Skip to content

Resources Library

D4niloMR edited this page Dec 21, 2024 · 305 revisions

Available general purpose scriptlets


Available defuser scriptlets


Available empty redirect resources

  • 1x1.gif
  • 2x2.png
  • 3x2.png
  • 32x32.png
  • noop.css
  • noop.html (noopframe)
  • noop.js
  • noop.json1.53.5rc11
  • noop.txt
  • noop-0.1s.mp3
  • noop-0.5s.mp3
  • noop-1s.mp4
  • noop-vast2.xml 1.59.1b6
  • noop-vast3.xml 1.59.1b6
  • noop-vast4.xml 1.59.1b6
  • noop-vmap1.xml 1.33
  • none
  • click2load.html

Available URL-specific sanitized redirect resources (surrogates)


General purpose scriptlets

  • Most scriptlet relies on Object properties (methods), altering them may not be the best idea (you should know what you are doing).
  • Some properties related more to browser APIs rather than JS language built-ins can behave in unexpected way. For example browser can override them without scriptlet noticing this. Keep this in mind when using them in scriptlet injection filers.
  • "Optional" for "string/regular expression" parameter defaults to "catch all" (/.?/) if not specified.
  • "String" parameter means plain character(s)/word(s), quotes will be taken literally, commas must be escaped in regex literals: /foo\x2cbar\u002cbaz/, after 1.22.0 commas can be escaped by backslash character (foo\,bar).
  • "Regular expression" parameter means JavaScript regular expression literal.
  • Mime type is application/javascript if not present.
  • You can use the short alias form when available for scriptlet name.
  • You should omit the .js from the scriptlet name in scriptlet injection filters (eventually in some future this will be the official way to do this).
    • Do not skip .js when the scriptlet is used with redirect=, only when used in +js(...).
  • Crossed out resources are deprecated/removed.
  • Starting with 1.46.1b17 support for regex-based values as target domain has been added. Use sparingly, when no other solution is practical from a maintenance point of view -- keeping in mind that uBO has to iterate through all the regex-based values, unlike plain hostname or entity-based values which are mere lookups. Related discussion: uBlockOrigin/uBlock-issues#2234. Example: /img[a-z]{3,5}\.buzz/##+js(nowoif).
  • The usage of named arguments is optional, positional arguments are still supported as documented. Named arguments is required to use "log" and/or "debug" arguments.
  • The logging/debugging capabilities work only in the dev build of uBO or if the advanced setting filterAuthorMode is set to true.
  • Starting with 1.57.3b1, the old method of displaying scriptlets's logs in browser's dev console and via (log, 1) tokens is deprecated:
    • now all scriptlets's logging output is automatically displayed in the logger & the logger's console pane.
    • in the logger, toggling labels info and error in filter input field can be used to reduce information displayed in the logger to informations and errors, including scriptlets, and with additional not operator selected, the opposite effect can be achieved.
    • in the logger's console pane, toggling additionally verbose mode button, will cause console pane to print more logs from scriptlets.
    • by default, scriptlets will print out only calls and informations related to their orders and targets,
      to log all calls without defusing any of them, a scriptlet without parameters can be used, example: wikipedia.org##+js(aeld)
    • related discussions: uBlockOrigin/uAssets/discussions/17907 and uBlockOrigin/uBlock-issues/discussions/3096
  • The only filter lists deemed from a "trusted source" are uBO-specific filter lists (i.e. "uBlock filters -- ..."). The user's own filters from "My filters" are trusted only in the dev build of uBO. This behaviour can be overridden with the advanced setting trustedListPrefixes.
  • Tokens are parameters which modify the behavior of a scriptlet, they must be used after the required and optional parameters.

abort-current-script.js

acs.js /

abort-current-inline-script.js /

acis.js

Aborts execution of inline script (throws ReferenceError) when attempts to access specified property when text content or src attribute value (new in 1.37.0) of <script> element matches specified text or regular expression.

Note that acis.js and abort-current-inline-script.js aliases are deprecated and can be removed in the future.

Parameters:

  • required, property (chain of properties joined by .) attached to window object accessed inside <script> tag we want to break
  • optional, string/regular expression matching in <script> element content
  • optional, new in 1.37.0, string/regular expression matching in the decoded value of the src attribute of the <script> tag, when the attribute content is not a remote network address, but the actual inline script URL-encoded or base64-endcoded as a data: URI

Examples:

  • weristdeinfreund.de##+js(acis, Number.isNaN)
  • tichyseinblick.de##+js(acis, Math, /\}\s*\(.*?\b(self|this|window)\b.*?\)/)

Starting with 1.48.5b4, you can use the logging abilites. (deprecated)
(read about the new method of logging scriptlets)

Tokens:

  • log, 1: output useful information at the dev console. (deprecated)
  • debug, 1: break at key locations in the scriptlet.

Also see:


abort-on-property-read.js

aopr.js

Aborts execution of script (throws ReferenceError) when attempts to read specified property. Writes are ignored.

Parameters:

  • required, property (chain of properties joined by .) attached to window object

Examples:

  • tagesspiegel.de##+js(aopr, Notification)

Also see:


abort-on-property-write.js

aopw.js

Aborts execution of script (throws ReferenceError) when attempts to write specified property.

Parameters:

  • required, property (chain of properties joined by .) attached to window object that will be overwritten

Examples:

  • yggtorrent.*##+js(aopw, Fingerprint2)

Also see:


abort-on-stack-trace.js

aost.js

Experimental, under development

New in 1.29.3rc9

Aborts execution of script (throws ReferenceError) when attempts to access specified property when stack trace matches specified text or regular expression. Internal discussion

Parameters:

  • required, property (chain of properties joined by .) to trap in order to launch the stack trace matching code, ex. Math.random
  • optional, string/regular expression, the needle to match against the stack trace. If the empty string, only log. Prepend pattern with ! to test for unmatched patterns in stack trace (New in 1.51.1b6)

Tokens:

  • "log":
    • all: log stack trace for all access to trapped property
    • match: log stack trace for defused access to trapped property
    • nomatch: log stack trace for non-defused access to trapped property

Stack trace is normalized, but there still can be differences (Chromium vs Firefox) because of different format of stack trace.

There is a special string which can be used to match inline script context - inlineScript.

Though the stack trace is rendered in the console using new line to separate the stack trace lines, internally \t is used. The reason is to be more easily be able to create regex-based needle when using regex . character class.

The stack trace is prepended with stackDepth:... in order to allow to filter on stack depth, however higher depth values can likely differ between Chromium and Firefox.

Firefox often reports injectedScript, attempt has been made to convert entries in Chromium which seems to correspond to this, so that both browser families will report injectedScript.

The column value is normalized to 1, however there is too much discrepancy between browser families for that value to be of any use.

Filtering according to reported line numbers (...:1234:1), will not be reliable for inline scripts, since the line at which those inline scripts are located will vary from one page to another. It should be reliable for when the stack trace entry is for code in a JS file.

Also see:


addEventListener-defuser.js

aeld.js /

prevent-addEventListener.js

Prevents attaching event listeners.

