Is it possible to defuse tumblr.com click events?

[wavygecko]

I'm trying to defuse click events on tumblr.com but for some reason it doesn't seem to be working.

In devtools I see the click event I want to defuse:

But tumblr.com##+js(aeld, click) does nothing and tumblr.com##+js(aell) shows no console logs.

Any idea what I'm doing wrong?

re: DandelionSprout/adfilt#642

[gorhill]

In Firefox, uBO's injected scriptlets are affected by a page's current CSP, and tumblr.com forbids inline scripts, which prevents uBO's injected scriptlet from being executed.

[wavygecko]

Does Chrome have less strict CSP enforcement?

[gorhill]

It seems Chromium properly exclude extension-injected inline scripts. Extensions extend browser capabilities, so it makes sense that they are not restricted by webpages.

[MasterKia]

@gorhill You said:

I don't plan to have uBO lower CSP rules set by a site. In my opinion, being able to inject a surrogate scriptlet is less important than not relaxing existing CSP ruleset.

Does this mean sites can trivially gain protection against uBO's +js rules in Firefox?
With the rise of MV3 more users would switch from Chromium to Firefox.

[gorhill]

I need to investigate what can be done with Firefox, there might be a way. Also I am pretty sure there is an open issue in bugzilla about this, which I do not have the time to try to find now.

[MasterKia]

I am pretty sure there is an open issue in bugzilla about this

A 6 years old one:
https://bugzilla.mozilla.org/show_bug.cgi?id=1267027

[gorhill]

Turns out it's possible to bypass a page's CSP, see uBlockOrigin/uBlock-issues#235 (comment). Should be solved in 1.45.3b14+.