Trusted-Types Helper

I mainly wrote this in 2021 to enable TamperMonkey to continue using scripts that have `@require` dependencies on sites with a restrictive `Trusted-Types` policy, until TM v4.14 came out (milestone: https://github.com/Tampermonkey/tampermonkey/issues/1334#event-5361683856). Now it seems like some cases make it relevant again? I think that should be only temporary until the TM team get on top of what ever changed. Make sure this script is executed before the `@require`ing of any dependencies

  1. // ==UserScript==
  2. // @name		Trusted-Types Helper
  3. // @version		0.1.0
  4. // @description	I mainly wrote this in 2021 to enable TamperMonkey to continue using scripts that have `@require` dependencies on sites with a restrictive `Trusted-Types` policy, until TM v4.14 came out (milestone: https://github.com/Tampermonkey/tampermonkey/issues/1334#event-5361683856). Now it seems like some cases make it relevant again? I think that should be only temporary until the TM team get on top of what ever changed. Make sure this script is executed before the `@require`ing of any dependencies
  5. // @namespace	bp
  6. // @author		Benjamin Philipp <dev [at - please don't spam] benjamin-philipp.com>
  7. // @include		*
  8. // @run-at		document-start
  9. // @noframes
  10. // @grant		none
  11. // ==/UserScript==
  12.  
  13. // How to work with Trusted Types: https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API
  14.  
  15. // This is mainly to enable TamperMonkey to continue using scripts that have `@require` dependencies on sites with a restrictive `Trusted-Types` policy. At least until TM v4.14 comes out, the milestone has already been added: https://github.com/Tampermonkey/tampermonkey/issues/1334#event-5361683856
  16. // Make sure this script is executed before the `@require`ing of any dependencies
  17.  
  18. // Although TT is still an experimental feature, Google seems quite keen to enforce it already, albeit half-assedly, where supported. Ugh! >.<
  19.  
  20. // This script provides pass-through policies to try to enable you to do what ever you want with the DOM, while trying not to disturb any defaults in place.
  21. // Basically, if you have to create your own Trusted Types (e.g. TrustedHTML), and if the site's CSP allows for the creation of new policies, you can use a permissive policy to wrap your strings into a Trusted Type, like TrustedHTML, which the browser will then allow you to assign to the DOM.
  22. // Best case scenario: The site has no default policy set. This allows us to specify our own, in which we can then allow everything (pass-through); this will restore all ability to modify the DOM.
  23. // If we have to create a custom policy, all contents have to be piped through the relevant function of the TT Policy, like `TTP.createHTML("unsafe string contents")`, which will then return trusted contents.
  24.  
  25. const overwrite_default = false; // If a default policy already exists, it might be best not to overwrite it, but to try and set a custom policy and use it to manually generate trusted types. Try at your own risk
  26. const prefix = GM_info.script.name;
  27. var passThroughFunc = function(string, sink){
  28. 	return string; // Anything passing through this function will be returned without change
  29. }
  30. var TTPName = "passthrough";
  31. var TTP_default, TTP = {createHTML: passThroughFunc, createScript: passThroughFunc, createScriptURL: passThroughFunc}; // We can use TTP.createHTML for all our assignments even if we don't need or even have Trusted Types; this should make fallbacks and polyfills easy
  32. var needsTrustedHTML = false;
  33. function doit(){
  34. 	try{
  35. 		if(typeof window.isSecureContext !== 'undefined' && window.isSecureContext){
  36. 			if (window.trustedTypes && window.trustedTypes.createPolicy){
  37. 				needsTrustedHTML = true;
  38. 				if(trustedTypes.defaultPolicy){
  39. 					log("TT Default Policy exists");
  40. 					if(overwrite_default)
  41. 						TTP = window.trustedTypes.createPolicy("default", TTP);
  42. 					else
  43. 						TTP = window.trustedTypes.createPolicy(TTPName, TTP); // Is the default policy permissive enough? If it already exists, best not to overwrite it
  44. 					TTP_default = trustedTypes.defaultPolicy;
  45. 					
  46. 					log("Created custom passthrough policy, in case the default policy is too restrictive: Use Policy '" + TTPName + "' in var 'TTP':", TTP);
  47. 				}
  48. 				else{
  49. 					TTP_default = TTP = window.trustedTypes.createPolicy("default", TTP);
  50. 				}
  51. 				log("Trusted-Type Policies: TTP:", TTP, "TTP_default:", TTP_default);
  52. 			}
  53. 		}
  54. 	}catch(e){
  55. 		log(e);
  56. 	}
  57. }
  58.  
  59. function log(...args){
  60. 	if("undefined" != typeof(prefix) && !!prefix)
  61. 		args = [prefix + ":", ...args];
  62. 	if("undefined" != typeof(debugging) && !!debugging)
  63. 		args = [...args, new Error().stack.replace(/^\s*(Error|Stack trace):?\n/gi, "").replace(/^([^\n]*\n)/, "\n")];
  64. 	console.log(...args);
  65. }
  66.  
  67. doit();