Parameters (when using positional arguments):

  • optional, string/regular expression, name of the event listener to defuse
  • optional, string/regular expression matching in stringified handler function, narrows down defusing to specific handler

Examples:

  • vev.io##+js(aeld, adb.updated)
  • newser.com##+js(aeld, load, Object)
  • vivo.sx##+js(aeld, , preventDefault)
  • vidto.me##+js(aeld, /^(?:click|mousedown|mousemove|touchstart|touchend|touchmove)$/, system.popunder)

Tokens:

  • "runAt": when this parameter is present, uBO will take it into account to possibly defer defusing the event listener (New in 1.49.3b4):
    • end: execute scriptlet at DOMContentLoaded event ("interactive")
    • idle: execute scriptlet at load event ("complete")
  • "elements": if present, will be used to apply the scriptlet to only elements matching the selector (New in 1.55.1b1)
    • must be a valid CSS selector (also window and document elements can be used as a selector (New in 1.58.1b5))
  • "debug": an integer value telling when to break into the debugger, useful to inspect the debugger's call stack.
    • 1: break into the debugger when both type and pattern match, so effectively when defusing is taking place.
    • 2: break into the debugger when either type or pattern matches.
● "log": (deprecated)

▬▬► SPOILER START ◄▬▬

  • "log": an integer value telling when to log (see uBlockOrigin/uAssets#17907):
    • 1: log only when both type and pattern matches, i.e. when a call to addEventListener() is defused
    • 2: log when either the type or pattern matches
    • 3: log all calls to addEventListener()

Examples:

  • wikipedia.org##+js(aeld, /mouse/, /.^/, log, 2)
  • wikipedia.org##+js(aeld, , /.^/, log, 2)
  • wikipedia.org##+js(aeld, , , log, 1)
  • wikipedia.org##+js(aeld, _, , log, 3)

The first filter will log calls to addEventListener() which have the pattern "mouse" in the event type (so "mouseover", "mouseout", etc.) without defusing any of them (because pattern can't match anything).

The second filter will log all calls without defusing any of them (because type can't match anything).

The third filter will log and defuse all calls to addEventListener()

The fourth filter will log all calls to addEventListener() without defusing any of them

▬▬► SPOILER END ◄▬▬

(read about the new method of logging scriptlets)

Examples:

  • jpvhub.com##+js(aeld, click, popMagic, runAt, idle)
  • subkade.ir##+js(aeld, click, return"undefined", elements, a.indirect)
  • wikipedia.org##+js(aeld)

The third filter will log all calls to addEventListener() without defusing any of them

Also see:


aell.js /

addEventListener-logger.js

Removed in 1.48.1b3.

Logs to the console event listeners created on page.

The logging or debugging of addEventListener() calls can now be done with the addEventListenerDefuser scriptlet, which now supports named arguments.

Also see:


remove-cookie.js

cookie-remover.js

Removes current page cookies specified by name. For current domain, wildcard (dot) subdomain(s), after 1.28.0 also for domain one level above www, current and / path, script accessible (HttpOnly=false), on load and before unload.

Caveats: cookies set for higher level domain will not be removed. For example, if current page domain is page.example.com, cookies set for example.com will not be removed. One exception is www subdomain, which will work after 1.28.0.

Parameters:

  • optional, string/regular expression, matching in the name of the cookie

Tokens:

  • "when": when this parameter is present, it adds ability to trigger cookie removal on specific events (with delay 500ms):
    • when "when" is not present: executes on page load and before unload
    • scroll: executes when scrolling page (since 1.53.5rc3)
    • keydown: executes when key pressed (since 1.53.5rc4)

Examples:

Also see:


csp.js

Removed. Deprecated by $csp network filter option.
Applies content security policy by inserting <meta http-equiv=Content-Security-Policy content="*directive*"> tag to html <head> element. Read more at https://www.w3.org/TR/CSP2/#delivery-html-meta-element
Content Security Policy Quick Reference Guide

Parameters:

  • required, valid Content Security Policy directive

call-nothrow.js

New in 1.48.1b0.

Prevents a call to an existing function from throwing an exception. It encloses existing functions in this block and ignores the exception:

try {
 [existing function]
}
catch() {
 [ignore when throws]
}

It will return undefined because returning variable is never set.

The exception will be caught by the scriptlet and neutralized. The first argument must be a reference to a function call. At the moment, the function call must exist at the time the scriptlet is called.

Parameters:

  • required, a reference to a function call

Examples:

  • example.com##+js(call-nothrow, Object.defineProperty)

Also see:


disable-newtab-links.js

Prevents creating new tabs/windows by deactivating links with target attribute.

Parameters:

  • none

Examples:

  • there.to##+js(disable-newtab-links)

To prevent new tabs/windows by specifying the location URL, see: window-close-if.js

Also see:


evaldata-prune.js

New in 1.49.3rc15

Intercepts calls to eval() and will work only if what is passed to eval can be parsed as JSON.

For parameters, see: json-prune

When no "prune paths" argument (first parameter) is provided, the scriptlet is used for logging purpose and the "needle paths" argument (second parameter) is used to filter logging output.

Examples:

  • m.nivod4.tv##+js(evaldata-prune, entity.commercial)

Also see:


object-prune.js * (fn)

New in 1.51.1b14 * (fn)

[Documentation to be completed]


trusted-prune-inbound-object.js

Trusted scriptlet

New in 1.52.3rc0

To perform object pruning for any given call which has an object as argument (hence "inbound").

Parameters:

  • required, the name of the property to trap. Must be a function, and must exist when the scriptlet tries to install the trap.
  • required, the position of the object to prune in the argument list when the trapped function is called. The position is 1-based and must be an integer greater than 0.
  • required, the properties to prune (as with json-prune)
  • optional, the properties which must all be present for pruning to occur (as with json-prune)

Varargs:

  • dontOverwrite, 1: do not modify the target inbound object.
  • stackToMatch: string or regular expression that must match the current function call stack trace. Prepend pattern with ! to test for unmatched patterns in stack trace.

Examples:

  1. Remove title and name properties before passing the object to JSON.stringify call:

    example.org##+js(trusted-prune-inbound-object, JSON.stringify, 1, title name)
  2. Remove status property before passing the object to Object.keys call but do not modify caller's instance of the object:

    example.org##+js(trusted-prune-inbound-object, Object.keys, 1, status, , dontOverwrite, 1)

Also see:


trusted-prune-outbound-object.js

Trusted scriptlet

New in 1.52.3rc3

Essentially a complement of trusted-prune-inbound-object added in 1.52.3rc0

To perform object pruning on any object returned synchronously by any given call.

Parameters:

  • required, the name of the property to trap. Must be a function, and must exist when the scriptlet tries to install the trap.
  • required, the properties to prune (as with json-prune)
  • optional, the properties which must all be present for pruning to occur (as with json-prune)

The scriptlets json-prune and evaldata-prune essentially perform the same function, and will eventually be rewritten to internally delegate to generic trusted-prune-outbound-object.


json-prune.js

New in 1.23.0

Intercepts calls to JSON.parse() and Response.json()New in 1.31.0. If the result of the parsing is an Object, remove specified properties from the result before returning to the caller.

Parameters:

  • optional, string, a list of space-separated properties to remove
  • optional,
    • string, a list of space-separated properties which must be all present for the pruning to occur; OR
    • string/regular expression, for logging purposes, matching in stringified JSON payloads (New in 1.27.0)
  • optional, string or regular expression that must match the current function call stack trace (New in 1.51.1b5). Prepend pattern with ! to test for unmatched patterns in stack trace (New in 1.51.1b6)

A property in a list of properties can be a chain of properties, example: adpath.url.first.

After 1.28.0, two special "wildcard tokens" have been added:

  • []: iterate in all elements in an array. To deal with cases where the property to remove is an element in an array. To remove adserver object properties from array in following JSON payload:

      {"playlist": [{"adserver": "first"},{"adserver": "second"}]}
    

    Use:

      +js(json-prune, playlist.[].adserver)
    
  • *: iterate through all own properties of an object. For example, to deal with hard to predict random-named properties. To remove adserver object properties from inside randomly named objects in following JSON payload:

      {"playlist": {"random1": {"adserver": "first"}, "randomB": {"adserver": "second"}}}
    

    Use:

     +js(json-prune, playlist.*.adserver)
    

Version 1.57.0 extend syntax with two special token properties:

  • [-]: remove an array entry if part right of [-] matches the inspected item.
  • {-}: remove a property if part right of {-} matches the inspected item.

