CA Security Suite harmful to jQuery
Today I had the somewhat tedious task of debugging a client’s site that uses jQuery for a variety of dynamic UI features, including extensive use of AJAX, which simply refused to function while running in a browser on a computer that had CA Internet Security Suite (CAISS) running, specifically with its browser protection features enabled.
Basically, by way of some trial and error through the settings, I discovered that if I left the CAISS pop-up blocker enabled, a lot of the JavaScript simply stopped in its tracks. In particular, I noticed that using any jQuery effects with timers (e.g. $().toggle(500)) or AJAX requests that had timeouts set would fail. By using Firefox coupled with the Firebug plugin (Firebug is AMAZING, thank you Joe Hewitt et al.), I was able to ascertain the following interesting clues:
- The CAISS popup blocker works by injecting a JavaScript file load into every HTML page the browser receives, and serves that page from a local webserver that runs on your local computer on a high port.
- This JavaScript file, xpopup.js, does a number of cute things, but most noticeably, it wraps the browser's setTimeout and setInterval and intercepts any code calls to these two functions.
- The wrapper’s job is essentially to disable window.open() before allowing any code passed to setTimeout or setInterval to execute. I suppose this is because a lot of sites attempt to circumvent popup blockers by placing timers on their popups.
Well, normally, I suppose this is a fine strategy and shouldn’t interfere with my client’s code as it doesn’t open any new windows. So, the wrapper should just execute the code, right? Unfortunately, no. The wrapper is busted and appears to balk at executing any code passed to it that contains newlines. I suppose CA assumed that no one would actually think to call setInterval with a multiline function, right? Anyway, yes, jQuery does a lot of this.
After attempting to get my code to somehow play nice with the offending code, I found that it wasn’t possible. What was trivial, however, was simply disabling the blocker’s wrapper with a few lines of JavaScript:
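// Once the DOM is ready, put back the original timer functions that the
// wrapper script saved under these global names.
$(document).ready(function() {
    if (window._orig_windowSetTimeout !== undefined)
        window.setTimeout = window._orig_windowSetTimeout;
    if (window._orig_windowSetInterval !== undefined)
        window.setInterval = window._orig_windowSetInterval;
});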
So not only was the blocker buggy, it’s trivial to circumvent anyway. Nice work there, CA.
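As an added example (not code from the original post or from CA), the same check can be written as a small diagnostic that reports which timer functions have been swapped out before restoring them. Only the two `_orig_window*` names come from the post; the helper names and the sample window object are hypothetical and constructed for illustration.

```javascript
// Backup globals named in the post, keyed by the timer they shadow.
const TIMER_BACKUPS = {
  setTimeout: '_orig_windowSetTimeout',
  setInterval: '_orig_windowSetInterval',
};

// Report, per timer, whether a backup global exists and whether the
// function currently installed differs from it (i.e. it has been wrapped).
function inspectTimers(win) {
  const report = {};
  for (const [name, backup] of Object.entries(TIMER_BACKUPS)) {
    const original = win[backup];
    const backupPresent = typeof original === 'function';
    report[name] = {
      backupPresent,
      wrapped: backupPresent && win[name] !== original,
    };
  }
  return report;
}

// Reinstall the saved originals; returns the names that were restored so
// the caller can log what had been tampered with.
function restoreTimers(win) {
  const restored = [];
  const report = inspectTimers(win);
  for (const name of Object.keys(report)) {
    if (report[name].wrapped) {
      win[name] = win[TIMER_BACKUPS[name]];
      restored.push(name);
    }
  }
  return restored;
}

// Constructed stand-in for a window where only setTimeout was wrapped.
function makeSampleWindow() {
  const originalTimeout = function () { return 'original-timeout'; };
  const originalInterval = function () { return 'original-interval'; };
  return {
    _orig_windowSetTimeout: originalTimeout,
    setTimeout: function wrappedTimeout() { return 'wrapped'; },
    setInterval: originalInterval, // untouched, so no backup global exists
  };
}
```

In a browser, pass `window` to `inspectTimers` from the console to see whether injected script has replaced the timers before deciding to restore them.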
You’re currently reading “CA Security Suite harmful to jQuery”, an entry on moonlee.org
- Published: 10.21.09 / 9pm
- Category: Geek