Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
This is the code Comcast is injecting into its users web traffic.

Above is the code Comcast is injecting into their customers web traffic when they need to display an "important message".

Feel free to read the blog post that goes along with this code.

<script language="JavaScript" type="text/javascript">
// Comcast Cable Communications, LLC Proprietary. Copyright 2012.
// Intended use is to display browser notifications for critical and time sensitive alerts.
var SYS_URL='/e8f6b078-0f35-11de-85c5-efc5ef23aa1f/aupm/notify.do';
// var image_url='http://servicealerts.comcast.net:8080/images/mt';
var image_url='http://xfinity.comcast.net/constantguard/BotAssistance/notice/images';
var headertext1='<strong>Comcast Courtesy Notice</strong>';
var textline1='You have reached 90% of your <b>monthly data usage allowance</b>.';
var textline2='Please sign in for more information and to remove this alert.';
var acknowledgebutton='<a href=\"#\" onClick="document.location.href=\''+SYS_URL+'?dispatch=redirect&redirectName=login&paramName=bmUid\'" title="Sign in to acknowledge" style="color: #FFFFFF;"><img alt="Sign in to acknowledge" src="'+image_url+'/mt_signin.png"/></a>';
var verifybulletin='<a href="http://customer.comcast.com/help-and-support/internet/data-usage-plans-nash/" target="_new">How do I know this message is from Comcast?</a>';
if(self.location==top.location) {
document.write('<style type="text/css">');
document.write('#comcast_content {width: 600px; height:240px; box-shadow: 10px 10px 5px #888; background: #fff; border: 1px solid #454545; position:absolute; top:50px; left:100px; zoom:1; z-index: 9999999; opacity:0.90; filter:alpha(opacity=90);}');
document.write('#comcast_content .header {height: 35px; background:url('+image_url+'/headerbg.gif) repeat-x;}');
document.write('#comcast_content .a {color: #00a3e0;}');
document.write('#comcast_content .logo {float:left;}');
document.write('#comcast_content .content-wrapper {padding-left: 18px; padding-right: 15px; padding-bottom: 12px;}');
document.write('#comcast_content .headerimage { margin-top: 15px;}');
document.write('#comcast_content .header1 {margin: 18px 0 0 0; color: #C00000; padding: 3px; font: 23px/24px bold Arial, Helvetica, sans-serif;}');
document.write('#comcast_content .textcontent {margin: 12px 0 0 0; text-align: center; color: #303030; word-spacing: 0px; font: 14px/15px Arial, Helvetica, sans-serif; line-height: 1.20;}');
document.write('#comcast_content .acknowledge {padding-top:6px; text-align: center;}');
document.write('#comcast_content .how-do-i {float:left; position:absolute; bottom:20px; left:18px; margin: 12px 0 0 0; font: 13px/14px bold Arial, Helvetica, sans-serif; text-align: bottom;}');
document.write('#comcast_content .comcast-wrapper {float:right; position:absolute; bottom:15px; right:18px; padding-top:0px; text-align: right;}');
document.write('</style>');
document.write('<div class="main-wrapper" id="comcast_content">');
document.write('<div class="header" onmousedown="javascript:dragStart(event,\'comcast_content\')">');
document.write('<img src="'+image_url+'/xfinity-logo.gif" alt="Xfinity" class="logo"/>');
document.write('</div>');
document.write('<div class="content-wrapper">');
document.write('<p class="header1">');
document.write(headertext1);
document.write('</p>');
document.write('<p class="textcontent">');
document.write(textline1);
document.write('</p>');
document.write('<p class="textcontent">');
document.write(textline2);
document.write('</p>');
document.write('<p class="how-do-i">');
document.write(verifybulletin);
document.write('</p>');
document.write('<div class="acknowledge">');
document.write(acknowledgebutton);
document.write('</div>');
document.write('<div class="comcast-wrapper">');
document.write('<img src="'+image_url+'/message-by-comcast.gif" alt="Message by Comcast"/>');
document.write('</div>');
document.write('</div>');
document.write('</div>');
}
// Function to Determine browser and version. Copyright 2001 by Mike Hall.
