I think is part of the code by @eapl.me@eapl.me that I have based my project on. So try to ask him.

hey @mckinley@twtxt.net !

Perhaps your VPN or an extension is injecting some kind of verification before using the site?

The original development doesn’t use JavaScript at all, and has 2 cookies for session managing, short term for guests and long term for the admin (perhaps that has to be changed with current European regulations, not sure)

@darch@darch.dk you could add HTTPS to your site to avoid external services injecting JS to the HTML. I bought a SSL certificate for my shared hosting, sadly it doesn’t support Let’s Encrypt.

But if an extension is doing that, I think there is not much to do from our side.

@eapl.me@eapl.me are ISPs still injecting code into HTTP in this the year 2023? I remember getting notices that my comcast modem is out of date pushed into websites back a decade ago.

@eapl.me@eapl.me There is HTTPS but it doesn’t seem to be enforced. My browser always connects with TLS if it’s available and the message is present with or without TLS or extensions, even when using cURL. I would notice if my VPN service injected things like this because I disable JavaScript and cookies by default. I think it’s unlikely I’m being MiTMed because the certificate is definitely from Let’s Encrypt. Also, I don’t see the point in MiTMing me just to put a JavaScript challenge on someone’s personal website.

I still think it’s a hosting provider thing. It doesn’t really matter to me, I’m just curious.