When used without parameters, will log current hostname + json payload to the logger.
New in 1.27.0 - second parameter can be used to limit logging to JSON payloads which stringified content match specified string or regular expression.

Tokens:

  • log, ...: This extends logging capabilities of json-prune scriptlet as follows: ...##+js(json-prune, a, b, stackNeedle, log, [logneedle], logstack, 1). Whereas before, the only way to log json-prune usage was to skip providing the property chain: ...##+js(json-prune, , b) Where b was the expression to filter out logging output. With the extended logging capabilities, the logging output can be filtered out with logneedle, which can be a regex literal. Additionally, to log the stack trace the stackNeedle argument must be set to non-empty string. You can use /.^/ to log the stack trace without matching it (New in 1.51.1b5).

Examples:

  • youthhealthmag.com##+js(json-prune, unit_list)
  • winfuture.de##+js(json-prune, adtagparameter, enabled)
  • imgsen.com##+js(json-prune, *, showTrkURL) - will remove everything when needle matches, new in 1.35

If the site uses eval in lieu of JSON.parse, see: evaldata-prune

Also see:


json-prune-fetch-response.js

New in 1.51.1rc1

Removes specified properties from the JSON response of a fetch call.

Syntax:

...##+js(json-prune-fetch-response, prune paths [, needle paths [, ...varargs ]])

For parameters, see: json-prune

Except that the stack parameter is treated as a vararg.

Tokens:

  • "propsToMatch": string of space-separated properties to match; possible props:
    • string or regular expression for matching the URL passed to fetch call;
    • colon-separated pairs name:value where
      • name is init option name
      • value is string or regular expression for matching the value of the option passed to fetch call.
  • "stackToMatch": string or regular expression that must match the current function call stack trace. Prepend pattern with ! to test for unmatched patterns in stack trace.

Examples:

tumblr.com##+js(json-prune-fetch-response, response.timeline.elements.[-].advertiserId, , propsToMatch, url:/api/v2/tabs/for_you)
nbc.com##+js(json-prune-fetch-response, avails, , propsToMatch, amazonaws.com)

Also see:


json-prune-xhr-response.js

New in 1.51.1rc3

Removes specified properties from the JSON response of a XMLHttpRequest call.

For usage, see: json-prune-fetch-response

Example:

www.facebook.com##+js(json-prune-xhr-response, data.viewer.instream_video_ads data.scrubber, , propsToMatch, /api/graphql)

Also see:


xml-prune.js

Removes an element from the specified XML retrieved using fetch, xhr support was added in 1.49.3rc6.

New in 1.44.5b3

After 1.49.3rc16, it can also remove attributes.

Parameters:

  • required, a selector of elements or xpath of elements/attributes (New in 1.49.3rc16) which are to be removed.
  • optional, a selector or xpath (New in 1.49.3rc15 that must have a match in the document for the pruning to occur. No selector means the pruning can be performed regardless.
  • optional, a URL which must be a match for the pruning to occur. If left blank, the pruning can be performed regardless.

Tokens:

  • log, 1 (deprecated, read about the new method of logging scriptlets)
  • logdoc, 1: Dumps the whole document being worked on to the logger

Examples:

  • cbs.com##+js(xml-prune, Period[id*="-roll-"][id*="-ad-"], , pubads.g.doubleclick.net/ondemand)
  • play.max.com##+js(xml-prune, xpath(//*[name()="Period"][not(.//*[name()="SegmentTimeline"])]), , .mpd)
  • example.com##+js(xml-prune, xpath(//*[name()="MPD"]/@mediaPresentationDuration), , .mpd, log, 1)

Also see:


m3u-prune.js

New in 1.44.5b6

Sometimes sites serve real video content and video ads all in one place inside .m3u8 files. You can use m3u-prune to remove those ad segments.

Examples:

  • player.theplatform.com##+js(m3u-prune, tvessaiprod.nbcuni.com, /theplatform\.com\/.*?\.m3u8/)
  • mephimtv.cc##+js(m3u-prune, /#EXT-X-DISCONTINUITY(.|\n){1\,100}#EXT-X-DISCONTINUITY/gm, mixed.m3u8)

If the first argument is a regex with multine flag set, the scriptlet will execute the regex against the whole text, and remove matching text from the whole text (New in 1.47.5b10).

If the matching text does not contain whole lines, the text won't be removed, i.e. it is not allowed to remove only part of a line.

Also see:


noeval.js

Prevent web pages from using eval(), and report attempts to the logger. This should not be used as a generic filter due to the fact that it breaks many websites, including those using Cloudflare's DDoS protection.

Examples:

  • solowarez.org##+js(noeval)

Also see:


noeval-silent.js /

silent-noeval.js

Prevent web pages from using eval().


noeval-if.js

prevent-eval-if.js

Prevent web pages from using eval() on specific matching payloads.

Parameters:

  • optional, string/regular expression, matching in payload string.

Examples:

  • orgyxxxhub.com##+js(noeval-if, replace)

no-floc.js

Obsolete: FLoC ended its experiment in July of 2021.

New in 1.35.0.

Defuses Google FLoC ("Federated Learning of Cohorts") tracking. Read more on https://amifloced.org/

uBlock Origin (uBO) ensures FLoC is opt-in. The generic filter *##+js(no-floc) in "uBlock filters -- Privacy" ensures the feature is disabled when using default settings/lists.

Users can opt-in to FLoC by adding a generic exception filter to their custom filters, #@#+js(no-floc); or they can opt-in only for a specific set of websites through a more specific exception filter:

example.com,shopping.example#@#+js(no-floc)

Solves uBlockOrigin/uBlock-issues#1553.


prevent-fetch.js

no-fetch-if.js

New in 1.31.3b9.

Defuses calls to fetch() by returning a promise which always resolve to an empty response.

Parameters:

  • optional, space-separated list of conditions which must be ALL fulfilled in order for the defusing to take place:
    • string/regular expression, prefixed by ! for negation (new in 1.59.1b13), matching in URL passed to fetch() call
    • colon-separated name:value pairs of init option name and string/regular expression matching in value of that option passed to fetch() call.
  • optional, directive; arguments to define the response body:
    • true to randomize the response, random 10-character string 1.51.1b15
    • emptyObj to return the response value as empty object 1.54.1rc2
    • emptyArr to return the response value as empty array 1.54.1rc2
    • emptyStr to return the response value as empty string 1.54.1rc2
    • length:min[-max] to fulfill the response with randomized text with length specified, limited to 500000 characters 1.54.1b1
    • war:[name of resource] to fulfill the response with the content of a web_accessible_resources resource 1.54.1b1
  • optional, (new in 1.58.1rc4), string for defining response type / JSON string with properties to set on the returned response instance, original response type is used if not specified:
    • ok, supported values: false, true
    • type, supported values: "basic", "cors", "default", "error", "opaque"
    • statusText, supported values: "", "Not Found". defaults to "OK" when not overridden. 1.58.1rc5

When used without parameters, the parameters passed to no-fetch-if will be logged to the logger.

