Skip to content

Resources Library

gwarser edited this page Feb 14, 2022 · 146 revisions
Clone this wiki locally

General purpose scriptlets

  • Most scriptlet relies on Object properties (methods), altering them may not be the best idea (you should know what you are doing).
  • Some properties related more to browser APIs rather than JS language builtins can behave in unexpected way. For example browser can override them without scriptlet noticing this. Keep this in mind when using them in scriptlet injection filers.
  • "Optional" for "string/regular expression" parameter defaults to "catch all" (/.?/) if not specified.
  • "String" parameter means plain character(s)/word(s), quotes will be taken literally, commas must be escaped in regex literals: /foo\x2cbar\u002cbaz/, after 1.22.0 commas can be escaped by backslash character (foo\,bar).
  • "Regular expression" parameter means JavaScript regular expression literal.
  • Mime type is application/javascript if not present.
  • You can use the short alias form when available for scriptlet name.
  • You should omit the .js from the scriptlet name in scriptlet injection filters (eventually in some future this will be the official way to do this).
    • Do not skip .js when the scriptlet is used with redirect=, only when used in +js(...).
  • Crossed out resources are deprecated/removed.

acs.js /

abort-current-script.js /

acis.js /

abort-current-inline-script.js

Aborts execution of inline script (throws ReferenceError) when attempts to access specified property when text content or src attribute value (new in 1.37.0) of <script> element matches specified text or regular expression.

Note that acis.js and abort-current-inline-script.js aliases are deprecated and can be removed in the future.

Parameters:

  • required, property (chain of properties joined by .) attached to window object accessed inside <script> tag we want to break
  • optional, string/regular expression matching in <script> element content
  • optional, new in 1.37.0, string/regular expression matching in the decoded value of the src attribute of the <script> tag, when the attribute content is not a remote network address, but the actual inline script URL-encoded or base64-endcoded as a data: URI

Examples:

  • weristdeinfreund.de##+js(acis, Number.isNaN)
  • tichyseinblick.de##+js(acis, Math, /\}\s*\(.*?\b(self|this|window)\b.*?\)/)

aopr.js /

abort-on-property-read.js

Aborts execution of script (throws ReferenceError) when attempts to read specified property. Writes are ignored.

Parameters:

  • required, property (chain of properties joined by .) attached to window object

Examples:

  • tagesspiegel.de##+js(aopr, Notification)

aopw.js /

abort-on-property-write.js

Aborts execution of script (throws ReferenceError) when attempts to write specified property.

Parameters:

  • required, property (chain of properties joined by .) attached to window object that will be overwritten

Examples:

  • yggtorrent.*##+js(aopw, Fingerprint2)

aost.js /

abort-on-stack-trace.js

New in 1.29.3rc9

Experimental, under development

Aborts execution of script (throws ReferenceError) when attempts to access specified property when stack trace matches specified text or regular expression. Internal discussion

Parameters:

  • required, property (chain of properties joined by .) to trap in order to launch the stack trace matching code, ex. Math.random.
  • optional, string/regular expression, the needle to match against the stack trace. If the empty string, always match.
  • optional, whether to log, and if so how:
    • Empty string: do not log
    • 1: log stack trace for all access to trapped property
    • 2: log stack trace for defused access to trapped property
    • 3: log stack trace for non-defused access to trapped property

Stack trace is normalized, but there still can be differences (Chromium vs Firefox) because of different format of stack trace.

There is a special string which can be used to match inline script context - inlineScript.

Though the stack trace is rendered in the console using new line to separate the stack trace lines, internally \t is used. The reason is to be more easily be able to create regex-based needle when using regex . character class.

The stack trace is prepended with stackDepth:... in order to allow to filter on stack depth, however higher depth values can likely differ between Chromium and Firefox.

Firefox often reports injectedScript, attempt has been made to convert entries in Chromium which seems to correspond to this, so that both browser families will report injectedScript.

The column value is normalized to 1, however there is too much discrepancy between browser families for that value to be of any use.

