From e80704c534e30fe7b843c54f12da31e0c6bd54b6 Mon Sep 17 00:00:00 2001
From: eshmeshek
Date: Sat, 16 May 2026 22:14:19 +0300
Subject: [PATCH] fix(1.0.7): disable Trusted Types engine-wide via Blink feature flag
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The 1.0.6 fix (strip require-trusted-types-for from CSP via onHeadersReceived) didn't take effect: cliqz/adblocker calls session.webRequest.onHeadersReceived during enableBlockingInSession, overwriting our hook (Electron permits only one listener per session). Replace with engine-level kill switch: app.commandLine.appendSwitch('disable-blink-features', 'TrustedDOMTypes') Makes the entire Trusted Types runtime feature inert, so require-trusted-types-for CSP becomes a no-op site-wide. Safe in this kiosk/single-user context; only relaxes one security boundary that sites use to harden against XSS via adblocker-style script injection — which is exactly what we need to neutralize for cliqz's anti-anti-adblock scriptlets on YouTube.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 main.js | 46 +++++++++++++---------------------------------
 package.json | 2 +-
 2 files changed, 14 insertions(+), 34 deletions(-)

diff --git a/main.js b/main.js
index e210174..2967a58 100644
--- a/main.js
+++ b/main.js
@@ -6,6 +6,16 @@ const cheerio = require('cheerio'); const { ElectronBlocker, adsAndTrackingLists } = require('@cliqz/adblocker-electron'); const { autoUpdater } = require('electron-updater'); +// Disable Trusted Types CSP enforcement engine-wide. +// YouTube sends `Content-Security-Policy: require-trusted-types-for 'script'`, +// which blocks the cliqz adblocker's scriptlet injection (it uses plain +// `script.text = ...`) → 52+ console errors and broken anti-adblock neutralizers. +// Stripping the CSP header via webRequest doesn't work — the adblocker's own +// onHeadersReceived hook overwrites ours (Electron allows only one listener +// per session). Disabling the Blink feature is the cleanest fix; safe in a +// kiosk single-user context. +app.commandLine.appendSwitch('disable-blink-features', 'TrustedDOMTypes'); + const CONFIG_PATH = path.join(os.homedir(), '.ESH-Media.json'); const BLOCKER_CACHE_PATH = path.join(os.homedir(), '.ESH-Media-adblock-v3.bin'); const DEFAULT_TRUSTED_DOMAINS = [ 
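Review bot: The new comment block in this hunk understates the scope of what it disables: `disable-blink-features=TrustedDOMTypes` switches Trusted Types off for every origin the app loads, and Trusted Types guard all DOM string sinks (innerHTML, script.text, eval), not only adblocker-style script injection, so the per-host scoping the removed 1.0.6 listener had (YouTube/Google only) is gone and any authenticated site opened in the kiosk loses its DOM-XSS hardening. I would replace the `safe in a kiosk single-user context` sentence with `// Trade-off: this drops Trusted Types DOM-XSS hardening for ALL origins loaded by this app, not just YouTube.` The value `TrustedDOMTypes` is a Blink runtime-feature name that Chromium may rename across Electron upgrades, at which point the switch becomes a silent no-op; a note such as `// 'TrustedDOMTypes' is a Blink runtime feature name — after an Electron bump, confirm window.trustedTypes is undefined in a renderer` would make that failure visible. The switch only takes effect if appended before the app's ready event; it sits at module top so that holds today, but the comment should say so, since moving it below `app.whenReady()` would silently break the fix.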
@@ -1228,39 +1238,9 @@ app.whenReady().then(async () => { } ); - // Strip Trusted Types directives from CSP for sites that enforce them - // (YouTube, Gmail, etc.). The cliqz adblocker injects inline scriptlets to - // neutralize anti-adblock tricks; those injections use plain script.text - // assignment which TT blocks → "An HTMLScriptElement was directly modified - // and will not be executed" (52+ console errors on YouTube). Without TT - // the adblocker's scripts run and YouTube works normally. - const TT_STRIP_HOSTS = [ - 'youtube.com', 'youtu.be', 'youtubekids.com', - 'google.com', 'gmail.com', 'mail.google.com', - ]; - const stripTrustedTypes = (sess) => { - sess.webRequest.onHeadersReceived( - { urls: ['https://*/*'] }, - (details, callback) => { - let host = ''; - try { host = new URL(details.url).hostname; } catch {} - const match = TT_STRIP_HOSTS.some(d => host === d || host.endsWith('.' + d)); - const headers = details.responseHeaders; - if (!match || !headers) return callback({}); - for (const k of Object.keys(headers)) { - if (/^content-security-policy(-report-only)?$/i.test(k)) { - headers[k] = headers[k].map(v => v - .replace(/require-trusted-types-for[^;]*;?\s*/gi, '') - .replace(/trusted-types[^;]*;?\s*/gi, '')); - } - } - callback({ responseHeaders: headers }); - } - ); - }; - stripTrustedTypes(session.defaultSession); - stripTrustedTypes(getProxySession()); - stripTrustedTypes(getDirectSession()); + // (Trusted Types now handled engine-wide via --disable-blink-features + // command-line switch at file top. webRequest.onHeadersReceived strip + // was tried in 1.0.6 but the cliqz adblocker overwrites the listener.) // Apply proxy from config before blocker tries to download filter lists loadTrustedDomainsFromDisk(); diff --git a/package.json b/package.json index bf93a78..b2f81b8 100644 --- a/package.json +++ b/package.json 
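Review bot: The three-line comment that replaces the stripped listener narrates history (`was tried in 1.0.6`, `the cliqz adblocker overwrites the listener`) that the commit message already records, rather than describing the code that now exists; a single pointer such as `// Trusted Types are disabled engine-wide via the disable-blink-features switch at file top; no per-session CSP rewriting is needed here.` reads better a year from now. Worth checking, though not visible in this hunk, whether `getProxySession()` and `getDirectSession()` still have other callers after this deletion. The enclosing `app.whenReady().then(async () => { … })` callback starts and ends outside the hunk.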
@@ -1,6 +1,6 @@
 {
 "name": "ESH-Media",
- "version": "1.0.6",
+ "version": "1.0.7",
 "private": true,
 "main": "main.js",
 "scripts": {