Examples:

example.com##+js(no-fetch-if, method:HEAD)
example.com##+js(no-fetch-if, adsbygoogle.js)
example.com##+js(no-fetch-if, !negatedValue)
example.com##+js(no-fetch-if, adsbygoogle.js method:HEAD)
example.com##+js(no-fetch-if, /adsbygoogle.js$/ method:/HEAD|POST/)
example.com##+js(no-fetch-if, adsbygoogle.js, length:11000)
example.com##+js(no-fetch-if, adsbygoogle.js, war:googlesyndication_adsbygoogle.js)
example.com##+js(no-fetch-if, doubleclick, , '{"type": "opaque"}')

See also:


trusted-replace-xhr-response.js

Trusted scriptlet

New in 1.51.1rc3

Replaces response text content of xhr requests if all given parameters match.

For usage, see: trusted-replace-fetch-response

Example:

  • in-jpn.com##+js(trusted-replace-xhr-response, /.*/, , pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?)

Also see:


trusted-replace-fetch-response.js

trusted-rpfr.js

Trusted scriptlet

New in 1.51.1b8.

Replaces response text content of fetch requests if all given parameters match.

Parameters:

  • required, argument for matching contents of responseText that should be replaced. Possible values:
    • *: match all text content
    • non-empty string
    • regular expression
  • optional, should be set if first parameter is set. String to replace the response text content matched by pattern. Empty string to remove content. Defaults to empty string.
  • optional, string of space-separated properties to match; possible props:
    • string or regular expression for matching the URL passed to fetch call; empty string, wildcard * will match all fetch calls
    • colon-separated pairs name:value where:
      • name is init option name
      • value is string or regular expression for matching the value of the option passed to fetch call

Tokens:

  • includes, pattern: replace only if pattern match in the text response. Can be a plain string or a regex. 1.58.1b6

Scriptlet does nothing if response body can't be converted to text.

Solves uBlockOrigin/uBlock-issues#2742.

Examples:

  • example.com##+js(trusted-replace-fetch-response, adb_detect:true, adb_detect:false, example.com)
  • example.com##+js(trusted-replace-fetch-response, /#EXT-X-VMAP-AD-BREAK[\s\S]*?/, #EXT-X-ENDLIST, example.com)
  • example.com##+js(trusted-replace-fetch-response, *, , 'method:GET')
  • example.com##+js(trusted-replace-fetch-response, /#EXT-X-VMAP-AD-BREAK[\s\S]*?/, #EXT-X-ENDLIST, '/\.m3u8/ method:/GET|HEAD/')
  • example.com##+js(trusted-replace-fetch-response, *, , another_domain.com)

Also see:


trusted-replace-argument.js

Trusted scriptlet

New in 1.55.1b18

Replace an argument passed to a method.

Syntax:

  • [...]##+js(trusted-replace-argument, propChain, argposRaw, argraw [,condition, pattern])

Parameters:

  • required, propChain: The property chain to the function which argument must be replaced when called.
  • required, argposRaw: The zero-based position of the argument in the argument list. Use a negative number for a position relative to the last argument. Use literal this to replace the value used in prototype-based methods.
  • required, argraw: The replacement value, validated using the same heuristic as with the set-constant.js scriptlet.
    • If the replacement value matches json:..., the value will be the json-parsed string after json:
    • If the replacement value matches repl:/.../.../, the target argument will be replaced according the regex-replacement directive following repl: 1.61.3b1

If argposRaw parameter is not declared, the scriptlet will log all calls to propChain along with the arguments passed and will not replace the argument passed to the trapped method.

Tokens:

  • condition, pattern: The replacement will occur only when pattern matches the target argument.

Examples of usage:

  • alliptvlinks.com##+js(trusted-replace-argument, MutationObserver, 0, noopFunc)
  • scimagojr.com##+js(trusted-replace-argument, document.querySelector, 0, json:"body", condition, .ad-zone)
  • example.com##+js(trusted-replace-argument, String.prototype.split, this, repl:/&ads=1/&ads=0/, condition, ads_enabled=true)
    • For illustration, this filter will intercept String.prototype.split method and regex-replace the string before the string is split, see example below.
      • var config = "ads_enabled=true&ads=1";
        config.split("&");
        // &ads=1 will be replaced with &ads=0
        

prevent-requestAnimationFrame.js

no-requestAnimationFrame-if.js /

norafif.js

New in 1.27.0.

Defuses calls to requestAnimationFrame() function when parameter:

  • is not prefixed with ! and matches the stringified callback argument to requestAnimationFrame(); OR
  • is prefixed with ! and does not match the stringified callback argument to requestAnimationFrame().

Parameters:

  • optional, string/regular expression, matching in the stringified callback argument passed to requestAnimationFrame.

Use with /^/ parameter to defuse all calls unconditionally.

When used without parameters, will log calls to requestAnimationFrame() to the logger.

Examples:

  • bloomberg.com##+js(norafif, paywall-inline-tout)

Also see:


prevent-setInterval.js

no-setInterval-if.js /

nosiif.js /

setInterval-defuser.js

New in 1.23.0

Defuses calls to setInterval() function when parameters:

  • are not prefixed with ! and match the setInterval() argument; OR
  • are prefixed with ! and do not match the setInterval() argument.

Parameters:

  • optional, string/regular expression, matching in stringified callback function
  • optional, a value to match against the delay. Can be a single value for exact match, or a range:
    • min-max: matches if delay >= min and delay <= max
    • min-: matches if delay >= min
    • -max: matches if delay <= max

Use with /^/ parameter to defuse all calls unconditionally.

When used without parameters, will log calls to setInterval() to the logger.

Examples:

  • jpidols.tv##+js(nosiif)
  • finanzen.*##+js(nosiif, nrWrapper)
  • yachtrevue.at##+js(nosiif, text/css, 10)

Also see:


prevent-setTimeout.js

no-setTimeout-if.js /

nostif.js /

setTimeout-defuser.js

New in 1.23.0

Defuses calls to setTimeout() function when parameters:

  • are not prefixed with ! and match the setTimeout() argument; OR
  • are prefixed with ! and do not match the setTimeout() argument.

Parameters:

  • optional, string/regular expression, matching in stringified callback function
  • optional, a value to match against the delay. Can be a single value for exact match, or a range:
    • min-max: matches if delay >= min and delay <= max
    • min-: matches if delay >= min
    • -max: matches if delay <= max

Use with /^/ parameter to defuse all calls unconditionally.

When used without parameters, will log calls to setTimeout() to the logger.

Test page: https://gorhill.github.io/uBlock/tests/scriptlet-injection-filters-1.html

Examples:

  • computerbild.de##+js(nostif, ())return)
  • lablue.*##+js(nostif, push, 500)

In 1.31.3b11 aliased as setTimeout-defuser.js for backward compatibility.

Also see:


nowebrtc.js

Disables WebRTC by preventing web pages from using RTCPeerConnection(). Report attempts in console.

Examples:

  • x1337x.*##+js(nowebrtc)

Also see:


prevent-xhr.js

no-xhr-if.js

New in 1.38.0.

Defuses XMLHttpRequest network requests by returning empty response. Based on no-fetch-if.js.

Parameters:

  • optional, space-separated list of conditions which must be ALL fulfilled in order for the defusing to take place:
    • string/regular expression, prefixed by ! for negation, matching in URL passed to XMLHttpRequest open() call
    • colon-separated name:value pairs of XMLHttpRequest method open() parameter names (only method and url currently supported) and string/regular expression matching in value of passed argument.
  • optional, directive; arguments to define the response body:
    • true to randomize the response, random 10-character string 1.51.1b15
    • emptyObj to return the response value as empty object 1.54.1rc2
    • emptyArr to return the response value as empty array 1.54.1rc2
    • emptyStr to return the response value as empty string 1.54.1rc2
    • length:min[-max] to fulfill the response with randomized text with length specified, limited to 500000 characters 1.54.1b1
    • war:[name of resource] to fulfill the response with the content of a web_accessible_resources resource 1.51.1b16

When used without parameters, the parameters passed to no-xhr-if will be logged to the logger.