Filtering according to reported line numbers (...:1234:1), will not be reliable for inline scripts, since the line at which those inline scripts are located will vary from one page to another. It should be reliable for when the stack trace entry is for code in a JS file.


aeld.js /

addEventListener-defuser.js

Prevents attaching event listeners.

Parameters:

  • optional, string/regular expression, name of the event listener to defuse
  • optional, string/regular expression matching in stringified handler function, narrows down defusing to specific handler

Examples:

  • vev.io##+js(aeld, adb.updated)
  • newser.com##+js(aeld, load, Object)
  • vivo.sx##+js(aeld, , preventDefault)
  • vidto.me##+js(aeld, /^(?:click|mousedown|mousemove|touchstart|touchend|touchmove)$/, system.popunder)

aell.js /

addEventListener-logger.js

Logs to the console event listeners created on page.


cookie-remover.js

Removes current page cookies specified by name. For current domain, wildcard (dot) subdomain(s), after 1.28.0 also for domain one level above www, current and / path, script accessible (HttpOnly=false), on load and before unload.

Caveats: cookies set for higher level domain will not be removed. For example, if current page domain is page.example.com, cookies set for example.com will not be removed. One exception is www subdomain, which will work after 1.28.0.

Parameters:

  • optional, string/regular expression, matching in the name of the cookie

Examples:

  • subdivx.com##+js(cookie-remover, ref_cookie)

csp.js

Removed. Deprecated by $csp network filter option.
Applies content security policy by inserting <meta http-equiv=Content-Security-Policy content="*directive*"> tag to html <head> element. Read more at https://www.w3.org/TR/CSP2/#delivery-html-meta-element
Content Security Policy Quick Reference Guide

Parameters:

  • required, valid Content Security Policy directive

disable-newtab-links.js

Prevents creating new tabs/windows by deactivating links with target attribute.

Parameters:

  • none

Examples:

  • there.to##+js(disable-newtab-links.js)

json-prune.js

New in 1.23.0

Intercepts calls to JSON.parse() and Response.json()New in 1.31.0. If the result of the parsing is an Object, remove specified properties from the result before returning to the caller.

Parameters:

  • optional, string, a list of space-separated properties to remove
  • optional,
    • string, a list of space-separated properties which must be all present for the pruning to occur; OR
    • string/regular expression, for logging purposes, matching in stringified JSON payloads (new in 1.27.0)

A property in a list of properties can be a chain of properties, example: adpath.url.first.

After 1.28.0, two special "wildcard tokens" have been added:

  • [] - will iterate in all elements in an array. To deal with cases where the property to remove is an element in an array. To remove adserver object properties from array in following JSON payload:

      {"playlist": [{"adserver": "first"},{"adserver": "second"}]}
    

    Use:

      +js(json-prune, playlist.[].adserver)
    
  • * - will iterate through all own properties of an object. For example, to deal with hard to predict random-named properties. To remove adserver object properties from inside randomly named objects in following JSON payload:

      {"playlist": {"random1": {"adserver": "first"}, "randomB": {"adserver": "second"}}}
    

    Use:

     +js(json-prune, playlist.*.adserver)
    

When used without parameters, will log current hostname + json payload to the console.
New in 1.27.0 - second parameter can be used to limit logging to JSON payloads which stringified content match specified string or regular expression.

Examples:

  • youthhealthmag.com##+js(json-prune, unit_list)
  • winfuture.de##+js(json-prune, adtagparameter, enabled)
  • imgsen.com##+js(json-prune, *, showTrkURL) - will remove everything when needle matches, new in 1.35

noeval.js

Prevent web pages from using eval(), and report attempts to console. This should not be used as a generic filter due to the fact that it breaks many websites, including those using Cloudflare's DDoS protection.

Examples:

  • solowarez.org##+js(noeval)

noeval-silent.js /

silent-noeval.js

Prevent web pages from using eval().


noeval-if.js

Prevent web pages from using eval() on specific matching payloads.

Parameters:

  • optional, string/regular expression, matching in payload string.

Examples:

  • orgyxxxhub.com##+js(noeval-if, replace)

no-floc.js

New in 1.35.0.

