docs: Cloudflare Rocket Loader rules — inline handlers blocked, use addEventListener + data-cfasync=false

This commit is contained in:
2026-06-01 09:12:50 +00:00
parent 2a45dac693
commit 2dcd8e9975
+28
View File
@@ -18,3 +18,31 @@ cp agent/config.json /opt/jarvis-agent/config.json
systemctl enable jarvis-agent
systemctl start jarvis-agent
```
## Cloudflare Rocket Loader — IMPORTANT
JARVIS (and all sites) sit behind Cloudflare with **Rocket Loader enabled**.
Rocket Loader does two things that break JavaScript login forms:
1. Changes `<script>` tag `type` to a fake value, deferring execution.
2. Injects `if (!window.__cfRLUnblockHandlers) return false;` into **every**
`onclick=`, `onkeydown=`, and other inline HTML event attributes,
blocking them until Rocket Loader finishes loading.
### Rules for any page with JavaScript that must run immediately:
- Add `data-cfasync="false"` to ALL `<script>` tags.
- **Never use inline event handler attributes** (`onclick=`, `onkeydown=`, etc.)
on HTML elements — Rocket Loader will block them.
- Attach all event listeners via `addEventListener()` in JavaScript.
- Use `XMLHttpRequest` instead of `fetch()` for auth calls (more compatible).
- Put scripts **after** their target DOM elements (end of body), not in `<head>`,
so the elements exist when the script runs without needing DOMContentLoaded.
### Current login implementation (jarvis repo: public_html/login.html)
Standalone `/login.html` page handles all auth. `index.html` redirects to
`/login.html` if no `jarvis_token` in sessionStorage.
- Script is at end of body, after elements, with `data-cfasync="false"`
- All handlers attached via `addEventListener` — no inline attributes
- Uses XHR (not fetch) to POST to `/api/auth`