Examples:

example.com##+js(no-xhr-if, method:HEAD)
example.com##+js(no-xhr-if, adsbygoogle.js)
example.com##+js(no-xhr-if, adsbygoogle.js method:HEAD)
example.com##+js(no-xhr-if, /adsbygoogle.js$/ method:/HEAD|POST/)
example.com##+js(no-xhr-if, adsbygoogle.js, length:11000)
example.com##+js(no-xhr-if, doubleclick.net/instream/ad_status.js, war:doubleclick_instream_ad_status.js)

Also see:


trusted-prevent-xhr.js

Trusted scriptlet

New in 1.60.1b3

Essentially the same as no-xhr-if except that if the directive argument is not a known token, it will be used as is as the response text of the xhr request, whereas prevent-xhr returns an empty string when the directive is unknown.

Examples:

anitube.vip##+js(trusted-prevent-xhr, outbrain.com, outbrain)
koramaup.com##+js(trusted-prevent-xhr, googlesyndication, 'a.getAttribute("data-ad-client")||""')

set-attr.js

New in 1.50.1b16.

Sets the specified attribute on the specified elements. This scriptlet runs once when the page loads then afterward on DOM mutations.

Parameters:

  • required, CSS selector of DOM elements for which the attribute attr must be modified.
  • required, the name of the attribute to modify
  • required, the value to assign to the target attribute. Possible values:
    • '': empty string (default)
    • true
    • false
    • positive decimal integer: 0 <= value < 32768
    • [other]: copy the value from attribute other on the same element. This allows to copy the value of one attribute to another attribute on the same element.

Examples:

example.com##+js(set-attr, div.class > a.class, test-attribute, 0)
example.com##+js(set-attr, a > img, src, [data-src])

Solves uBlockOrigin/uBlock-issues#2347.

Also see:


trusted-set-attr.js

Trusted scriptlet

New in 1.60.1b17

Sets the specified attribute on the specified elements. This scriptlet runs once when the page loads then afterward on DOM mutations.

Parameters:

  • required, selector: A CSS selector for the elements to target.
  • required, attr: The name of the attribute to be added.
  • optional, value: The new value of the attribute. Since the scriptlet requires a trusted source, the value can be anything.

Examples:

  1. Adds a class attribute to the body element with the value some-class.

    example.com##+js(trusted-set-attr, body, class, some-class)
  2. Adds a test-attribute attribute to the body element with the value [true, true].

    example.com##+js(trusted-set-attr, body, test-attribute, '[true, true]')

Also see:


remove-attr.js

ra.js

Deprecated by :remove-attr()

Filter authors must use the new operator instead of the +js() counterpart.

Removes attribute(s) from DOM tree node(s). By default will run only once when the initial HTML document has been completely loaded and parsed but sub-resources such as scripts, images, stylesheets and frames are still loading.

Parameters:

  • required, attribute or list of attributes joined by |
  • optional, CSS selector, specifies nodes from which attributes will be removed
  • optional, new in 1.33, one or more space-separated tokens dictating the behavior of the scriptlet
    • asap: added in 1.36.1b2, execute as soon as possible, do not wait for DOM to become available.
    • stay: This tells the scriplet to stay active and act on document changes.
    • complete: This tells the scriplet to start acting only when the document is complete, i.e. once all secondary resources have been loaded.

Examples:

  • userscloud.com##+js(ra, onclick, .btn-icon-stacked)
  • magesy.*,majesy.*##+js(ra, oncontextmenu)
  • zerodot1.gitlab.io##+js(ra, oncontextmenu|onselectstart|ondragstart)
  • example.com##+js(remove-attr, class, .j-mini-player, stay)

Also see:


remove-class.js

rc.js

Deprecated by :remove-class()

Filter authors must use the new operator instead of the +js() counterpart.

New in 1.26.0.

Removes classes from DOM tree node(s). By default will run only once after page load. Syntax based on remove-attr.js

Parameters:

  • required, class name or list of class names joined by |
  • optional, CSS selector, specifies nodes from which classes should be removed
  • optional, new in 1.36, one or more space-separated tokens dictating the behavior of the scriptlet
    • stay: This tells the scriplet to stay and act on DOM changes, while the default behavior is to act only once when the document becomes interactive.
    • complete: This tells the scriplet to start acting only when the document is complete, i.e. once all secondary resources have been loaded, while the default is to start acting when the document is interactive - which is earlier than when the document is complete.

Examples:

Also see:


trusted-replace-node-text.js

trusted-rpnt.js /

replace-node-text.js /

rpnt.js

Trusted scriptlet

New in 1.49.3b16

Replace text instance(s) with another text instance inside specific DOM nodes.

By default, the scriptlet will bail out when the document itself has been fully loaded, i.e. when DOMContentLoaded event is fired.

The mutation observer of this scriptlet can be a significant overhead for pages with dynamically updated DOM, and in most cases the scriptlet is useful only for DOM changes occurring before the DOMContentLoaded event, so the default is to quit out when that event is received ("quit out" means discarding the mutation observer and having the scriptlet garbage-collected by the JS engine).

Parameters:

  • required, the name of the node for which the text content must be substituted. Valid node names can be found at: https://developer.mozilla.org/en-US/docs/Web/API/Node/nodeName
  • required, a string or regex to find in the text content of the node as the target of substitution
  • optional, the replacement text. Can be omitted if the goal is to delete the text which matches the pattern. Cannot be omitted if extra pairs of parameters have to be used (see below)

Tokens:

  • includes, pattern: A string or regex which must be found in the text content of the node in order for the substitution to occur
  • excludes, pattern: A string or regex which must not be found in the text content of the node in order for the substitution to occur
  • sedCount, n: This will cause the scriptlet to stop after n instances of substitution. Since a mutation oberver is used by the scriptlet, it's advised to stop it whenever it becomes pointless. Default to zero, which means the scriptlet never stops
  • stay, 1: Force the scriptlet to stay at work forever
  • quitAfter, ms: This tells the scriptlet to quit ms milliseconds after the page has been loaded, i.e. after the DOMContentLoaded event has been fired
  • log, 1: This will cause the scriptlet to output information at the console, useful as a debugging tool for filter authors
    (deprecated, read about the new method of logging scriptlets)

Examples:

  • example.com##+js(rpnt, #text, /^Advertisement$/)
  • example.com##+js(rpnt, #text, Example Domain, Changed, condition, Example, stay, 1)
  • example.com##+js(rpnt, script, /devtoolsDetector\.launch\(\)\;/, , sedCount, 1)

Related discussions:

Also see:


remove-node-text.js

rmnt.js

New in 1.49.3rc15

Remove the whole text of a DOM node.

By default, the scriptlet will bail out when the document itself has been fully loaded, i.e. when DOMContentLoaded event is fired.

The mutation observer of this scriptlet can be a significant overhead for pages with dynamically updated DOM, and in most cases the scriptlet is useful only for DOM changes occurring before the DOMContentLoaded event, so the default is to quit out when that event is received ("quit out" means discarding the mutation observer and having the scriptlet garbage-collected by the JS engine).

Parameters:

Optionally, extra pairs of parameters (tokens) can be used to modify the behavior of the scriptlet.