Defuses Google FLoC ("Federated Learning of Cohorts") tracking. Read more on https://amifloced.org/

uBlock Origin (uBO) ensures FLoC is opt-in. The generic filter *##+js(no-floc) in "uBlock filters -- Privacy" ensures the feature is disabled when using default settings/lists.

Users can opt-in to FLoC by adding a generic exception filter to their custom filters, #@#+js(no-floc); or they can opt-in only for a specific set of websites through a more specific exception filter:

example.com,shopping.example#@#+js(no-floc)

Solves #1553.


no-fetch-if.js

New in 1.31.3b9.

Defuses calls to fetch() by returning a promise which always resolve to an empty response.

Parameters:

  • optional, space-separated list of conditions which must be ALL fulfilled in order for the defusing to take place:
    • string/regular expression matching in URL passed to fetch() call
    • colon-separated name:value pairs of init option name and string/regular expression matching in value of that option passed to fetch() call.

When used without parameters, the parameters passed to no-fetch-if will be logged to the console, as uBO: fetch([...list of arguments...]).

Examples:

  • example.com##+js(no-fetch-if, method:HEAD)
  • example.com##+js(no-fetch-if, adsbygoogle.js)
  • example.com##+js(no-fetch-if, adsbygoogle.js method:HEAD)
  • example.com##+js(no-fetch-if, /adsbygoogle.js$/ method:/HEAD|POST/)

norafif.js /

no-requestAnimationFrame-if.js

New in 1.27.0.

Defuses calls to requestAnimationFrame() function when parameter:

  • is not prefixed with ! and matches the stringified callback argument to requestAnimationFrame(); OR
  • is prefixed with ! and does not match the stringified callback argument to requestAnimationFrame().

Parameters:

  • optional, string/regular expression, matching in the stringified callback argument passed to requestAnimationFrame.

Use with /^/ parameter to defuse all calls unconditionally.

When used without parameters, will log calls to requestAnimationFrame() to the console.

Examples:

  • bloomberg.com##+js(norafif, paywall-inline-tout)

nosiif.js /

no-setInterval-if.js

New in 1.23.0

Defuses calls to setInterval() function when parameters:

  • are not prefixed with ! and match the setInterval() argument; OR
  • are prefixed with ! and do not match the setInterval() argument.

Parameters:

  • optional, string/regular expression, matching in stringified callback function
  • optional, decimal integer or literal NaN ("not a number", new in 1.28.2), matching interval

Use with /^/ parameter to defuse all calls unconditionally.

When used without parameters, will log calls to setInterval() to the console.

Examples:

  • jpidols.tv##+js(nosiif)
  • finanzen.*##+js(nosiif, nrWrapper)
  • yachtrevue.at##+js(nosiif, text/css, 10)

nostif.js /

no-setTimeout-if.js

New in 1.23.0

Defuses calls to setTimeout() function when parameters:

  • are not prefixed with ! and match the setTimeout() argument; OR
  • are prefixed with ! and do not match the setTimeout() argument.

Parameters:

  • optional, string/regular expression, matching in stringified callback function
  • optional, decimal integer or literal NaN ("not a number", new in 1.28.2), matching delay

Use with /^/ parameter to defuse all calls unconditionally.

When used without parameters, will log calls to setTimeout() to the console.

Test page: https://gorhill.github.io/uBlock/tests/scriptlet-injection-filters-1.html

Examples:

  • computerbild.de##+js(nostif, ())return)
  • lablue.*##+js(nostif, push, 500)

In 1.31.3b11 aliased as setTimeout-defuser.js for backward compatibility.


nowebrtc.js

Disables WebRTC by preventing web pages from using RTCPeerConnection(). Report attempts in console.

Examples:

  • x1337x.*##+js(nowebrtc)

no-xhr-if.js

New in 1.38.0.

Defuses XMLHttpRequest network requests by returning empty response. Based on no-fetch-if.js.

Parameters:

  • optional, space-separated list of conditions which must be ALL fulfilled in order for the defusing to take place:
    • string/regular expression matching in URL passed to XMLHttpRequest open() call
    • colon-separated name:value pairs of XMLHttpRequest method open() parameter names (only method and url currently supported) and string/regular expression matching in value of passed argument.

When used without parameters, the parameters passed to no-xhr-if will be logged to the console, as uBO: xhr.open(...list of arguments...).

Examples:

  • example.com##+js(no-xhr-if, method:HEAD)
  • example.com##+js(no-xhr-if, adsbygoogle.js)
  • example.com##+js(no-xhr-if, adsbygoogle.js method:HEAD)
  • example.com##+js(no-xhr-if, /adsbygoogle.js$/ method:/HEAD|POST/)

ra.js /

remove-attr.js

Removes attribute(s) from DOM tree node(s). By default will run only once when the initial HTML document has been completely loaded and parsed but sub-resources such as scripts, images, stylesheets and frames are still loading.

Parameters:

  • required, attribute or list of attributes joined by |
  • optional, CSS selector, specifies nodes from which attributes will be removed
  • optional, new in 1.33, one or more space-separated tokens dictating the behavior of the scriptlet
    • asap: added in 1.36.1b2, execute as soon as possible, do not wait for DOM to become available.
    • stay: This tells the scriplet to stay active and act on document changes.
    • complete: This tells the scriplet to start acting only when the document is complete, i.e. once all secondary resources have been loaded.

Examples:

  • userscloud.com##+js(ra, onclick, .btn-icon-stacked)
  • magesy.*,majesy.*##+js(ra, oncontextmenu)
  • zerodot1.gitlab.io##+js(ra, oncontextmenu|onselectstart|ondragstart)
  • example.com##+js(remove-attr, class, .j-mini-player, stay)

rc.js /

remove-class.js

New in 1.26.0.

Removes classes from DOM tree node(s). By default will run only once after page load. Syntax based on remove-attr.js

Parameters:

  • required, class name or list of class names joined by |
  • optional, CSS selector, specifies nodes from which classes should be removed
  • optional, new in 1.36, one or more space-separated tokens dictating the behavior of the scriptlet
    • stay: This tells the scriplet to stay and act on DOM changes, while the default behavior is to act only once when the document becomes interactive.
    • complete: This tells the scriplet to start acting only when the document is complete, i.e. once all secondary resources have been loaded, while the default is to start acting when the document is interactive - which is earlier than when the document is complete.

Example:


refresh-defuser.js

New in 1.38.7b3

Attempts to defuse reloading of a document through a meta "refresh" tag. Will stop navigation (call window.stop()) at specified delay.

Parameters:

  • optional, number (float), number of seconds until the page will be reloaded / when defuser should run. Will be derived from source tag when not specified.

set.js /

set-constant.js

Creates property and initializes it with a value from a predefined set.

Scriptlet will succeed only when:

  • original property is undefined (scriptlet is called early enough) or null1.25.0 OR
  • new property written by set.js is undefined or null1.25.0 OR
  • type of original property is equal to type of new property

Value set by scriptlet can be overwritten by page script when:

  • current property was not set to undefined or null1.25.0 AND
  • new property is not undefined or null1.25.0 AND
  • type of original property is different than type of new property

Parameters:

  • required, property (chain of properties joined by .) attached to window object
  • required, possible values:
    • positive decimal integer, no sign, with maximum value of 0x7FFF (32767)
    • one value from set of predefined constants:
      • undefined
      • false
      • true
      • null2018-11-24
      • noopFunc - function with empty body
      • trueFunc - function returning true
      • falseFunc - function returning false
      • '' - empty string2019-01-06
      • [] - empty array1.36
      • {} - empty object1.36

Examples:

  • kompetent.de##+js(set, Object.keys, trueFunc)
  • t-online.de##+js(set, abp, false)
  • identi.li##+js(set, t_spoiler, 0)

sil.js /

setInterval-logger.js

Deprecated by no-setInterval-if.js

Removed in 1.22.0.

Logs to the console calls to setInterval() function.


std.js /

setTimeout-defuser.js

Deprecated by no-setTimeout-if.js

Defuses calls to setTimeout() function for specified matching callbacks and delays by setting callback function to noop.