// See http://www.brainjar.com for terms of use.
function Browser() {
var ua, s, i;
this.isIE = false;
this.isNS = false;
this.version = null;
ua = navigator.userAgent;
s = "MSIE";
if ((i = ua.indexOf(s)) >= 1) {
this.isIE = true; this.version = parseFloat(ua.substr(i + s.length)); return;
}
s = "Netscape6/";
if ((i = ua.indexOf(s)) >= 0) {
this.isNS = true; this.version = parseFloat(ua.substr(i + s.length)); return;
}
s = "Gecko";
if ((i = ua.indexOf(s)) >= 0) {
this.isNS = true; this.version = 6.1; return;
}
}
var browser1 = new Browser();
var dragObj = new Object();
dragObj.zIndex = 99999;
function dragStart(event, id) {
var el;
var x, y;
if (id) dragObj.elNode = document.getElementById(id);
else {
if (browser1.isIE) dragObj.elNode = window.event.srcElement;
if (browser1.isNS) dragObj.elNode = event.target;
if (dragObj.elNode.nodeType == 3) dragObj.elNode = dragObj.elNode.parentNode;
}
if (browser1.isIE) {
x = window.event.clientX + document.documentElement.scrollLeft + document.body.scrollLeft;
y = window.event.clientY + document.documentElement.scrollTop + document.body.scrollTop;
}
if (browser1.isNS) {
x = event.clientX + window.scrollX;
y = event.clientY + window.scrollY;
}
dragObj.cursorStartX = x;
dragObj.cursorStartY = y;
dragObj.elStartLeft = parseInt(dragObj.elNode.style.left, 10);
dragObj.elStartTop = parseInt(dragObj.elNode.style.top, 10);
if (isNaN(dragObj.elStartLeft)) dragObj.elStartLeft = 100;
if (isNaN(dragObj.elStartTop)) dragObj.elStartTop = 50;
if (browser1.isIE) {
document.attachEvent("onmousemove", dragGo);
document.attachEvent("onmouseup", dragStop);
window.event.cancelBubble = true;
window.event.returnValue = false; }
if (browser1.isNS) {
document.addEventListener("mousemove", dragGo, true);
document.addEventListener("mouseup", dragStop, true);
event.preventDefault();
}
}
// End Function
function dragGo(event) {
var x, y;
if (browser1.isIE) {
x = window.event.clientX + document.documentElement.scrollLeft + document.body.scrollLeft;
y = window.event.clientY + document.documentElement.scrollTop + document.body.scrollTop;
}
if (browser1.isNS) {
x = event.clientX + window.scrollX; y = event.clientY + window.scrollY;
}
dragObj.elNode.style.left = (dragObj.elStartLeft + x - dragObj.cursorStartX) + "px";
dragObj.elNode.style.top = (dragObj.elStartTop + y - dragObj.cursorStartY) + "px";
if (browser1.isIE) { window.event.cancelBubble = true; window.event.returnValue = false; }
if (browser1.isNS) event.preventDefault(); }
function dragStop(event) {
if (browser1.isIE) {
document.detachEvent("onmousemove", dragGo);
document.detachEvent("onmouseup", dragStop);
}
if (browser1.isNS) {
document.removeEventListener("mousemove", dragGo, true);
document.removeEventListener("mouseup", dragStop, true);
}
}
var xmlhttp=false; /*@cc_on @*/ /*@if (@_jscript_version >= 5) try { xmlhttp = new ActiveXObject("Msxml2.XMLHTTP"); } catch (e) { try { xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); } catch (E) { xmlhttp = false; } } @end @*/ if (!xmlhttp && typeof XMLHttpRequest!='undefined') { try { xmlhttp = new XMLHttpRequest(); } catch (e) { xmlhttp=false; } } if (!xmlhttp && window.createRequest) { try { xmlhttp = window.createRequest(); } catch (e) { xmlhttp=false; } }
function acknowledge() { sendAck(); document.getElementById('comcast_content').style.display="none"; }
function sendAck(){ xmlhttp.open("GET", SYS_URL+'?dispatch=ackBulletin',true); xmlhttp.send(null) }
var comcastCheck=1;
var comcastTimer;
function checkBulletin(){
if(comcastCheck==0) { return; }
xmlhttp.open("GET", SYS_URL+'?dispatch=checkBulletin',true);
xmlhttp.onreadystatechange = function() {
if (xmlhttp.readyState == 4) {
if(xmlhttp.responseText.indexOf('43a1028c-7d11-11de-b687-1f15c5ad6a13')==-1){
document.getElementById('comcast_content').style.display="none";
comcastCheck=1;
}
comcastTimer=setTimeout("checkBulletin()",5000);
};
};
xmlhttp.send(null);
}
checkBulletin();
</script>
@mculp
Copy link

mculp commented Apr 4, 2013

Charter injects a frame into the top of your pages when your bill is past due.

