CSP error in Chrome - Githubissues

amitbl / blocktube

YouTube™ content blocker

GNU General Public License v3.0

904 stars 64 forks source link

CSP error in Chrome #436

Open IlyaFirsov opened 1 month ago

IlyaFirsov commented 1 month ago

When using advanced blocking I recently started to get the following error:

Custom function syntax error EvalError: Refused to evaluate a string as JavaScript because this document requires 'Trusted Type' assignment.
    at eval (<anonymous>)
    at storageReceived (inject.js:1414:27)
    at inject.js:1613:9
storageReceived @ inject.js:1420

As a result, advanced blocking rules no longer work. Can it be fixed?

BlockTube 0.4.2, Chrome 127.0.6533.89

aninder commented 1 month ago

have 2 chrome types installed, on Chrome Standard which is at 127.0.6533.88 , the advanced blocking rules are working on Chrome canary which is at 129.0.6629.0 , with recent update the advanced blocking rules throw error with , "This document requires 'TrustedScript' assignment. Custom function syntax error EvalError: Refused to evaluate a string as JavaScript because this document requires 'Trusted Type' assignment."

It seems for Chrome standard something was changed between 127.0.6533.88 and 127.0.6533.89 that has started causing this issue.

BlockTube 0.4.2

aninder commented 1 month ago

stange but advanced blocking started working. on same chrome canary version 129.0.6629.0 after a bit . updated chrome standard from 127.0.6533.88 to 127.0.6533.89 and it's workiing there as well. Not sure what happened there.

old4ever commented 1 month ago

I have also experienced this issue, upgraded Chrome (126.0.6478.126-1 ⇒ 127.0.6533.88-1). I tried to do a further investigation on what exactly changed during these versions, but instead found this article from Google's Chrome for Developers Blog, stating that they would start enforcing "Trusted Types" on YouTube starting July 25, 2024.

Meaning, the change wasn't done on Chrome's side (in fact, "Trusted Types" were a thing in Chrome since 2020-05-19), but on YouTube's.

I haven't figured out the way to bypass this locally, but it's clear that this requires some code changes in the extension.

llamatar commented 1 month ago

As a (potentially unsafe) workaround, you can override the Content Security Policy on YouTube.

The following rule in the Content Security Policy Override extension removes the requirement for Trusted Types:

[
    ["https://www\\.youtube\\.com", [
        ["require-trusted-types-for 'script'", ""]
    ]]
]

magiruuvelvet commented 3 weeks ago

I'm attempting to solve this issue in PR #448 directly in BlockTube without having to install additional extensions. I would be glad to get some feedback on this.