What are the consequences of executing #JavaScript from cdnjs.cloudflare.com? I don't trust CF in general & try not to connect to them, so then I went to this link instead of the original: https://web.archive.org/web/www.ran.org/wp-content/uploads/2021/03/Banking-on-Climate-Chaos-2021.pdf#page=7 That avoids #Cloudflare. But why did the PDF load?
@resist1984 Archive.org archives the whole website including stylesheets, script files and images. So you load the same JS file from web.archive.org instead of CF.
@resist1984 Actually it's not exactly the same, archive.org seems to make some modifications.
@t0k well it seems there is no viable option. Once I knew the full PDF URL, it's fine because the js doesn't block a direct download (i can load the PDF in a non-js browser). But apparently executing the js is mandatory if you only know the parent URL that contains the pdf link (https://www.ran.org/bankingonclimatechaos2021/)
@resist1984 I just managed to. Again, open the source code of the page, search for 'pdf'. Then right-click on the desired link -> Copy Link Location. Paste the link in the URL bar and enjoy the PDF :)
@t0k when viewing this: view-source:https://www.ran.org/bankingonclimatechaos2021/ searching for pdf only has 3 hits, and none of them are "Banking-on-Climate-Chaos-2021.pdf"
@t0k apparently the CF JS must be executed in order to reveal the URL
@t0k #RAN is trying to be clever. Notice that if you go to last year's report (https://www.ran.org/bankingonclimatechaos2020/) it interrupts with "don't you want the most recent report?" They're imposing CF JS to intercept visits to old docs. It's a shame they use js for that.
@resist1984 Hmm.. true. So yes, seems like the link is loaded or generated by some script. Regarding trackers that site is horrible anyway.
@t0k what's eye-opening for me is that as uMatrix defaults to trusting 1st party javascript (which most users probably accept), but in the case of archive.org all 3rd party js gets repackaged as 1st party. i guess i'll setup uMatrix to refuse all js from archive.org
@resist1984 Yes, that's the point here.
@resist1984 Found a hack (but likely specific to this site):
* Install uBlock origin
* Load that site and wait until the typical fancy animated CF dots appear.
* Use the 'element zapper' of uBlock origin ⚡ to zap the gray background with the dots 🌩️
* Now you see 'DOWNLOAD THE REPORT', click it to get to the site where you can actually download the PDF.
@t0k thanks for the tip. I used to use a "nuke anything" plugin and that sounds similar.
@resist1984 So basically there's no need here for CF. I've seen CF on many sites where I suspected they used it out of pure ignorance. Also I once talked to somebody who works for a company which sells Web Engineering to NGOs including 'Search Engine Optimization'. They basically put Google Analytics on NGO pages. The people that do that work are trained by Google (!) on how to make websites. That opened my eyes too.
@resist1984 Have a look at the website source code of an archived website (in Firefox: Right click -> View Page Source). There you'll see.
The original URL would not give the PDF without running CF JS. Yet archive.org avoids CF JS. Is archive.org simply delivering copies of the CF JS as though it's first-party #javascript?