Tokens:

  • includes, pattern: A string or regex which must be found in the text content of the node in order for the removing to occur
  • excludes, pattern: A string or regex which must not be found in the text content of the node in order for the removing to occur
  • sedCount, n: This will cause the scriptlet to stop after n instances of removing. Since a mutation oberver is used by the scriptlet, it's advised to stop it whenever it becomes pointless. Default to zero, which means the scriptlet never stops
  • stay, 1: Force the scriptlet to stay at work forever
  • quitAfter, ms: This tells the scriptlet to quit ms milliseconds after the page has been loaded, i.e. after the DOMContentLoaded event has been fired
  • log, 1: This will cause the scriptlet to output information at the console, useful as a debugging tool for filter authors
    (deprecated, read about the new method of logging scriptlets)

Examples:

  • example.com##+js(rmnt, #text, Example)
  • example.com##+js(rmnt, #text, Example, condition, Exa)
  • example.com##+js(rmnt, script, timeLeft)

Also see:


trusted-replace-outbound-text.js

trusted-rpot.js

Trusted scriptlet

New in 1.57.1b1

(currently alias trusted-rpot is unsupported yet)

Replace the text in the outbound function call.

Parameters:

  • required, a name of method for which the text content must be substituted
  • required, a string or regex to match in the outbound text as the target of substitution,
    if not provided or empty, the scriptlet will only log the outbound text without modifying it.
  • optional, the replacement string for the matched part,
    can be omitted if the goal is to delete the text which matches the pattern.

Tokens:

  • condition, pattern: is a vararg which tells the scriptlet to act only if pattern is found in the outbound text.
  • encoding, base64: Decode and encode outbound base64-encoded text before and after replacement. 1.58.1b3

Examples:

  • www.reddit.com##+js(trusted-replace-outbound-text, JSON.stringify) (logging only)
  • www.reddit.com##+js(trusted-replace-outbound-text, JSON.stringify, '/"csrf_token":"[^"]+",/')
    matches and removes: "csrf_token":"ed5ce21c7d7c95c8662c7844c0f4a4dc", from the JSON payload
  • www.reddit.com##+js(trusted-replace-outbound-text, JSON.stringify, '/(?<="csrf_token":")[^"]+?(?=")/') or
    www.reddit.com##+js(trusted-replace-outbound-text, JSON.stringify, '/("csrf_token":")(?:[^"]+?)(")/', /$1$2/)
    matches ed5ce21c7d7c95c8662c7844c0f4a4dc or any similiar value in "csrf_token":"..." and removes it resulting in empty value: "csrf_token":""
  • www.reddit.com##+js(trusted-replace-outbound-text, JSON.stringify, '/(?<="adblock":{"enabled":)true/', false)
    matches true in "adblock":{"enabled":true and replaces it with false resulting in a new spoofed value: "adblock":{"enabled":false
  • example.com##+js(trusted-replace-outbound-text, eval, ads:true, ads:false, encoding, base64) For instance, eval('"YWRzOnRydWU="') which decoded value is 'ads:true', will return 'YWRzOmZhbHNl' which is 'ads:false' after decoding.

When the replacement starts with json:, it will be first decoded using JSON.parse() (since 1.59.1b8), example:

  • example.com##+js(trusted-replace-outbound-text, somefn, json:"ok")

The doublequotes are required since this is what JSON.parse() expects as a valid JSON string.


Solves related issues / discussions:

Also see:


href-sanitizer.js

Experimental

New in 1.47.5b4

Set the href attribute to a value found in the DOM at, or below the targeted a element, and optionally with transformation steps.

Parameters:

  • required, A plain CSS selector for elements which href property must be sanitized, if ALL the following conditions are met:
    • The element is a link (<a>) element
    • The link element has an existing href attribute
    • The text content of the element is a valid https-based URL
  • optional, one or more tokens to lookup the source of the href property, and optionally the transformation steps to perform, otherwise the text content of the element will be used.
    • [name]: Use the value of the attribute name as the URL
    • ?name: Use the value of the href query parameter name 1.49.3rc15. Supports unwrapping query parameters recursively 1.58.1rc11
    • Transformation steps: see urlskip documentation 1.61.3b10

Examples:

  • vk.com##+js(href-sanitizer, a[href^="/go?to="][title], [title])
  • vk.com##+js(href-sanitizer, a[href^="/away.php?to="][title], ?to)
  • <a href="https://app.adjust.com/2uo1qc?redirect=https%3A%2F%2Fplay.google.com%2Fstore%2Fapps%2Fdetails%3Fid%3Dorg.mozilla.firefox&amp;campaign=www.mozilla.org&amp;adgroup=mobile-android-page">Text</a>: mozilla.org##+js(href-sanitizer, a[href^="https://app.adjust.com/"][href*="?redirect="], ?redirect)
  • example.com##+js(href-sanitizer, a.clickTracker, ?r?u
  • example.org##+js(href-sanitizer, a[href*="/redirect"], ?url ?url -base64)

Solves Anti-redirect scriptlet for vk.com (href-sanitizer).

Also see:


prevent-refresh.js

refresh-defuser.js

New in 1.38.7b3

Attempts to defuse reloading of a document through a meta "refresh" tag. Will stop navigation (call window.stop()) at specified delay.

Parameters:

  • optional, number (float), number of seconds until the page will be reloaded / when defuser should run. Will be derived from source tag when not specified.

Also see:


trusted-click-element.js

New in 1.53.5rc13

Trusted scriptlet

Clicks elements on webpages. Can target single or multiple elements in a sequence. The scriptlet will abort after 10s timeout or after all the elements have been clicked. Also hidden elements can be targeted.

Parameters:

  • required, a list of css selector(s). Multiple selectors must be quoted. Use >>> to select elements inside shadow root. (New in 1.54.1b3)
  • optional, Extramatch: conditions for the clicking to occur, cookies and localStorage are matched using the format name:key[=value] where the value is optional. Multiple conditions can be separated by comma. Prefix with ! to only click if the cookie/localStorage item does not exist. Supported names: 1.55.1b12
    • cookie: test string or regex against cookies
    • localStorage: test string or regex against localStorage
  • optional, delay in ms how long the scriptlet will postphone the execution

Tokens:

log, 1: This will cause the scriptlet to output information at the console, useful as a debugging tool for filter authors
(deprecated, read about the new method of logging scriptlets)

Examples:

  • example.com##+js(trusted-click-element, button.reject-all)
  • example.com##+js(trusted-click-element, '[for="CookiePurposes_1_"], [for="CookiePurposes_2_"], button.js-save')
  • example.com##+js(trusted-click-element, #cmpwrapper >>> .cmpboxbtnyes)
  • example.com##+js(trusted-click-element, #cmp-btn-accept, , 500)
  • example.com##+js(trusted-click-element, #cmp-btn-accept, !cookie:/^gpt_ppid[^=]+=/, 5000)
  • example.com##+js(trusted-click-element, button[name="agree"], 'cookie:cmpconsent, localStorage:promo=yes')

Also see:


set-constant.js

set.js

Creates property and initializes it with a value from a predefined set.

