Content script is not injected into elements loaded in <object> tag

[AdamWr]

Steps to reproduce:

1. Add these rules:

youtube.com##body
youtube.com#%#alert(1);

2. Navigate to - https://example.org/
3. In browser console run:

(() => {
  const video = '<object data="https://www.youtube.com/embed/YW9Ojcm1Gkg" style="height: 300px; width: 600px;"></object>';
  const createDiv = document.createElement("div");
  document.body.appendChild(createDiv);
  createDiv.innerHTML = video;
})();

Actual behavior

It looks like that request is detected as a media type (though I'm not sure if it's the reason of not applying rules) and rules are not applied.

Screenshots

Expected behavior

Rules should be applied - website in the object tag should be blank and there should be message 1.

AdGuard for Windows 7.13 nightly 16 (build 4279, CL 1.11.111)

[ameshkov]

Hmm, interesting, I didn't know object could be used as an iframe.

@sfionov sounds like a legit bug to me, but should be handled carefully.

[sfionov]

Yeah, and browser sends Sec-Fetch-Dest: object in this case, but it sends it also when object is not iframe-like.

[ameshkov]

We could check the content-type header additionally in the case of sec-fetch-dest: object. Looks a bit clunky but what else we can do.

@AdamWr are there many examples where this kind of objects are actually used?

[AdamWr]

I'm not aware of any reports (reported by users) with mentioned issue, but I noticed this problem in this case - AdguardTeam/AdguardFilters#152618

There is a video player in some offers, for example here - https://www.evium.de/carmarket/details/4fbb8fe5-e1e4-4c14-8b1c-ae4386058a2c and ad markers are not hidden in the youtube video player, because cosmetic rules are not applied.

Screenshot