Improve 'trusted-replace-xhr-response' and 'prevent-xhr' — randomise thisArg.shouldBePrevented

Open AdamWr opened this issue 2 years ago • 0 comments

Currently it's too easy to disable trusted-replace-xhr-response and prevent-xhr by adding <xhr>.shouldBePrevented = false;

Steps to reproduce:

  1. Add this rule:
example.org#%#//scriptlet('trusted-replace-xhr-response', '*', 'TEST', '/')
  2. Go to - https://example.org/
  3. In browser console run:
(() => {
  function reqListener() {
    alert(this.responseText);
  }
  const xhr = new XMLHttpRequest();
  xhr.addEventListener("load", reqListener);
  xhr.open("GET", "/");
  xhr.shouldBePrevented = false;
  xhr.send();
})();

If the scriptlet works correctly, there should be an alert with the TEST message, but xhr.shouldBePrevented = false; disables the scriptlet and the content is not replaced.

I guess that adding a random part to: https://github.com/AdguardTeam/Scriptlets/blob/bad388d94ab265ffd61d23b26a8637721fabfc1e/src/scriptlets/trusted-replace-xhr-response.js#L123, something like thisArg.shouldBePrevented_<random>, should fix it.

AdamWr, Dec 08 '23 16:12
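
The weakness and the proposed fix, as an added example that is not part of the original issue and is not the Scriptlets project's code: a simplified hook keeps its "rewrite this request" mark under a fixed property name, a randomised property name, or in a closure-held WeakSet, and the reproduction sequence is run against each. `makeXHR`, `install`, the three stores and `runRepro` are hypothetical names, the fake XHR class is constructed so the block runs outside a browser, and the WeakSet variant goes beyond what the issue suggests.

```javascript
// Constructed stand-in for XMLHttpRequest so the example runs outside a browser.
const makeXHR = () => class FakeXHR {
  open(method, url) { this.url = url; }
  send() { this.responseText = 'ORIGINAL'; } // pretend network response
};

// Three ways for the hook to remember "this request must be rewritten".
const propStore = (key) => ({
  mark: (xhr) => { xhr[key] = true; },
  isMarked: (xhr) => xhr[key] === true,
});
const fixedStore = () => propStore('shouldBePrevented');
const randomStore = () =>
  propStore(`shouldBePrevented_${Math.random().toString(36).slice(2)}`);
const weakSetStore = () => {
  const marked = new WeakSet(); // lives in the closure, nothing on the object
  return { mark: (xhr) => marked.add(xhr), isMarked: (xhr) => marked.has(xhr) };
};

// Hypothetical, simplified hook: open() marks the request, send() replaces
// the response body only if the mark is still present.
function install(XHR, store, replacement) {
  const { open, send } = XHR.prototype;
  XHR.prototype.open = function (...args) {
    store.mark(this); // the demo treats every request as matching
    return open.apply(this, args);
  };
  XHR.prototype.send = function (...args) {
    const result = send.apply(this, args);
    if (store.isMarked(this)) this.responseText = replacement;
    return result;
  };
}

// The page-side sequence from the reproduction steps, run against one store.
function runRepro(store) {
  const XHR = makeXHR();
  install(XHR, store, 'TEST');
  const xhr = new XHR();
  xhr.open('GET', '/');
  xhr.shouldBePrevented = false; // the assignment from the report
  xhr.send();
  return xhr.responseText;
}

console.log(runRepro(fixedStore()), runRepro(randomStore()), runRepro(weakSetStore()));
```

A randomised property name is still an own property of the request object, whereas the WeakSet keeps the mark entirely inside the hook's closure.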