mirror of
https://github.com/myronblair/infra
synced 2026-06-30 17:50:10 -05:00
docs: Cloudflare Rocket Loader rules — inline handlers blocked, use addEventListener + data-cfasync=false
This commit is contained in:
@@ -18,3 +18,31 @@ cp agent/config.json /opt/jarvis-agent/config.json
|
||||
systemctl enable jarvis-agent
|
||||
systemctl start jarvis-agent
|
||||
```
|
||||
|
||||
## Cloudflare Rocket Loader — IMPORTANT
|
||||
|
||||
JARVIS (and all sites) sit behind Cloudflare with **Rocket Loader enabled**.
|
||||
Rocket Loader does two things that break JavaScript login forms:
|
||||
|
||||
1. Changes `<script>` tag `type` to a fake value, deferring execution.
|
||||
2. Injects `if (!window.__cfRLUnblockHandlers) return false;` into **every**
|
||||
`onclick=`, `onkeydown=`, and other inline HTML event attributes,
|
||||
blocking them until Rocket Loader finishes loading.
|
||||
|
||||
### Rules for any page with JavaScript that must run immediately:
|
||||
|
||||
- Add `data-cfasync="false"` to ALL `<script>` tags.
|
||||
- **Never use inline event handler attributes** (`onclick=`, `onkeydown=`, etc.)
|
||||
on HTML elements — Rocket Loader will block them.
|
||||
- Attach all event listeners via `addEventListener()` in JavaScript.
|
||||
- Use `XMLHttpRequest` instead of `fetch()` for auth calls (more compatible).
|
||||
- Put scripts **after** their target DOM elements (end of body), not in `<head>`,
|
||||
so the elements exist when the script runs without needing DOMContentLoaded.
|
||||
|
||||
### Current login implementation (jarvis repo: public_html/login.html)
|
||||
|
||||
Standalone `/login.html` page handles all auth. `index.html` redirects to
|
||||
`/login.html` if no `jarvis_token` in sessionStorage.
|
||||
- Script is at end of body, after elements, with `data-cfasync="false"`
|
||||
- All handlers attached via `addEventListener` — no inline attributes
|
||||
- Uses XHR (not fetch) to POST to `/api/auth`
|
||||
|
||||
Reference in New Issue
Block a user