infra/ai-memory/feedback_cloudflare_rocket_loader.md

name, description, metadata

name	description	metadata
feedback-cloudflare-rocket-loader	Cloudflare Rocket Loader breaks inline JS event handlers and defers scripts — how to avoid and fix	node_type type originSessionId memory feedback dfc59a24-a903-4f91-8c76-331af763d3e6

Cloudflare Rocket Loader is enabled on all orbishosting.com sites and causes two distinct problems:

1. Script deferral — changes <script> tag type to a fake value, preventing execution until Rocket Loader finishes loading. Breaks any JS that must run on page load.

2. Inline handler blocking — injects if (!window.__cfRLUnblockHandlers) return false; into every onclick=, onkeydown=, etc. HTML attribute. Even if the function is defined, the click is blocked.

Why: These are Cloudflare "performance optimizations" that can't be disabled without Cloudflare dashboard access (no API keys stored).

How to apply: For any page with JavaScript that must work:

• Add Cache-Control: no-transform, no-store response header — this tells Cloudflare not to modify the response. Use ini_set('session.cache_limiter', '') before session_start() or the session headers will override it.
• Never use inline event handler attributes (onclick=, onkeydown=). Always use addEventListener().
• The main JARVIS app (jarvis.orbishosting.com) is now served via index.php which adds this header automatically.

Current solution (2026-06-01):

• Login: login.php (pure PHP form POST, no JS) with Cache-Control: no-transform
• Entry point: index.php checks PHP session, redirects to login.php if not auth'd
• App served with token injected as var __jarvisToken global + CSS forcing loginScreen hidden
• See project-jarvis for full architecture