
Circumvent TrustedHTML errors #1873

Open
psultan opened this issue Aug 17, 2023 · 5 comments
Comments

@psultan

psultan commented Aug 17, 2023

Sequence of actions:

  1. Install this userscript:

```javascript
// ==UserScript==
// @name        Hello
// @namespace   Violentmonkey Scripts
// @match       https://calendar.google.com/calendar/*
// @require     http://code.jquery.com/jquery-latest.min.js
// @icon        https://www.google.com/s2/favicons?domain=google.com
// @grant       none
// @version     1.0
// ==/UserScript==
(function() {
    'use strict';
    console.log("Hello")
})();
```

  2. Go to https://calendar.google.com/calendar/

Problem:

In Chrome Beta some sites are throwing a 'This document requires 'TrustedHTML' assignment.' error when the script sources a require file. This is only happening in Chrome Beta now, but will likely be an issue in standard Chrome in the future.

This Tampermonkey ticket seems related: Tampermonkey/tampermonkey#1334. Using the linked 'Trusted-Types Helper' with Violentmonkey fixes the issue for top-level matches, but does not fix it for sub-frames (go to Gmail and open the Calendar side panel). If I use the latest Tampermonkey the require works on both top-level and sub-frames (without the helper).

Devtools console contents:

This document requires 'TrustedHTML' assignment.
    (anonymous)	@	Hello.user.js:2
    ib	@	Hello.user.js:2
    fb.setDocument	@	Hello.user.js:2
    (anonymous)	@	Hello.user.js:2
    (anonymous)	@	Hello.user.js:2
    (anonymous)	@	Hello.user.js:2
    (anonymous)	@	Hello.user.js:2
    VMl5m11cb4xv	@	Hello.user.js:20
    Ut	@	injected-web.js:1
    (anonymous)	@	Hello.user.js:1
    Et	@	injected.js:1
    Dt	@	injected.js:1
    await in Dt (async)		
    St	@	injected.js:1
    $t	@	injected.js:1
    await in $t (async)		
    (anonymous)	@	injected.js:1
    await in (anonymous) (async)		
    (anonymous)	@	injected.js:1
    (anonymous)	@	injected.js:1

Environment:

  • OS: Windows
  • Browser: Chrome Version 117.0.5938.11 (Official Build) beta (64-bit)
  • Violentmonkey Version: 2.15.0
psultan added the bug label Aug 17, 2023
@tophf
Member

tophf commented Aug 17, 2023

We don't change CSP of the page currently, but seeing how more and more sites get hostile to userscripts I guess we'll have to do it.

tophf changed the title from "[BUG] Require causes TrustedHTML error" to "Circumvent TrustedHTML errors" Aug 17, 2023
@tophf
Member

tophf commented Aug 17, 2023

Until then the workaround is to reuse the policy of the site: https://github.com/tophf/trust-any-html

@tophf
Member

tophf commented Aug 23, 2023

After thinking this over, we can't remove the CSP of sites by default because it reduces security of sites, so having your script depend on removal of this header is not a good idea. More and more sites will use trustedTypes, so the most universal solution is to reuse the policy of the site without removing it.

@gera2ld, maybe it can be implemented as a separate library similarly to vm-url?

@gera2ld
Member

gera2ld commented Aug 24, 2023

> maybe it can be implemented as a separate library similarly to vm-url?

Sounds like a good idea.

To make it clear, this issue is actually caused by jQuery trying to inject unsafe code, instead of sourcing a @required file. In other words, jQuery won't work even if it is used directly by the page rather than from a userscript.
So it is not something we should fix in the extension.
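An added check, written for this editorial pass and not code from the thread or from Violentmonkey, that turns the two comments above into something a script author can run against a site's Content-Security-Policy header: it parses the `require-trusted-types-for` and `trusted-types` directives and reports whether plain-string innerHTML assignment (what jQuery does as it loads, per the trace above) will be rejected, and whether a userscript may create its own policy or must reuse one the site created. The policy name `userscript-html` and all header strings are constructed assumptions.

```javascript
// Added example, not code from the thread or from Violentmonkey. Given a site's
// Content-Security-Policy header, decide whether a plain-string innerHTML
// assignment will be rejected, and whether a userscript may create its own
// Trusted Types policy or must reuse one the page already created.
// Header strings and policy names used here are constructed samples.

function parseTrustedTypesCSP(header) {
  // policies === null means no `trusted-types` directive: any policy name is allowed.
  const cfg = { enforced: false, policies: null, allowDuplicates: false };
  for (const raw of header.split(';')) {
    const [name, ...values] = raw.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    const directive = name.toLowerCase();
    if (directive === 'require-trusted-types-for') {
      // 'script' is the only sink group; it covers innerHTML, eval, script.src, ...
      cfg.enforced = values.some(v => v.toLowerCase() === "'script'");
    } else if (directive === 'trusted-types') {
      cfg.policies = new Set();
      for (const v of values) {
        const tok = v.toLowerCase();
        if (tok === "'allow-duplicates'") cfg.allowDuplicates = true;
        else if (tok !== "'none'") cfg.policies.add(v); // names and the '*' wildcard
        // 'none' adds no name, so `trusted-types 'none'` leaves an empty allow-list
      }
    }
  }
  return cfg;
}

// Would trustedTypes.createPolicy(name) succeed, given the policy names the
// page has already created (`existing`)?
function canCreatePolicy(cfg, name, existing = []) {
  // The 'default' policy can be created only once, whatever the CSP says.
  if (name === 'default' && existing.includes('default')) return false;
  if (cfg.policies === null) return true; // no directive: any name, duplicates allowed
  if (existing.includes(name) && !cfg.allowDuplicates) return false;
  return cfg.policies.has(name) || cfg.policies.has('*');
}

// What a userscript can do about HTML sinks under this CSP.
function userscriptHtmlStrategy(cfg, name, sitePolicies = []) {
  if (!cfg.enforced) return 'plain strings accepted';
  if (canCreatePolicy(cfg, name, sitePolicies)) return `create policy "${name}"`;
  if (sitePolicies.length > 0) return 'reuse a site policy'; // tophf's workaround
  return 'no TrustedHTML source available';
}

// Constructed sample: site enforces Trusted Types and allows only its own policy name.
const sample = parseTrustedTypesCSP("require-trusted-types-for 'script'; trusted-types app-html");
console.log(userscriptHtmlStrategy(sample, 'userscript-html', ['app-html'])); // reuse a site policy
```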

@cyfung1031
Contributor

cyfung1031 commented Sep 19, 2023

Just don't use jQuery.
Here is an excellent alternative https://github.com/fabiospampinato/cash

```javascript
// ==UserScript==
// @name        Hello
// @namespace   Violentmonkey Scripts
// @match       https://calendar.google.com/calendar/*
// @require     https://cdn.jsdelivr.net/npm/cash-dom/dist/cash.min.js
// @icon        https://www.google.com/s2/favicons?domain=google.com
// @grant       none
// @version     1.0
// ==/UserScript==
(function() {
    'use strict';
    console.log("Hello")
})();
```

jQuery is already a thing of the past. It just wastes your PC's power doing the compatibility checks.

caeldom added a commit to caeldom/userscripts that referenced this issue Apr 4, 2024:

> jQuery was failing and causing CSP error "This document requires 'TrustedHTML' assignment." due to using innerHTML which is not allowed under updated strict CSP
> See violentmonkey/violentmonkey#1873
> Replace jquery require with cash
> Replace jquery initialize with mutation observer