public/ESH-Media
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 2 Wiki Activity

Compare commits

base: public:v1.0.5
Branches Tags
public:master
public:v1.0.14 public:v1.0.12 public:v1.0.11 public:v1.0.10 public:v1.0.9 public:v1.0.8 public:v1.0.7 public:v1.0.6 public:v1.0.5 public:v1.0.4 public:v1.0.3 public:v1.0.2 public:v1.0.1
...
compare: public:v1.0.6
Branches Tags
public:master
public:v1.0.14 public:v1.0.12 public:v1.0.11 public:v1.0.10 public:v1.0.9 public:v1.0.8 public:v1.0.7 public:v1.0.6 public:v1.0.5 public:v1.0.4 public:v1.0.3 public:v1.0.2 public:v1.0.1

1 Commits
v1.0.5 ... v1.0.6

Author SHA1 Message Date
eshmeshek
c9c9e1171b fix(1.0.6): strip Trusted Types CSP on YouTube/Google to unbreak adblocker 
YouTube response sends Content-Security-Policy: require-trusted-types-for
'script' which blocks the cliqz adblocker's inline-script injection used
to neutralize YT's anti-adblock detection (52 "HTMLScriptElement was
directly modified and will not be executed" console errors).

Strip require-trusted-types-for and trusted-types directives from CSP
and CSP-Report-Only headers for youtube.com / youtu.be / google.com /
gmail.com (and subdomains) via onHeadersReceived on all 3 sessions.
Other CSP directives stay intact so site-level security boundaries hold.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-16 22:01:26 +03:00
2 changed files with 35 additions and 1 deletions
Expand all files Collapse all files

34
main.js
View File

@@ -1228,6 +1228,40 @@ app.whenReady().then(async () => {
} }
); );
// Strip Trusted Types directives from CSP for sites that enforce them
// (YouTube, Gmail, etc.). The cliqz adblocker injects inline scriptlets to
// neutralize anti-adblock tricks; those injections use plain script.text
// assignment which TT blocks → "An HTMLScriptElement was directly modified
// and will not be executed" (52+ console errors on YouTube). Without TT
// the adblocker's scripts run and YouTube works normally.
const TT_STRIP_HOSTS = [
'youtube.com', 'youtu.be', 'youtubekids.com',
'google.com', 'gmail.com', 'mail.google.com',
];
const stripTrustedTypes = (sess) => {
sess.webRequest.onHeadersReceived(
{ urls: ['https://*/*'] },
(details, callback) => {
let host = '';
try { host = new URL(details.url).hostname; } catch {}
const match = TT_STRIP_HOSTS.some(d => host === d || host.endsWith('.' + d));
const headers = details.responseHeaders;
if (!match || !headers) return callback({});
for (const k of Object.keys(headers)) {
if (/^content-security-policy(-report-only)?$/i.test(k)) {
headers[k] = headers[k].map(v => v
.replace(/require-trusted-types-for[^;]*;?\s*/gi, '')
.replace(/trusted-types[^;]*;?\s*/gi, ''));
}
}
callback({ responseHeaders: headers });
}
);
};
stripTrustedTypes(session.defaultSession);
stripTrustedTypes(getProxySession());
stripTrustedTypes(getDirectSession());
// Apply proxy from config before blocker tries to download filter lists // Apply proxy from config before blocker tries to download filter lists
loadTrustedDomainsFromDisk(); loadTrustedDomainsFromDisk();
try { try {

2
package.json
View File

@@ -1,6 +1,6 @@
{ {
"name": "ESH-Media", "name": "ESH-Media",
"version": "1.0.5", "version": "1.0.6",
"private": true, "private": true,
"main": "main.js", "main": "main.js",
"scripts": { "scripts": {