Scriptlet will succeed only when:

  • original property is undefined (scriptlet is called early enough) or null1.25.0 OR
  • new property written by set.js is undefined or null1.25.0 OR
  • type of original property is equal to type of new property

Value set by scriptlet can be overwritten by page script when:

  • current property was not set to undefined or null1.25.0 AND
  • new property is not undefined or null1.25.0 AND
  • type of original property is different than type of new property

Parameters:

  • required, property (chain of properties joined by .) attached to window object
  • required, possible values:
    • positive decimal integer, no sign, with maximum value of 0x7FFF (32767)
    • one value from set of predefined constants:
      • undefined
      • false
      • true
      • null2018-11-24
      • noopFunc - function with empty body
      • trueFunc - function returning true
      • falseFunc - function returning false
      • throwFunc - function throwing an error1.59.1rc5
      • '' - empty string2019-01-06
      • [] - empty array1.36
      • {} - empty object1.36
● optional (deprecated in favor of "runAt" token)

▬▬► SPOILER START ◄▬▬

  • optional, to defer execution of set-constant, possible values:
    • not present: execute immediately
    • 1: execute immediately
    • interactive, end, 2: set the constant when the event DOMContentInteractive is fired
    • complete, idle, 3: set the constant when the event load is fired

▬▬► SPOILER END ◄▬▬

Tokens:

  • "runAt": when this parameter is present, uBO will take it into account to possibly defer execution of the scriptlet
    new in 1.49.3b4, updated in 1.51.1rc0, solves uBlockOrigin/uAssets#7320:
    • "runAt" not present: execute immediately
    • loading or 1 : execute immediately
    • interactive or end or 2: set the constant when the event DOMContentLoaded is fired
    • complete or idle or 3: set the constant when the event load is fired
  • "as": when this parameter is present, uBO will take it into account how the values will be returned
    new in 1.49.3b13, updated in 1.51.1rc0, solves uBlockOrigin/uBlock-issues#2615:
    • function: the constant will be a function returning the specified value (asFunction is deprecated)
    • callback: the constant will be a function returning a function returning the specified value (asCallback is deprecated)
    • resolved: the constant will be a promise resolving to the specified value (asResolved is deprecated)
    • rejected: the constant will be a promise failing with the specified value (asRejected is deprecated)
  • "stack": considered to be implemented in the future, ideally, AdGuard would support its stack parameter as a vararg, to be discussed,
    issue to be solved: https://github.com/uBlockOrigin/uBlock-issues/issues/2783
    • string or regular expression that must match the current function call stack trace, defaults to matching every call; if regular expression is invalid, it will be skipped

Examples:

  • kompetent.de##+js(set, Object.keys, trueFunc)
  • t-online.de##+js(set, abp, false)
  • identi.li##+js(set, t_spoiler, 0)
  • joysound.com##+js(set, document.body.oncopy, null, 3) (deprecated)
  • joysound.com##+js(set, document.body.oncopy, null, runAt, 3)

Also see:


trusted-set-constant.js

trusted-set.js

Trusted scriptlet

Behaves exactly like set-constant, except that any arbitrary JSON-compatible value can be set.

By default the value is treated as a string, which can be anything.

If the value starts with { and ends with }, the value will be JSON-parsed, and the value property of the resulting object will be used. Since 1.59.1b9, { "value": ... } can be replaced with json:.

Solves: https://github.com/uBlockOrigin/uAssets/discussions/18185#discussioncomment-5977456

Examples:

  • example.com##+js(trusted-set, prop, { "value": 100000 })
  • example.com##+js(trusted-set, prop, '{ "value": [ "one", "two", 3 ]}')
  • example.com##+js(trusted-set, prop, { "value": { "url": "about:blank" }})

Also see:


trusted-suppress-native-method.js

Trusted scriptlet

New in 1.58.1rc0

This is a first draft version with current limitations:

  • Does not support matching arguments which are object or array

Syntax:

  • example.org##+js(trusted-suppress-native-method, methodPath, signatureStr[, how[, stack]])

Parameters:

  • methodPath – required, string path to a native method (joined with . if needed). The property must be attached to window.
  • signatureStr – required, string of |-separated argument matchers. Supported value types with corresponding matchers:
    • string – exact string, part of the string or regexp pattern. Empty string "" to match an empty string. Regexp patterns inside object matchers are not supported.
    • number, boolean, null, undefined – exact value,
    • object – partial of the object with the values as mentioned above, i.e by another object, that includes property names and values to be matched,
    • array – partial of the array with the values to be included in the incoming array, without considering the order of values.

To ignore specific argument, explicitly use whitespace as a matcher, e.g ' | |{"prop":"val"}' to skip matching first and second arguments.

If signatureStr parameter is not declared, the scriptlet will log all calls to methodPath along with the arguments passed and will not prevent the trapped method.

Tokens:

  • "how": optional, string, one of the following:
    • abort – default, aborts the call by throwing an error,
    • prevent – replaces the method call with the call of an empty function.
    • debug – triggers a debugger statement and the target method is not suppressed. Useful to find out how the method is being called by the page's code.
  • "stack": optional, string or regular expression that must match the current function call stack trace. Prepend pattern with ! to test for unmatched patterns in stack trace.

The scriptlet will log stack trace in uBO's logger when verbose mode is enabled.

Examples:

example.org##+js(trusted-suppress-native-method, localStorage.setItem, '/key/|"value"', prevent)
example.org##+js(trusted-suppress-native-method, Object.prototype.hasOwnProperty, '"test"')
example.org##+js(trusted-suppress-native-method, Node.prototype.appendChild, '{"id":"str"}', prevent)
example.org##+js(trusted-suppress-native-method, Document.prototype.querySelectorAll, '"div"')
example.org##+js(trusted-suppress-native-method, Array.prototype.concat, '[1, "str", true]')
example.org##+js(trusted-suppress-native-method, sessionStorage.setItem, ' |"item-value"', abort, someFuncName)
  1. Prevent localStorage.setItem('test-key', 'test-value') call matching first argument by regexp pattern and the second one by substring.
  2. Abort obj.hasOwnProperty('test') call matching the first argument.
  3. Prevent Node.prototype.appendChild call on element with the id test-id by object matcher.
  4. Abort all document.querySelectorAll calls with div as the first argument.
  5. Abort Array.prototype.concat([1, 'str', true, null]) calls by matching array argument contents.
  6. Use stack argument to match by the call, while also matching the second argument.

Also see:


trusted-override-element-method.js

Trusted scriptlet

New in 1.60.1b5

Override the behavior of a method on matching elements.

Parameters:

  • required, methodPath: The method which calls must be intercepted.
  • optional, selector: A CSS selector which the target element must match. If not specified, the override will occur for all elements.
  • optional, disposition: How the override should be handled. If not specified, the overridden call will be equivalent to an empty function.
    • throw: an exception will be thrown (throws ReferenceError).
    • debug: triggers a debugger statement if uBO's logger is opened. Useful for debugging purposes.
    • Any other value will be validated and returned as a supported safe constant.

Example:

streamsilk.com##+js(trusted-override-element-method, HTMLAnchorElement.prototype.click, a[target="_blank"][style])

trusted-prevent-dom-bypass.js

Trusted scriptlet

New in 1.60.1b4

Prevent the bypassing of uBO scriptlets through anonymous embedded context.

Ensure that a target method in the embedded context is using the corresponding parent context's method (which is assumed to be properly patched), or to replace the embedded context with that of the parent context.

Root issue: https://issues.chromium.org/issues/40202434

Parameters:

  • required, methodPath: The method which calls must be intercepted. The arguments of the intercepted calls are assumed to be HTMLElement, anything else will be ignored.
  • optional, targetProp: The method in the embedded context which should be delegated to the parent context. If no method is specified, the embedded context becomes the parent one, i.e. all properties of the embedded context will be that of the parent context.

Examples:

  • ##+js(trusted-prevent-dom-bypass, Element.prototype.append, open)
  • ##+js(trusted-prevent-dom-bypass, Element.prototype.appendChild, XMLHttpRequest)

set-cookie.js

New in 1.50.1b0.

Sets a cookie with the specified name, value, and path. Double quotes surrouding the cookie value are allowed.

