
AdGuard extension is not compatible with websites that adopted Trusted Types

Open tosmolka opened this issue 3 years ago • 5 comments

Issue Details

AdGuard extension is not fully compatible with websites that adopted Trusted Types. There was some initial work done in #1923 and https://github.com/AdguardTeam/AdguardBrowserExtension/commit/8270d903e58d2f5a2958601cb1f78a207e7b12d5 or https://github.com/AdguardTeam/sizzle-extcss/commit/14ab2e2c085d88fabc488d2c518c5f3c5253c4ed but I don't think the integration works as intended.

Duplicate Trusted Types policies

First, the content-script-start.js bundle brings in two Trusted Types policies:

  • One named AGPolicy, I think from https://github.com/AdguardTeam/sizzle-extcss/blob/b71938b14bc77c896a64c6809d60debb7c97331a/src/sizzle.js#L1838
  • One named AGPolicy-${nanoid()}, I think from https://github.com/AdguardTeam/AdguardBrowserExtension/blob/1077a7850200ec054762d898fe2a8c11b606ef2d/Extension/src/content-script/trusted-types-policy.js#L17

If a website uses the trusted-types CSP directive to control allowed policy names and even wants to permit AdGuard to create a custom TT policy, it can only allow the first one (AGPolicy). There is no support for * wildcards in policy names, and the website does not know ${nanoid()} in advance. I think both policies should be merged into one and the name should be static.

On-demand policy creation

Second, the content script calls ./Extension/src/content-script/trusted-types-policy.js and tries to create a Trusted Types policy literally on every page the user visits, even if it's not needed. I think the TT policy should be created on demand, only when it's about to be used for the first time in AdGuard.

This is causing large numbers (millions per day) of unnecessary CSP violations from our websites.

Expected Behavior

  1. There is only one Trusted Types policy in AdGuard's content script, named AGPolicy
  2. AdGuard's content script creates the Trusted Types policy on demand, only when needed

Actual Behavior

  1. There are two Trusted Types policies in AdGuard's content script, AGPolicy and AGPolicy-${nanoid()}
  2. AdGuard's content script creates a Trusted Types policy every time it's loaded, even if it's not used

Screenshots

Visit any website that uses the trusted-types directive:


tosmolka avatar May 11 '22 12:05 tosmolka
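
The two changes requested in the issue above (one statically named policy, created only on first use), as an added JavaScript example that is not AdGuard's code. `lazyTrustedTypesPolicy` and `fakeFactory` are hypothetical names, the pass-through rules are an assumption, and `fakeFactory` is a constructed stand-in for `window.trustedTypes` so the block runs outside a browser.

```javascript
// Added example, not AdGuard's code. Static name so a site can list it in `trusted-types`.
const POLICY_NAME = 'AGPolicy';

// Returns wrappers that create the policy on first use, never at script load.
function lazyTrustedTypesPolicy(factory = globalThis.trustedTypes, name = POLICY_NAME) {
  let policy; // undefined: not attempted yet; null: API missing or name refused
  const passthrough = (input) => input; // assumption: the caller has vetted the input
  const getPolicy = () => {
    if (policy !== undefined) return policy;
    policy = null;
    if (factory && typeof factory.createPolicy === 'function') {
      try {
        policy = factory.createPolicy(name, {
          createHTML: passthrough,
          createScript: passthrough,
          createScriptURL: passthrough,
        });
      } catch (e) {
        // TypeError: the page's CSP does not allow this name. Remember the
        // refusal so one page load triggers at most one violation.
        policy = null;
      }
    }
    return policy;
  };
  const wrap = (method) => (input) => {
    const p = getPolicy();
    return p ? p[method](input) : input; // no policy: hand back the raw string
  };
  return { createHTML: wrap('createHTML'), createScript: wrap('createScript'), createScriptURL: wrap('createScriptURL') };
}

// Constructed stand-in for window.trustedTypes under `trusted-types <allowedNames>`.
// A real policy returns TrustedHTML and friends; this fake returns plain strings.
function fakeFactory(allowedNames) {
  const f = {
    calls: 0,
    violations: 0,
    createPolicy(name, rules) {
      f.calls += 1;
      if (!allowedNames.includes(name)) {
        f.violations += 1;
        throw new TypeError(`Policy "${name}" disallowed`);
      }
      return { name, createHTML: rules.createHTML, createScript: rules.createScript, createScriptURL: rules.createScriptURL };
    },
  };
  return f;
}
```

On a page that never reaches a wrapped sink, `createPolicy` is never called, so a site that does not list the name sees no violation from that page load.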

Thank you for opening this issue. We will take a look.

maximtop avatar May 11 '22 12:05 maximtop

@maximtop, do you have an update regarding the issue? Any timelines for the fix? This is still affecting a large number of our customers. Thank you.

tosmolka avatar Jul 25 '22 08:07 tosmolka

@tosmolka no timelines for now; we are reworking the background page of the extension a little bit now, and after that we will fix this issue. I think that it would be within the next one or two minor versions.

maximtop avatar Jul 25 '22 10:07 maximtop

Hello @maximtop, just checking, any update since the last time? We would greatly appreciate it if this could be picked up soon; the issue still affects a large number of our users. Thank you.

tosmolka avatar Sep 26 '22 14:09 tosmolka

@tosmolka we didn't finish the rework yet

maximtop avatar Sep 27 '22 05:09 maximtop

Hello @maximtop, any update since the last time? Thank you.

tosmolka avatar Jan 25 '23 09:01 tosmolka

> Hello @maximtop, any update since the last time? Thank you.

Hi! I can just say we are closer to the new version where this issue was taken into consideration.

maximtop avatar Jan 25 '23 09:01 maximtop

Hello @maximtop, do you guys have any update regarding this issue? Any ETA? Thanks a lot.

tosmolka avatar Aug 28 '23 14:08 tosmolka

> Hello @maximtop, do you guys have any update regarding this issue? Any ETA? Thanks a lot.

Hey, @tosmolka. Sorry for the significant delay. We've moved this issue up in priority and plan to release a fix for it in the 4.2 patch, which is slated for release next month.

maximtop avatar Aug 28 '23 16:08 maximtop