AG-44375 Fix 'prevent-element-src-loading' — TrustedScriptURL is not defined in Firefox. #514

Squashed commit of the following:

commit 405af1e
Author: Adam Wróblewski <[email protected]>
Date:   Wed Jul 23 17:29:28 2025 +0200

    Re-add support for Trusted Types in `prevent-element-src-loading` scriptlet and tests

commit 4fd957b
Author: Adam Wróblewski <[email protected]>
Date:   Tue Jul 22 11:32:11 2025 +0200

    Fix `prevent-element-src-loading` scriptlet

Author: AdamWr

CHANGELOG.md

@@ -10,6 +10,15 @@ The format is based on [Keep a Changelog], and this project adheres to [Semantic
 <!-- TODO: change `@added unknown` tag due to the actual version -->
 <!--       during new scriptlets or redirects releasing -->
 
+## [Unreleased]
+
+### Fixed
+
+- issue with `TrustedScriptURL` in `prevent-element-src-loading` scriptlet [#514].
+
+[Unreleased]: https://github.com/AdguardTeam/Scriptlets/compare/v2.2.8...HEAD
+[#514]: https://github.com/AdguardTeam/Scriptlets/issues/514
+
 ## [v2.2.8] - 2025-07-08
 
 ### Added
@@ -24,7 +33,7 @@ The format is based on [Keep a Changelog], and this project adheres to [Semantic
 
 - `trusted-set-cookie-reload` scriptlet infinite page reloading when cookie with time keyword is used [#489].
 
-[v2.2.8]: https://github.com/AdguardTeam/Scriptlets/compare/v2.2.8...HEAD
+[v2.2.8]: https://github.com/AdguardTeam/Scriptlets/compare/v2.2.7...v2.2.8
 [#489]: https://github.com/AdguardTeam/Scriptlets/issues/489
 
 <!-- v2.2.6 is the same as v2.2.7 -->

src/scriptlets/prevent-element-src-loading.js

@@ -131,15 +131,20 @@ export function preventElementSrcLoading(source, tagName, match) {
                 return true;
             }
 
-            // eslint-disable-next-line no-undef
-            if (policy && urlValue instanceof TrustedScriptURL) {
-                const trustedSrc = policy.createScriptURL(urlValue);
-                origSrcDescriptor.set.call(this, trustedSrc);
-                hit(source);
-                return;
+            let mockData = srcMockData[nodeName];
+
+            // If setting value is TrustedScriptURL - we also should set TrustedScriptURL to not violate trusted types
+            if (
+                typeof TrustedScriptURL !== 'undefined'
+                && policy?.isSupported
+                // eslint-disable-next-line no-undef
+                && urlValue instanceof TrustedScriptURL
+            ) {
+                mockData = policy.createScriptURL(mockData);
             }
+
             setMatchedAttribute(this);
-            origSrcDescriptor.set.call(this, srcMockData[nodeName]);
+            origSrcDescriptor.set.call(this, mockData);
             hit(source);
         },
     });

tests/scriptlets/prevent-element-src-loading.test.js

@@ -4,6 +4,8 @@ import { runScriptlet, clearGlobalProps } from '../helpers';
 const { test, module } = QUnit;
 const name = 'prevent-element-src-loading';
 
+const nativeTrustedScriptURL = window.TrustedScriptURL;
+
 const beforeEach = () => {
     window.__debug = () => {
         window.hit = 'FIRED';
@@ -14,6 +16,7 @@ const afterEach = () => {
     if (window.elem) {
         window.elem.remove();
     }
+    window.TrustedScriptURL = nativeTrustedScriptURL;
     clearGlobalProps('hit', '__debug', 'elem', 'scriptLoaded', 'scriptBlocked');
 };
 
@@ -25,14 +28,21 @@ const ONERROR_PROP = 'onerrorProp';
 const ERROR_LISTENER = 'addErrorListener';
 
 // Create tag using combination of different methods
-const createTestTag = (assert, nodeName, url, srcMethod, onerrorMethod) => {
+const createTestTag = (assert, nodeName, url, srcMethod, onerrorMethod, useTrustedTypes = false) => {
     const done = assert.async();
     const node = document.createElement(nodeName);
 
+    let policy;
+    if (useTrustedTypes && window.trustedTypes) {
+        policy = window.trustedTypes.createPolicy('default', {
+            createScriptURL: (url) => url,
+        });
+    }
+
     // Set url with .src or .setAttribute
     switch (srcMethod) {
         case SET_SRC_PROP: {
-            node.src = url;
+            node.src = policy ? policy.createScriptURL(url) : url;
             break;
         }
         case SET_SRC_ATTRIBUTE: {
@@ -424,3 +434,37 @@ test('onerror inline, do not match source', (assert) => {
     // and window.hit should not be fired
     onErrorTestTag(assert, SOURCE_PATH, testPassed, shouldLoad);
 });
+
+test('src prop, matching script element (no TrustedScriptURL)', (assert) => {
+    window.TrustedScriptURL = undefined; // Simulate no TrustedScriptURL support
+    const SOURCE_PATH = `${TEST_FILES_DIR}${TEST_SCRIPT01_FILENAME}`;
+    const scriptletArgs = [SCRIPT_TARGET_NODE, TEST_SCRIPT01_FILENAME];
+    runScriptlet(name, scriptletArgs);
+
+    var elem = createTestTag(
+        assert,
+        SCRIPT_TARGET_NODE,
+        SOURCE_PATH,
+        SET_SRC_PROP,
+        ONERROR_PROP,
+    );
+    assert.strictEqual(elem.src, srcMockData[SCRIPT_TARGET_NODE], 'src was mocked');
+    assert.strictEqual(window.hit, 'FIRED', 'hit fired');
+});
+
+test('src prop, matching script element TrustedTypes', (assert) => {
+    const SOURCE_PATH = `${TEST_FILES_DIR}${TEST_SCRIPT01_FILENAME}`;
+    const scriptletArgs = [SCRIPT_TARGET_NODE, TEST_SCRIPT01_FILENAME];
+    runScriptlet(name, scriptletArgs);
+
+    var elem = createTestTag(
+        assert,
+        SCRIPT_TARGET_NODE,
+        SOURCE_PATH,
+        SET_SRC_PROP,
+        ONERROR_PROP,
+        true,
+    );
+    assert.strictEqual(elem.src, srcMockData[SCRIPT_TARGET_NODE], 'src was mocked');
+    assert.strictEqual(window.hit, 'FIRED', 'hit fired');
+});