Circumvent TrustedHTML errors #1873
Comments
We don't change CSP of the page currently, but seeing how more and more sites get hostile to userscripts I guess we'll have to do it.
Until then the workaround is to reuse the policy of the site: https://github.com/tophf/trust-any-html
After thinking this over, we can't remove the CSP of sites by default because it reduces security of sites, so having your script depend on removal of this header is not a good idea. More and more sites will use trustedTypes, so the most universal solution is to reuse the policy of the site without removing it. @gera2ld, maybe it can be implemented as a separate library similarly to vm-url?
Sounds like a good idea. To make it clear, this issue is actually caused by
Just don't use jQuery.

```js
// ==UserScript==
// @name        Hello
// @namespace   Violentmonkey Scripts
// @match       https://calendar.google.com/calendar/*
// @require     https://cdn.jsdelivr.net/npm/cash-dom/dist/cash.min.js
// @icon        https://www.google.com/s2/favicons?domain=google.com
// @grant       none
// @version     1.0
// ==/UserScript==
(function() {
  'use strict';
  console.log("Hello");
})();
```

jQuery is already a thing of the past. It just wastes your PC power to do the compatibility checks.
Jquery was failing and causing CSP error "This document requires 'TrustedHTML' assignment." due to using innerHTML which is not allowed under updated strict CSP
See violentmonkey/violentmonkey#1873
Replace jquery require with cash
Replace jquery initialize with mutation observer
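
The commit message above attributes the error to `innerHTML` assignments, which a page enforcing Trusted Types rejects for plain strings. As an added example (not code from this thread or from Violentmonkey), a userscript can build its own nodes with DOM calls that take no HTML string; `makeBuilder`, `h` and `demo` are hypothetical names, and the event title is constructed sample input.

```javascript
// Added example, not code from the thread. Builds DOM nodes without passing
// HTML strings to sinks that Trusted Types gates (innerHTML, outerHTML,
// insertAdjacentHTML, document.write, iframe srcdoc).

// Inline event handlers and srcdoc are injection sinks themselves; refuse
// them. The `on` prefix match is deliberately conservative.
const BLOCKED_ATTR = /^(on.*|srcdoc)$/i;
// Elements whose content or source is executed or parsed as a document.
const BLOCKED_TAG = /^(script|iframe|object|embed)$/i;

// `doc` is a parameter so the same builder works on a sub-frame's document.
function makeBuilder(doc = globalThis.document) {
  return function h(tag, attrs = {}, ...children) {
    if (BLOCKED_TAG.test(tag)) throw new TypeError(`blocked element: ${tag}`);
    const el = doc.createElement(tag);
    for (const [name, value] of Object.entries(attrs)) {
      if (BLOCKED_ATTR.test(name)) throw new TypeError(`blocked attribute: ${name}`);
      el.setAttribute(name, String(value));
    }
    for (const child of children.flat()) {
      if (child == null || child === false) continue;
      // Strings become text nodes, so markup inside them is never parsed.
      el.append(typeof child === 'object' ? child : doc.createTextNode(String(child)));
    }
    return el;
  };
}

// Usage: a small panel that shows a page-supplied string as inert text.
function demo(doc = globalThis.document) {
  const h = makeBuilder(doc);
  const eventTitle = 'Lunch <img src=x>'; // constructed sample input
  return h('div', { class: 'vm-hello' },
    h('strong', {}, 'Hello'), ' ', eventTitle);
}
```

This covers only nodes the script creates itself; a `@require`d library that assigns `innerHTML` internally still needs one of the approaches discussed in the comments.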
Sequence of actions:
Problem:
In Chrome Beta some sites are throwing a 'This document requires 'TrustedHTML' assignment.' error when the script sources a require file. This is only happening in Chrome Beta now, but will likely be an issue in standard Chrome in the future.
This Tampermonkey ticket seems related: Tampermonkey/tampermonkey#1334. Using the linked 'Trusted-Types Helper' with Violentmonkey fixes the issue for top-level matches, but does not fix it for sub-frames (go to Gmail and open the calendar side panel). If I use the latest Tampermonkey the require works on both top-level and sub-frames (without the helper).
Devtools console contents:
Environment: