As suggested by https://github.com/distinctmondaylilac in internal
email to ubo-security:
> As a sidenote, it may be worth considering if `set-attr` should
> be able to set event handler attributes. It could potentially
> be used to copy the contents of e.g. onclick to other event handlers,
> resulting in self-clicking buttons.
Usage:
...##+js(remove-cache-storage-item, cacheNamePattern[, urlPattern])
`cacheNamePattern`: the name of the cache to target. Plain string
or regex.
`urlPattern`: the URL of the resource to remove. Plain string
or regex. If no pattern is provided, the whole cache is removed.
Reference:
https://developer.mozilla.org/en-US/docs/Web/API/CacheStorage
Avoid race conditions between isolated world-side broadcast channel
and main-side broadcast channel, so as to not lose logging
information if the isolated world-side is not yet ready to
receive through its broadcast channel.
Additionally, added new scriptlet: `trusted-replace-argument`.
[...]##+js(trusted-replace-argument, fn, argpos, argval [,condition, pattern])
Where:
- `fn` is the function we want to proxy through an `apply` handler.
This can also be a class, in which case the scriptlet will proxy
through `construct` handler. At the moment, `fn` must exist at the
time the scriptlet executes.
- `argpos` is the 0-based position of the argument we want to change
- `argval` is the value we want to have for the argument -- the value
is interpreted the same way the value for `set-constant` is
interpreted.
- `condition, pattern` is a vararg which tells the scriptlet to act
only if `pattern` is found in the argument to overwrite.
Example of usage:
alliptvlinks.com##+js(trusted-replace-argument, MutationObserver, 0, noopFunc)
This commit brings the following changes to the logger:
All logging output generated by injected scriptlets are now sent to
the logger, the developer console will no longer be used to log
scriptlet logging information.
When the logger is not opened, the scriplets will not output any
logging information.
The goal with this new approach is to allow filter authors to
more easily assess the working of scriptlets without having to
go through scriptlet parameters to enable logging.
Consequently all the previous ways to tell scriptlets to log
information are now obsolete: if the logger is opened, the
scriptlets will log information to the logger.
Another benefit of this approach is that the dev tools do not
need to be open to obtain scriptlets logging information.
Accordingly, new filter expressions have been added to the logger:
"info" and "error". Selecting the "scriptlet" expression will also
keep the logging information from scriptlets.
A new button has been added to the logger (not yet i18n-ed): a
"volume" icon, which allows to enable verbose mode. When verbose
mode is enabled, the scriptlets may choose to output more
information regarding their inner working.
The entries in the logger will automatically expand on mouse hover.
This allows to scroll through entries which text does not fit into
a single row.
Clicking anywhere on an entry in the logger will open the detailed
view when applicable.
Generic information/errors will now be rendered regardless of which
tab is currently selected in the logger (similar to how tabless
entries are already being rendered).
If present, `elements` vararg must be a valid CSS selector, which will
be used to apply the scriptlet to only elements matching the
selector.
Related issue:
https://github.com/uBlockOrigin/uBlock-issues/issues/3061
Example of usage:
[...]##+js(aeld, click, return"undefined", elements, a.indirect)
Related issue:
https://github.com/uBlockOrigin/uBlock-issues/issues/2971
Example usage:
...##+js(trusted-trusted-click-element, #cmpwrapper >>> .cmpboxbtnyes)
The substring before ` >>> ` must select an element with a non-null
shadow root, in which case the substring after ` >>> ` will be used
to find the element in the targeted shadow root. ` >>> ` can be used
recursively when multiple shadow root must be pierced.
Related issue:
https://github.com/uBlockOrigin/uBlock-issues/issues/2526
Improvements:
Support fulfilling the response with the content of a
`web_accessible_resources` resource, using the syntax already
supported by `prevent-xhr`: `war:[name of resource]`
Support fulfilling the response with randomized text with length
specified using `length:min[-max]` directive.
Related discussion:
https://github.com/ameshkov/diffupdates
The benefits of diff-patching filter lists is much shorter update
schedule and significantly less bandwidth consumed.
At the moment, only default filter lists are subject to be
diff-patched.
External filter lists can make their lists diff-patchable by
following the specification link above.
Only filter lists fetched by the auto-updater are candidate for
diff-patching.
Forcing a manual update of the filter lists will prevent the
diff-patcher from kicking in until one or more lists are
auto-updated.
Some back-of-the-envelop calculations regarding the load on free
CDN solutions used by uBO to distribute its own filter lists:
Currently, for each CDN (with lists updating after days):
~560 M req/month, ~78 TB/month
With diff-patching lists on a 6-hour schedule:
~390 M req/month, 1 TB/month
Those estimates were done according to statistics shown by
jsDelivr, which is one of 4 CDNs picked randomly when a list
updates:
https://www.jsdelivr.com/package/gh/uBlockOrigin/uAssetsCDN?tab=stats
Essentially a complement of `trusted-prune-inbound-object.js` added in
1c9da227d7
To perform object pruning on any object returned synchronously by
any given call.
The arguments for `trusted-prune-outbound-object` in order are:
- The name of the property to trap. Must be a function, and must
exist when the scriptlet tries to install the trap.
- The properties to prune (as with `json-prune`)
- The properties which must all be present for pruning to occur
(as with `json-prune`)
The scriptlets `json-prune.js` and `evaldata-prune.js` essentially
perform the same function, and will eventually be rewritten to
internally delegate to generic `trusted-prune-outbound-object.js`.
As per discussion with filter list maintainers.
To perform object pruning for any given call which has an object
as argument (hence "inbound").
Since `json-prune-stringify` scriptlet is a specific form of
pruning inbound objects, it has been removed.
The arguments for `trusted-prune-inbound-object` in order are:
- The name of the property to trap. Must be a function, and must
exist when the scriptlet tries to install the trap.
- The position of the object to prune in the argument list when
the trapped function is called. The position is 1-based and
must be an integer greater than 0.
- The properties to prune (as with `json-prune`)
- The properties which must all be present for pruning to occur
(as with `json-prune`)
- Varargs:
- `, dontOverwrite, 1`: do not modify the target inbound object
Examples:
Remove `title` and `name` properties before passing the object to
`JSON.stringify` call:
example.org##+js(trusted-prune-inbound-object, JSON.stringify, 1, title name)
Remove `status` property before passing the object to `Object.keys`
call but do not modify caller's instance of the object:
example.org##+js(trusted-prune-inbound-object, Object.keys, 1, status, , dontOverwrite, 1)
If the `version` vararg is present and set to `2`, and if a
fetch Request argument is present, it will be cloned before
being matched to `propsToMatch` properties.
Additionally, created a `.fn` version of `[...]-fetch-response`
scriptlets to avoid redundant code in final injected scriptlets.
Prevent usage of specific or all (default) canvas APIs.
Syntax
```text
example.com##+js(prevent-canvas [, contextType])
```
- `contextType`: A specific type of canvas API to prevent (default to all
APIs). Can be a string or regex which will be matched against the type
used in getContext() call. Prepend with `!` to test for no-match.
Examples
1. Prevent `example.com` from accessing all canvas APIs
```adblock
example.com##+js(prevent-canvas)
```
2. Prevent access to any flavor of WebGL API, everywhere
```adblock
*##+js(prevent-canvas, /webgl/)
```
3. Prevent `example.com` from accessing any flavor of canvas API except `2d`
```adblock
example.com##+js(prevent-canvas, !2d)
```
References
https://developer.mozilla.org/en-US/docs/Web/API/HTMLCanvasElement/getContext
To prepare for better compatibility with AdGuard's own `set-constant`
scriptlet.
The 3rd position parameter which dictates how to set the value has
been converted into a vararg paramater, as follow:
..., as, function
..., as, callback
..., as, resolved
..., as, rejected
Similarly, the parameter used to dictate when the scriptlet
should become effective is now to be used as a vararg:
..., runAt, load
Related issue:
https://github.com/uBlockOrigin/uBlock-issues/issues/2783
Ideally, AdGuard would support its `stack` parameter as a
vararg, to be discussed.
Related issue:
https://github.com/uBlockOrigin/uBlock-issues/issues/2773
The `randomize` paramater introduced in https://github.com/gorhill/uBlock/commit/418087de9c
is now named `directive`, and beside the `true` value which is meant
to respond with a random 10-character string, it can now take the
following value:
war:[web_accessible_resource name]
In order to mock the XHR response with a web accessible resource. For
example:
piquark6046.github.io##+js(no-xhr-if, adsbygoogle.js, war:googlesyndication_adsbygoogle.js)
Will cause the XHR performed by the webpage to resolve to the content
of `/web_accessible_resources/googlesyndication_adsbygoogle.js`.
Should the resource not exist, the empty string will be returned.
Now support AdGuard's `randomize` parameter. If `true`,
the scriplet will generate a random 10-character string
to be returned as the response.
Reference:
https://github.com/AdguardTeam/Scriptlets/blob/master/wiki/about-scriptlets.md#prevent-xhr
AdGuard's `prevent-xhr` also support `length:n-m` form,
but since I do not see it being used, for now it's not
supported in uBO's `no-xhr-if`.
Additionally, the scriptlet will now honor `responseType` and
return the proper response type accordingly.
`fetchPropsToMatch` is an optional variable argument. If provided,
the scriplet will take effect only when the JSON data is obtained
through `Response.json()` and if there is a match with the value of
`fetchPropsToMatch` and the properties of the `Response` instance.
Examples of usage:
...##+js(json-prune, ads, , , fetchPropsToMatch, ?param=)
...##+js(json-prune, ads, , , fetchPropsToMatch, url:?param= method:get)
The optional variable argument `fetchPropsToMatch` acts as an additional
narrowing condition to fulfill before the JSON data is pruned.
Specifically, the variable argument `log` can take one of three
values to enable logging mechanism:
..., log, match => log only when there is a match
..., log, nomatch => log only when there is no match
..., log, all => log unconditionally
Prepend pattern with `!` to test for unmatched patterns in
stack trace. This applies to sctiplet parameters which purpose
is to test against the stack, i.e. `aost` and `json-prune`.
Additionally, dropped support for JSON notation in favor of
optional variable arguments notation.
Related discussion:
- https://github.com/uBlockOrigin/uBlock-discussions/discussions/789#discussioncomment-6520330
This extends logging capabilities of `json-prune` scriptlet as
follow:
...##+js(json-prune, a, b, stackNeedle, log, [logneedle], logstack, 1)
Whereas before, the only way to log `json-prune` usage was to skip
providing the property chain:
...##+js(json-prune, , b)
Where `b` was the expression to filter out logging output.
With the extended logging capabilities, the logging output can
be filtered out with `logneedle`, which can be a regex literal.
Additionally, to log the stack trace the `stackNeedle` argument
must be set to non-empty string. You can use `/.^/` to log the
stack trace without matching it.
Related issue:
- https://github.com/AdguardTeam/Scriptlets/issues/332
Additionally, uBO's own scriplet syntax now also accept quoting
the parameters with either `'` or `"`. This can be used to avoid
having to escape commas when they are present in a parameter.
Related issue:
- https://github.com/uBlockOrigin/uAssets/issues/18725
Testing the context was causing the deprecated static property
RegExp.$1 to be clobbered, causing webpage breakage because this
property was subsequently used used by the caller.