mirror of
https://github.com/myronblair/infra
synced 2026-06-30 17:50:10 -05:00
docs: Cloudflare Rocket Loader rules — inline handlers blocked, use addEventListener + data-cfasync=false
This commit is contained in:
@@ -18,3 +18,31 @@ cp agent/config.json /opt/jarvis-agent/config.json
|
|||||||
systemctl enable jarvis-agent
|
systemctl enable jarvis-agent
|
||||||
systemctl start jarvis-agent
|
systemctl start jarvis-agent
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Cloudflare Rocket Loader — IMPORTANT
|
||||||
|
|
||||||
|
JARVIS (and all sites) sit behind Cloudflare with **Rocket Loader enabled**.
|
||||||
|
Rocket Loader does two things that break JavaScript login forms:
|
||||||
|
|
||||||
|
1. Changes `<script>` tag `type` to a fake value, deferring execution.
|
||||||
|
2. Injects `if (!window.__cfRLUnblockHandlers) return false;` into **every**
|
||||||
|
`onclick=`, `onkeydown=`, and other inline HTML event attributes,
|
||||||
|
blocking them until Rocket Loader finishes loading.
|
||||||
|
|
||||||
|
### Rules for any page with JavaScript that must run immediately:
|
||||||
|
|
||||||
|
- Add `data-cfasync="false"` to ALL `<script>` tags.
|
||||||
|
- **Never use inline event handler attributes** (`onclick=`, `onkeydown=`, etc.)
|
||||||
|
on HTML elements — Rocket Loader will block them.
|
||||||
|
- Attach all event listeners via `addEventListener()` in JavaScript.
|
||||||
|
- Use `XMLHttpRequest` instead of `fetch()` for auth calls (more compatible).
|
||||||
|
- Put scripts **after** their target DOM elements (end of body), not in `<head>`,
|
||||||
|
so the elements exist when the script runs without needing DOMContentLoaded.
|
||||||
|
|
||||||
|
### Current login implementation (jarvis repo: public_html/login.html)
|
||||||
|
|
||||||
|
Standalone `/login.html` page handles all auth. `index.html` redirects to
|
||||||
|
`/login.html` if no `jarvis_token` in sessionStorage.
|
||||||
|
- Script is at end of body, after elements, with `data-cfasync="false"`
|
||||||
|
- All handlers attached via `addEventListener` — no inline attributes
|
||||||
|
- Uses XHR (not fetch) to POST to `/api/auth`
|
||||||
|
|||||||
Reference in New Issue
Block a user