fix(1.0.7): disable Trusted Types engine-wide via Blink feature flag

The 1.0.6 fix (strip require-trusted-types-for from CSP via
onHeadersReceived) didn't take effect: cliqz/adblocker calls
session.webRequest.onHeadersReceived during enableBlockingInSession,
overwriting our hook (Electron permits only one listener per session).

Replace with engine-level kill switch:
  app.commandLine.appendSwitch('disable-blink-features', 'TrustedDOMTypes')

Makes the entire Trusted Types runtime feature inert, so
require-trusted-types-for CSP becomes a no-op site-wide. Safe in this
kiosk/single-user context; only relaxes one security boundary that
sites use to harden against XSS via adblocker-style script injection —
which is exactly what we need to neutralize for cliqz's anti-anti-adblock
scriptlets on YouTube.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-16 22:14:19 +03:00
parent c9c9e1171b
commit e80704c534
2 changed files with 14 additions and 34 deletions

@@ -1,6 +1,6 @@
{
"name": "ESH-Media",
"version": "1.0.6",
"version": "1.0.7",
"private": true,
"main": "main.js",
"scripts": {
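
Review bot: the "version" change from 1.0.6 to 1.0.7 ships as a patch release a switch that, per the commit message, disables Trusted Types for every page the app loads, not only YouTube. Suggest stating that scope in the 1.0.7 release notes and adding a comment next to the app.commandLine.appendSwitch('disable-blink-features', 'TrustedDOMTypes') call that says why it is there and what would allow removing it, for example routing the CSP rewrite and the adblocker through one shared onHeadersReceived handler. The second changed file is not shown here, so the switch and the removal of the 1.0.6 hook cannot be checked against the description.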