Parameters:

  • optional, string/regular expression, matching in stringified callback function
  • optional, decimal integer, matching delay

nano-sib.js /

nano-setInterval-booster.js

Adjusts interval for specified setInterval() callbacks.

Parameters:

  • optional, string/regular expression, matching in stringified callback function
  • optional - defaults to 1000, decimal integer, matching interval. New in 1.33.0: * will match any interval.
  • optional - default to 0.05 (20x faster), float, capped at 50 times for up and down, interval multiplier

Examples:

  • identi.li##+js(nano-sib, , ,0.02)
  • platinmods.*##+js(nano-sib)
  • 1ink.cc##+js(nano-sib, mSec, 1050)

nano-stb.js /

nano-setTimeout-booster.js

Adjusts delay for specified setTimeout() callbacks.

Parameters:

  • optional, string/regular expression, matching in stringified callback function
  • optional - defaults to 1000, decimal integer, matching delay. New in 1.33.0: * will match any delay.
  • optional - default to 0.05 (20x faster), float, capped at 50 times for up and down, delay multiplier

Examples:

  • bdupload.*##+js(nano-stb)
  • imgrock.*##+js(nano-stb, /.?/, 4000)

sharedWorker-defuser.js

Removed. Deprecated by $csp filter option.
Defuses sharedWorker by passing empty worker file (Blob URL) for specified worker URLs

Parameters:

  • optional, string/regular expression, matching in worker URL

webrtc-if.js

Allows opening RTC connections to matching RTCIceServer only.

Parameters:

  • required, string/regular expression, matching in RTCIceServer urls, username or credential.

window-close-if.js

New in 1.39.3b10.

Closes fresh browser tabs of the specified page. Can be used to close tabs which have been opened from other applications. Can be narrowed down to specific path by parameter. Whole browser window will be closed if it's the last/only tab (depends on browser configuration).

Parameters:

  • optional, string/regular expression, matching in the path and query part of the web page address.

Example:

  • acestream.com##+js(window-close-if, /plan/select?popup=noads)

nowoif.js /

window.open-defuser.js

Prevent opening new windows by window.open() when URL positively or negatively matches to specific string.

Improvements:

  • 1.29.2, third parameter can now configure behavior of the scriptlet.
  • 1.27.0, nowoif.js alias is now available.
  • 1.26.0 (one, two),
    if second argument is present and a valid integer value, the defuser will return a valid window object even though no popup window is opened. The returned window object will cease to be valid after the specified number of seconds. If not present, no window will be opened and the scriptlet will return null.

Use third parameter (set it to log) to log window.open() parameters, and log access to attributes of returned window object.

Parameters:

  • optional, string/regular expression, prefixed by ! for negation, matching in URL parameter passed to window.open(),
  • optional, positive decimal integer, number of seconds after returned window object will be invalidated.
  • optional, space-separated tokens,
    • log:
      Cause the scriptlet to log information regarding how window.open() is used by the page on which the scriptlet is used. Useful only to filter creators.
    • obj:
      Use an object element instead of iframe element (default) as a decoy to be used in place of a popup window, when the page requires a valid window instance to be returned.
    • before 1.29.2 any value (for example -) was turning on logging.

Parameters syntax deprecated after 1.26.0:

  • optional - defaults to "matching", nothing or 1 for "matching", 0 for "not matching",
  • optional, string/regular expression, matching/not matching in URL parameter passed to window.open()

Examples:

  • file-up.org##+js(window.open-defuser)

window.name-defuser

Clears window.name property which can be misused for tracking purposes.

Parameters:

  • none

overlay-buster.js

Experimental, gets rid of overlay dialogs, works for ~30s after page load. Preferred way to handle overlays is to use standard cosmetic filters and optionally style injection.


alert-buster.js

Disables alert() dialog boxes by redirecting messages to console.


