Add trusted_types.js

[ryanbr]

https://github.com/stephenhawk8054/uBO-Scriptlets#set-trusted-types

for YT Ads.

www.youtube.com##+js(set-trusted-types)

[ShivanKaul]

You're missing the resources.json etc changes

[ShivanKaul]

This is just the scriptlet. I'm merging it in. We will review actually adding it via the filter rule.

[ghost]

The scriptlet is incomplete and pretty much useless.

It needs the functions from uBlock to work: run-at.fn function which has the safe-self.fn dependency.

And not just that, it needs to be executed, so the way Brave does it with uBlock is by adding the

{
const args = ["{{1}}", "{{2}}", "{{3}}", "{{4}}", "{{5}}", "{{6}}", "{{7}}", "{{8}}", "{{9}}"];
let last_arg_index = 0;
for (const arg_index in args) {
  if (args[arg_index] === '{{' + (Number(arg_index) + 1) + '}}') {
    break;
  }
  last_arg_index += 1;
}

function runAt(fn, when) {...}

function safeSelf() {...}

(function setTrustedTypes() {
  if (window.trustedTypes && window.trustedTypes.createPolicy) {
    window.trustedTypes.createPolicy("default", {
      createScript: string => string
    });
   }
   runAt(() => {}, 'interactive');
})(...args.slice(0, last_arg_index))
}

Of course since there are no arguments this would be the enough:

{function runAt(fn, when) {...}

function safeSelf() {...}

(function setTrustedTypes() {
  if (window.trustedTypes && window.trustedTypes.createPolicy) {
    window.trustedTypes.createPolicy("default", {
      createScript: string => string
    });
   }
   runAt(() => {}, 'interactive');
}());
}

I don't even get why this scriptlet is being considered, since Youtube doesn't have any CSP rule for the trusted types anyway, maybe it is a preventative thing, but you can easily run document.body.innerHTML = '<img src=xyz.jpg>'; or console.log(eval('2 + 2')); and don't get an error.

Testing Youtube rules, they don't even give the error if the CSP directive was is in place, because it is not using anything that needs trusted types like eval or innerHTML or setInterval or Timeout or anything like that which is explained in https://web.dev/articles/trusted-types

So, yeah, pretty confusing.

If anything, when necessary, I guess Gorhill will eventually add it to their scriptlets as a function and then be added to whatever scriptlet needs to be added, not an independent scriptlet that is changing the default, but one a function that will allow just the JS code in the scriptlet to trust it.

just as explained here https://web.dev/articles/trusted-types#trusted-type-policy and something like this:

which can be tested pretty easily by using: example.com$csp=require-trusted-types-for 'script';

and then:

if (window.trustedTypes && trustedTypes.createPolicy) { // Feature testing
  const exampleHTMLPolicy = trustedTypes.createPolicy('myExamplePolicy', {
    createHTML: string => string
  });
    const example = exampleHTMLPolicy.createHTML('<img src=x onerror=alert(1)>');
document.body.innerHTML = example;
}

which will not allow document.body.innerHTML = '<img src=x onerror=alert(1)>'; to run, unlike if you use that scriptlet, which is obviously changing the default policy which is terrible if a site somehow set it and a scriptlet just changes for everything, which would be the security issue here, not running the code itself.

One of the most confusing parts is how the scriptlet is called trusted_types in the resources file but the rule in experimental lists (which will do nothing anyway) https://github.com/brave/adblock-lists/blob/21303479a7ea7cf265d5183f1759c846cca5288f/brave-lists/experimental.txt#L17 needs set-trusted-types... because that is only compatible with how uBlock reads the file to call it with the adblock, but in Brave the name unless alias is the one uses.

So example.com##+js(trusted_types) would be the only way of calling it, so yes, both the rule and the scriptlet are bad.

Have a nice day.

[ryanbr]

Thanks for the suggestion. @TEMP-ad Trusted types being used on YT : https://groups.google.com/a/chromium.org/g/chromium-extensions/c/zMPYKu5wtZI/m/0gDa-UE_CgAJ?pli=1