page contains HTML tags that reference
external items such as images and videos, these are read and displayed
where they appear in the page. If the server has injected links to
adverts these are also fetched and displayed: the browser doesn't know
what such a link points to, only whether it can be displayed or not.

This is exactly the same process the browser uses to display pictures and
videos that the page's author wanted to show you: all are referenced by
HTML tags in the page body.

Of course this assumes you're not running an ad blocker: all these do it
to recognise advertiser URLs in a page and prevent them from being
accessed or displayed.


--
Martin    | martin at
Gregorie  | gregorie dot org

--- SoupGate-Win32 v1.05