document the tragedy that is tmweb...

2020-04-23 17:04:01 -07:00 · 2020-04-23 17:04:01 -07:00 · c9692a8fc5
commit c9692a8fc5
parent d3f0eeb66b
1 changed files with 10 additions and 2 deletions
--- a/index.js
+++ b/index.js
@ -41,8 +41,16 @@ async function modifyBody(pageContentTextPromise, originalResponse) {
        `<div id="pagecontent">
          <!--edge side include via cf worker-->
          ${await pageContentResponse.text()}
-          <!--invisible image to establish tm cookie-->
+          <!--invisible image to establish tm cookie. Note that troopmaster redirects this https to
-          <img src="https://tmweb.troopmaster.com/mysite/${TMSITENAME}" height="1" width="1" style="opacity:0" >
+              /Website/Home, then redirects again, explicitly to http. Since Troopmaste also
              doesn't respect CORS, our only way to establish a cookie for login is with this image
              tag that eventually will try to fetch an http resource, but we can't tell the browser
              here to avoid redirects (we don't want the "image", only the cookie). as if that's not
              enough, javascript on /Website/Home actually checks for http and does a
              **CLIENT SIDE REDIRECT BACK TO HTTPS**, resulting in a wild flash that we just
              avoid with a simple 302 (first in this worker, then back as a checkbox on the
              CloudFlare dashboard. Seriously, people...I don't know whether to laugh or cry -->
          <img src="https://tmweb.troopmaster.com/mysite/${TMSITENAME}?Home" height="1" width="1" style="opacity:0" >
          <!--end invisible image to establish tm cookie-->
          <!--End edge side include via cf worker-->
         </div>`);