@j1n6
Copy link

j1n6 commented Apr 4, 2013

🍺 reminds me 90s primary school coding challenge.

@robertmain
Copy link

robertmain commented Jan 28, 2015

Why is everyone so surprised that their JS is shit? They suck at literally everything else, why not JS also?

@frank-weindel
Copy link

frank-weindel commented Apr 18, 2015

Here is some new code they are injecting for copyright violations: https://gist.github.com/frank-weindel/d4e6accfdadc44652f43

@AdamWhiteHat
Copy link

AdamWhiteHat commented Jun 28, 2016

You can experience this by purchasing some internet time through one of their wifi hotspots also. You will get slide-ins that advertise internet packages to you.

After some google-fu, I learned they use a 3rd party technology to do this, its called FrontPorch. Here is a detailed document that explains what this technology is capable of:
https://net.educause.edu/Elements/Attachments/rfi/vendors/frontporch.pdf
http://www.frontporch.com

Enjoy

@pcgeek86
Copy link

pcgeek86 commented Dec 3, 2016

As an Xfinity customer, I'm legitimately concerned about the security flaws that this exposes. No one should be injecting advertisements for a service that I already pay for, and exposing my system to security risks. Reckless.

@hydranix
Copy link

hydranix commented Dec 29, 2016

I'm not even joking, but in the injection I just saw (Dec 29th 2016)

<script language="JavaScript" type="text/javascript">
// Comcast Cable Communications, LLC Propriertary, Copyright (C) 2012-2013 Comcast
// Intended use of this message is to display critical and time sensitive notifications to customers.

Note the spelling of "Propriertary".

@SpaceOctopus
Copy link

SpaceOctopus commented Mar 30, 2017

This is ridiculous. I can confirm it happens, as I have now received such notifications at least 3 times. I'm curious as to whether or not I can report this behavior to the FTC. The more reports they get about stuff like this, the more likely they are to do something about it. They must be doing something illegal here. Even if it's just using GPL code without permission.
I really hate Comcast as it is already, but when they are basically the monopoly where you live (no other provider), this is not just your run of the mill security flaw. Internet is a utility, and everyone needs it. To simply claim we can just stop paying Comcast is a gross oversimplification of the problem & completely ignores the fact this is a huge security flaw, not to mention the fact I think they're not allowed to hijack or inject your connection? Where the hell is consumer protection? Why is this allowed?

It's bad enough that they are imposing a bandwidth cap at all, especially when they are obviously lying about their reasons, and lying to customers by saying nonsense about how less than 1% of users use more than 1TB in a month, and that those people cause any sort of problem whatsoever, or that it should cost more or less depending on how much you use. That is retarded. Anyone with half a brain knows this is just a grab for more money. It doesn't cost them a dime extra to let the supposed 1% use more than that 1TB, not to mention the fact that 1% isn't even enough of a percentage to be worth doing anything about. Take into consideration the fact that these users are technically just using the bandwidth that isn't used by those people using less than 100gb in a month.... anyway, I feel like everyone is just allowing comcast to bend them over & taking it like they have to. Report them to the FTC. Do something. Just because data caps don't affect you, doesn't mean they are acceptable, or reasonable. You're screwing the rest of us. It is extremely unreasonable to charge overage fees the way they do. They can charge you up to $200 for overage. Per month. If you want truly unlimited internet, like you've been paying for FOR YEARS, and signed a contract for, you have to pay an additional $50 a month, on top of the amount you already pay, which is bullshit considering the fact you're paying for speeds you don't even get 1/8th of on a good day (even with a badass, brand new, super fast router & modem you pay for yourself)..... :(

@hydranix LOL at propriertary.

@r3wt
Copy link

r3wt commented Jun 21, 2017

@SpaceOctopus this is legal unfortunately. I would suggest writing letters to your representative(s). If enough people make enough noise about this, eventually a bill could be brought to make this practice illegal.

@victoriafrench
Copy link

victoriafrench commented Dec 16, 2017

@r3wt how is this legal? what law makes it legal? When a customer is coming to my site and they intercept the code that I own the copyright to and modify it, they are illegally making a derivative work of my code. I don't see how anyone can claim this is legal. I am waiting for a response from our attorneys, we are looking for any cases that legalize this, but right now I don't see how anyone can claim this is legal.

@farzher
Copy link

farzher commented Mar 5, 2019

still getting this message in 2019. doesn't seem like a very "critical time sensitive" notification.
how is this legal !?!? i thought for sure i had a virus.
http://bsonspec.org/spec.html is the page i was visiting

image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment