Trusted-Types Helper

This is mainly to enable TamperMonkey to continue using scripts that have `@require` dependencies on sites with a restrictive `Trusted-Types` policy. At least until TM v4.14 comes out, the milestone has already been added: https://github.com/Tampermonkey/tampermonkey/issues/1334#event-5361683856 \n Make sure this script is executed before the `@require`ing of any dependencies

目前为 2021-09-28 提交的版本。查看 最新版本

  1. // ==UserScript==
  2. // @name		Trusted-Types Helper
  3. // @version		0.1.0
  4. // @description	This is mainly to enable TamperMonkey to continue using scripts that have `@require` dependencies on sites with a restrictive `Trusted-Types` policy. At least until TM v4.14 comes out, the milestone has already been added: https://github.com/Tampermonkey/tampermonkey/issues/1334#event-5361683856 \n Make sure this script is executed before the `@require`ing of any dependencies
  5. // @namespace	bp
  6. // @author		Benjamin Philipp <dev [at - please don't spam] benjamin-philipp.com>
  7. // @include		*
  8. // @run-at		document-start
  9. // @noframes
  10. // @grant		none
  11. // ==/UserScript==
  12.  
  13. // How to work with Trusted Types: https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API
  14.  
  15. // This is mainly to enable TamperMonkey to continue using scripts that have `@require` dependencies on sites with a restrictive `Trusted-Types` policy. At least until TM v4.14 comes out, the milestone has already been added: https://github.com/Tampermonkey/tampermonkey/issues/1334#event-5361683856
  16. // Make sure this script is executed before the `@require`ing of any dependencies
  17.  
  18. // Although TT is still an experimental feature, Google seems quite keen to enforce it already, albeit half-assedly, where supported. Ugh! >.<
  19. // Right now, Chrome (stable) doesn't allow appending of TrustedHTML like `element.innerHTML += someTrustedHTML`, but requires you to create an element first using trusted types for contents, which is a total PITA, and I don't mean bread. hopefully that'll change.
  20.  
  21. // This script provides pass-through policies to try to enable you to do what ever you want with the DOM, while trying not to disturb any defaults in place.
  22. // Basically, if you have to create your own Trusted Types (e.g. TrustedHTML), and if the site's CSP allows for the creation of new policies, you can use a permissive policy to wrap your strings into a Trusted Type, like TrustedHTML, which the browser will then allow you to assign to the DOM.
  23. // Best case scenario: The site has no default policy set. This allows us to specify our own, in which we can then allow everything (pass-through); this will restore all ability to modify the DOM.
  24. // If we have to create a custom policy, all contents have to be piped through the relevant function of the TT Policy, like `TTP.createHTML("unsafe string contents")`, which will then return trusted contents.
  25.  
  26. const overwrite_default = false; // If a default policy already exists, it might be best not to overwrite it, but to try and set a custom policy and use it to manually generate trusted types. Try at your own risk
  27. const prefix = GM_info.script.name;
  28. var passThroughFunc = function(string, sink){
  29. 	return string; // Anything passing through this function will be returned without change
  30. }
  31. var TTPName = "passthrough";
  32. var TTP_default = TTP = {createHTML: passThroughFunc, createScript: passThroughFunc, createScriptURL: passThroughFunc}; // We can use TTP.createHTML for all our assignments even if we don't need or even have Trusted Types; this should make fallbacks and polyfills easy
  33. var needsTrustedHTML = false;
  34. function doit(){
  35. 	try{
  36. 		if(typeof window.isSecureContext !== 'undefined' && window.isSecureContext){
  37. 			if (window.trustedTypes && window.trustedTypes.createPolicy){
  38. 				needsTrustedHTML = true;
  39. 				if(trustedTypes.defaultPolicy){
  40. 					log("TT Default Policy exists");
  41. 					if(overwrite_default)
  42. 						TTP = window.trustedTypes.createPolicy("default", TTP);
  43. 					else
  44. 						TTP = window.trustedTypes.createPolicy(TTPName, TTP); // Is the default policy permissive enough? If it already exists, best not to overwrite it
  45. 					TTP_default = trustedTypes.defaultPolicy;
  46. 					
  47. 					log("Created custom passthrough policy, in case the default policy is too restrictive: Use Policy '" + TTPName + "' in var 'TTP':", TTP);
  48. 				}
  49. 				else{
  50. 					TTP_default = TTP = window.trustedTypes.createPolicy("default", TTP);
  51. 				}
  52. 				log("Trusted-Type Policies: TTP:", TTP, "TTP_default:", TTP_default);
  53. 			}
  54. 		}
  55. 	}catch(e){
  56. 		log(e);
  57. 	}
  58. }
  59.  
  60. function log(...args){
  61. 	if("undefined" != typeof(prefix) && !!prefix)
  62. 		args = [prefix + ":", ...args];
  63. 	if("undefined" != typeof(debugging) && !!debugging)
  64. 		args = [...args, new Error().stack.replace(/^\s*(Error|Stack trace):?\n/gi, "").replace(/^([^\n]*\n)/, "\n")];
  65. 	console.log(...args);
  66. }
  67.  
  68. doit();