In article ,
Martin Gregorie   wrote:

>> It is not an injection. The server can not inject anything in clients
>> HTML unless there is something in the HTML that would pull the
>> "injection" and this is most likely the JavaScript code.

>Disagree. A server extension can do almost anything it wants to an HTML
>page before it is sent including, but not limited to, fiddling with CSS
>settings and adding Javascript, PHP, links and text to the page the
>server is about to send.

Once you're out of the "server" things still aren't safe and solid ...

There's injection into what the server *originally* sent *before* it gets to
the client. Look up the furore around "BT Phorm", part of which involved
BT (as an ISP) injecting profiling and other stuff into pages that had
nothing to do with them.

Some of this shows up when a web developer can't understand why stuff
works for some users, but not others -- and the common feature becomes
an ISP tampering with the data in transit (adding or editing the HTTP
on the fly).

--
--------------------------------------+------------------------------------
Mike Brown: mjb[-at-]signal11.org.uk  |    http://www.signal11.org.uk

--- SoupGate-Win32 v1.05