Issue with executing userscripts inside documents that require TrustedTypes #1779

Closed
ameshkov opened this issue Jul 3, 2023 · 8 comments

ameshkov commented Jul 3, 2023

See the linked issue: https://github.com/Rob--W/dont-track-me-google/issues/53


ameshkov commented Jul 3, 2023

@dnmTX

Slimjet Version 39.0.2.0 (based on Chromium 111.0.5563.41) (Official Build) (64-bit)

Can it be reproduced with Chrome?


dnmTX commented Jul 3, 2023

> Can it be reproduced with Chrome?

I unfortunately have only Slimjet installed, no other browsers are present here. Trying to keep it tight and clean on my end 😉

P.S. Just in case, mask your User Agent with the latest Mozilla one when you try to reproduce it.

@temis2k16

Issue is reproduced with AG and with Tampermonkey in Chrome. Can't be reproduced in Firefox. Maybe some security updates in the latest Chromium could cause the problem and require a workaround on the AG side?


dnmTX commented Jul 19, 2023

The script actually needs to have "TrustedScript assignment", either implemented by the @AdguardTeam or the developer (based on my research). I believe that we don't even have to wait for the app update as this is in one of the AG extensions/userscripts.
Actually the "TrustedScript" feature was implemented in v.83 of Chrome. I don't have an idea why it became so aggressive lately.

@adguard-bot adguard-bot assigned sfionov and unassigned maximtop Jul 26, 2023
@adguard-bot adguard-bot assigned grumaxxx and maximtop and unassigned sfionov and grumaxxx Aug 9, 2023
@ameshkov ameshkov changed the title from "'Don't track me Google' userscript does not work with AG" to "Issue with executing userscripts inside frames that require TrustedTypes" Aug 24, 2023

ameshkov commented Aug 24, 2023

We did some research on this issue. It is indeed caused by the fact that an iframe on that page requires trusted types. The question was why there's no error with Tampermonkey while there's an error with AdGuard or Violentmonkey.

The answer is that Tampermonkey removes the `require-trusted-types-for` directive from CSP headers:

Proof: [image]

The question is whether we need to do anything about that or whether this kind of issue should be resolved by userscript authors. Should we actually go the same way as Tampermonkey and modify CSP? To be honest, I am reluctant about that and would rather avoid doing anything, especially if the only problem is just one userscript where this can be solved rather easily.

Userscript authors can resolve this using code like this:

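```js
const s = document.createElement('script');
// getScriptCspNonce() is the userscript's own helper and is not shown in this
// comment; it is assumed to return the page's script nonce, or a falsy value.
const scriptCspNonce = getScriptCspNonce();
if (scriptCspNonce) {
    s.setAttribute('nonce', scriptCspNonce);
}

// Build a Trusted Types policy where the browser supports the API; otherwise
// fall back to a plain object with the same createScript() shape.
const createPolicy = () => {
    const defaultPolicy = {
        createScript: (input) => {
            return input;
        },
    };

    if (window.trustedTypes && window.trustedTypes.createPolicy) {
        return window.trustedTypes.createPolicy('somePolicy', defaultPolicy);
    }

    return defaultPolicy;
};

const somePolicy = createPolicy();
// createScript() returns a TrustedScript (or the raw string in the fallback),
// which is what a sink such as textContent accepts under Trusted Types.
const scriptContent = somePolicy.createScript('console.log(\'test\')');
s.textContent = scriptContent;
```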

@ameshkov ameshkov changed the title from "Issue with executing userscripts inside frames that require TrustedTypes" to "Issue with executing userscripts inside documents that require TrustedTypes" Aug 24, 2023
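Added example, not code from this thread or from AdGuard: a Node.js check for the two CSP directives involved here. It reports whether a header enforces `require-trusted-types-for 'script'` and whether a policy name such as the `somePolicy` used in the comment above passes the page's `trusted-types` allowlist, since `createPolicy` throws when the name is not allowed. The header strings are constructed samples and the function names are hypothetical.

```javascript
// Added example. The header strings below are constructed samples.

// Parse one serialized CSP into a Map of directive name -> value tokens.
function parseCsp(policy) {
    const directives = new Map();
    for (const part of policy.split(';')) {
        const tokens = part.trim().split(/\s+/).filter(Boolean);
        if (tokens.length === 0) continue;
        const name = tokens[0].toLowerCase();
        // A repeated directive is ignored: the first occurrence wins.
        if (!directives.has(name)) directives.set(name, tokens.slice(1));
    }
    return directives;
}

// A header value may carry several comma-separated policies; all are enforced.
const policiesOf = (header) => header.split(',').map(parseCsp);

// True if any policy enforces Trusted Types on script sinks.
function requiresTrustedTypes(header) {
    return policiesOf(header).some((p) =>
        (p.get('require-trusted-types-for') || []).includes("'script'"));
}

// True if trustedTypes.createPolicy(name, ...) would pass every policy.
// existing: names of Trusted Types policies the document already created.
function canCreatePolicy(header, name, existing = []) {
    return policiesOf(header).every((p) => {
        const allow = p.get('trusted-types');
        if (allow === undefined) return true; // no allowlist: any name passes
        if (existing.includes(name) && !allow.includes("'allow-duplicates'")) return false;
        return allow.includes(name) || allow.includes('*');
    });
}

const strict = "script-src 'self'; require-trusted-types-for 'script'; trusted-types dompurify";
const open = "script-src 'self'; require-trusted-types-for 'script'";
const stripped = "script-src 'self'"; // the directive is no longer in the header

for (const header of [strict, open, stripped]) {
    console.log(JSON.stringify({
        header,
        enforced: requiresTrustedTypes(header),
        somePolicyAllowed: canCreatePolicy(header, 'somePolicy'),
    }));
}
```

With the `strict` sample, enforcement is on and `somePolicy` is rejected, so a userscript that creates its own policy still fails on pages that pin an allowlist.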

dnmTX commented Aug 24, 2023

PING @Rob--W ☝️


zubrRB commented Aug 24, 2023

The developer of the user script of the Mouseover Popup Image Viewer a few days ago made it so that his script began to work, for example, in the comments of Disqus. https://github.com/tophf/mpiv/commits/master


zubrRB commented Aug 24, 2023

The developer of the userscript MPIV @tophf mentioned above is also one of the developers of the Violentmonkey.