Defuser scriptlets

ampproject_v0.js /

ampproject.org/v0.js

Removes animation (artificial 8s delay) added to desktop pages supporting AMP, when ampproject.org scripts are blocked.

fingerprint2.js

Fingerprintjs2 shim.

fingerprint3.js

FingerprintJS v3 shim.

nobab.js /

bab-defuser.js

Defuses BlockAdblock. Prevents executing of eval() on sets of predefined payloads.

nobab2.js

Redirect resource. Defuses BAB 4.2b.

nofab.js /

fuckadblock.js-3.2.0

Convenience, Sanitize FuckAdBlock, BlockAdBlock, SniffAdBlock, fuckAdBlock, blockAdBlock, sniffAdBlock properties. Often used as redirect in network filters. TODO: copy to redirect?

popads-dummy.js

Convenience, sets static properties (PopAds, popns)

popads.js /

popads.net.js

Convenience, abort-on-property-write.js (PopAds, popns), throws "magic"

prebid-ads.js

New in 1.41.0

Prebid-ads shim. canRunAds/isAdBlockActive?

gpt-defuser.js

Deprecated, Convenience, sets static properties (_resetGPT, resetGPT, resetAndLoadGPTRecovery, _resetAndLoadGPTRecovery, setupGPT, setupGPTuo)

adfly-defuser.js

Defuses anti adblock on adfly shortened links.

damoh-defuser.js

Fix for disappearing videos on chip.de


Empty redirect resources

These are smallest/shortest/fastest to execute files. Should be used in network filters as a parameter to $redirect option. They purpose is to mislead page to think that real files have been served.

Available resources

  • Images
  • Source code
  • Media files
    • noop-0.1s.mp3
    • noop-1s.mp4
  • Special purpose
    • none

      reserved token, can be used to disable specific redirect filters. Starting with 1.31.0, classic exception filters and badfilter option can be used.

    • click2load.html

      for embedded <iframe> elements. New in 1.31.0 (also 2e5d32e9, 46d7f8a7). Frames redirected to this resource will not be collapsed, instead, widget with clickable and selectable frame source link will be displayed. Clicking the icon next to source link will open frame content in new tab. Clicking the widget content will unblock and load original frame content.

Example rule:

||ad.server.com/$script,redirect=noop.js,domain=www.google.com


URL-specific sanitized redirect resources (surrogates)

addthis_widget.js /

addthis.com/addthis_widget.js

amazon_ads.js /

amazon-adsystem.com/aax2/amzn_ads.js

amazon_apstag.js

New in 1.27.0.

monkeybroker.js /

d3pkae9owd2lcf.cloudfront.net/mb105.js

doubleclick_instream_ad_status.js /

doubleclick.net/instream/ad_status.js

google-analytics_ga.js /

google-analytics.com/ga.js

google-analytics_analytics.js /

google-analytics.com/analytics.js

google-analytics_inpage_linkid.js /

google-analytics.com/inpage_linkid.js

google-analytics_cx_api.js /

google-analytics.com/cx/api.js

googletagservices_gpt.js /

googletagservices.com/gpt.js

googletagmanager_gtm.js /

googletagmanager.com/gtm.js

googlesyndication_adsbygoogle.js /

googlesyndication.com/adsbygoogle.js

scorecardresearch_beacon.js /

scorecardresearch.com/beacon.js

outbrain-widget.js /

widgets.outbrain.com/outbrain.js

hd-main.js

disqus_forums_embed.js AND disqus_embed.js /

disqus.com/forums/*/embed.js AND disqus.com/embed.js

Removed in 1.29.0.

twitch-videoad.js

Twitch stream embedded ads bypasser


Other

Deprecated by general purpose scriptlets / outdated (please move to proper section if still used).


golem.de.js

Deprecated, addEventListener-defuser


upmanager-defuser.js

Deprecated, sets static properties (upManager)

chartbeat.js /

static.chartbeat.com/chartbeat.js

Deprecated, sets static properties (pSUPERFLY.activity, pSUPERFLY.virtualPage)

ligatus_angular-tag.js /

ligatus.com/*/angular-tag.js

Deprecated, sets static properties (adProtect, uabpdl, uabDetect)


Glossary