Parameters:

  • required, cookie name to be set
  • required, cookie value; possible values:
    • decimal integer: >= -32767 && <= 32767 (<= 15 up to 1.56.1b18, >= 0 up to 1.61.1b0)
    • one of the predefined constants (in any case variation):
      • accept / reject,
      • accepted2 / rejected2 / notaccepted2,
      • allow / disallow2 / deny,
      • allowed2 / denied,
      • approved5 / disapproved5,
      • checked8 / unchecked8,
      • dismiss / dismissed,
      • enable2 / disable2,
      • enabled2 / disabled2,
      • essential7 / nonessential7,
      • forbidden9 / forever9,
      • hide6 / hidden6,
      • necessary4 / required4,
      • ok,
      • on1 / off1,
      • true / t3 / false / f3,
      • yes / y / no / n,
      • all10 / none10 / functional10
  • optional, cookie path, defaults to /; possible values:
    • /: root path
    • none: to set no path at all

1. 1.52.3b17
2. 1.52.3rc12
3. 1.53.1b8
4. 1.53.5rc5
5. 1.57.3rc1
6. 1.58.1b7
7. 1.58.1rc0
8. 1.59.1b5
9. 1.60.1b12 10. 1.61.3b10

The scriptlet encodes cookie names and values, e.g value "{ test: 'value'}" becomes %7B%20test%3A%20'value'%7D.

Tokens:

  • reload, 1: the scriplet will force a reload of the webpage if the cookie being set was not already set.
  • dontOverwrite, 1: the scriptlet will not modify the cookie if it already exists.

; Secure will be automatically used when cookie names starts with __Secure- or __Host- (since 1.58.1b8).

Examples:

  • example.com##+js(set-cookie, CookieConsent, 1)
  • example.com##+js(set-cookie, gdpr-settings-cookie, true)
  • example.com##+js(set-cookie, cookie_consent, ok, none)

Also see:


trusted-set-cookie.js

Trusted scriptlet

Sets a cookie with arbitrary name and value, and with optional ability to offset cookie attribute 'expires' and set path.

New in 1.50.1b1.

Parameters:

  • required, cookie name to be set
  • required, cookie value. Possible values:
    • arbitrary value
    • empty string for no value
    • $now$ keyword for setting current time in ms, e.g 1667915146503. Can be used inside a string since 1.58.1b0
    • $currentDate$ keyword for setting current time as string, e.g 'Tue Nov 08 2022 13:53:19 GMT+0300'
    • $currentISODate$ keyword for setting current time in ISO format as string, e.g '2024-07-07T12:10:00.641Z' (since 1.58.1rc0)
  • optional, offset from current time in seconds, after which cookie should expire; defaults to no offset. Possible values:
    • positive integer in seconds
    • 1year keyword for setting expiration date to one year
    • 1day keyword for setting expiration date to one day
  • optional, argument for setting cookie path, defaults to /; possible values:
    • /: root path
    • none: to set no path at all

Variadic parameters (must appears after required and optional parameters):

  • reload, 1: the scriplet will force a reload of the webpage if the cookie being set was not already set.
  • domain, [value]: the scriptlet will set the domain of the cookie to value.
  • dontOverwrite, 1: the scriptlet will not modify the cookie if it already exists.

; Secure will be automatically used when cookie names starts with __Secure- or __Host-.

Examples:

  • example.com##+js(trusted-set-cookie, cmpconsent, 1-accept_1)
  • example.com##+js(trusted-set-cookie, cmpconsent, $now$)
  • example.com##+js(trusted-set-cookie, cmpconsent, '{"accepted":true,"expire":$now$}')
  • example.com##+js(trusted-set-cookie, cmpconsent, accept, 259200)
  • example.com##+js(trusted-set-cookie, cmpconsent, accept, 1year)
  • example.com##+js(trusted-set-cookie, cmpconsent, decline, , none)

The second and third filters will set a cookie with new Date().getTime() value.

The forth and fifth filters will set a cookie which will expire in 3 days or 1 year.

The sixth filter sets a cookie with no path.

Also see:


set-local-storage-item.js

set-session-storage-item.js

New in 1.50.1b4 and 1.50.1b12.

Set a local/session storage entry to a specific, allowed value. Scriptlet won't set item if storage is full. Double quotes surrouding the key value are allowed.

  • required, key name to be set.
  • required, key value; possible values:
    • decimal integer >= -32767 && <= 32767 (only <= 32767 up to 1.61.1b1)
    • one of the predefined constants:
      • '': empty string
      • undefined, null
      • false, true
      • on, off
      • yes, no
      • accept, reject 1.57.3b9
      • accepted, rejected 1.57.3b9
      • allowed, denied 1.59.1b5
      • any from set-cookie 1.59.1b5
      • {}: empty object
      • []: empty array
      • ""
      • $remove$: remove specific item from localStorage

Examples:

  • example.com##+js(set-local-storage-item, player.live.current.mute, false)
  • example.com##+js(set-local-storage-item, exit-intent-marketing, 1)
  • example.com##+js(set-local-storage-item, foo, $remove$)
  • example.com##+js(set-session-storage-item, player.live.current.mute, false)
  • example.com##+js(set-session-storage-item, exit-intent-marketing, 1)
  • example.com##+js(set-session-storage-item, foo, $remove$)

Solves uBlockOrigin/uBlock-issues#2697.

Also see:


trusted-set-local-storage-item.js

trusted-set-session-storage-item.js

Trusted scriptlet

New in 1.50.1b4 and 1.53.5rc7.

Parameters:

  • required, key name to be set.
  • required, key value; possible values:
    • arbitrary value
    • $now$: keyword for setting current time in ms,
      corresponds to Date.now() and (new Date).getTime() calls, can be used inside a string since 1.57.3b8
    • $currentDate$: keyword for setting string representation of the current date and time,
      corresponds to Date() and (new Date).toString() calls, can be used inside a string since 1.57.3b8
    • $currentISODate$: keyword for setting string representation of the current date and time in ISO format,
      corresponds to Date() and (new Date).toISOString() calls, can be used inside a string since 1.57.3b8

Examples:

  • example.com##+js(trusted-set-local-storage-item, COOKIE_CONSENTS, {"preferences":3\,"flag":false})
  • example.com##+js(trusted-set-local-storage-item, providers, [16364\,88364])
  • example.com##+js(trusted-set-local-storage-item, player.live.current.play, $currentDate$)
  • example.com##+js(trusted-set-local-storage-item, ppu_main_none, '')
  • example.com##+js(trusted-set-session-storage-item, opd, 1.4)

Also see:


remove-cache-storage-item.js

New in 1.55.1b23

Removes cache storage item.

Syntax: ...##+js(remove-cache-storage-item, cacheNamePattern[, urlPattern])

Parameters:

  • required, cacheNamePattern: the name of the cache to target. Plain string or regex.
  • optional, urlPattern: the URL of the resource to remove. Plain string or regex.
    If no pattern is provided, the whole cache is removed.

Reference: https://developer.mozilla.org/en-US/docs/Web/API/CacheStorage


adjust-setInterval.js

nano-setInterval-booster.js /

nano-sib.js

Adjusts interval for specified setInterval() callbacks.

Parameters:

  • optional, string/regular expression, matching in stringified callback function
  • optional - defaults to 1000, decimal integer, matching interval. New in 1.33.0: * will match any interval.
  • optional - default to 0.05 (20x faster), float, capped at 50 times for up and down, interval multiplier

Examples:

  • identi.li##+js(nano-sib, , ,0.02)
  • platinmods.*##+js(nano-sib)
  • 1ink.cc##+js(nano-sib, mSec, 1050)

Also see:


spoof-css.js

Spoof the CSS property value when getComputedStyle() or getBoundingClientRect() are used.

Parameters:

  • required, a valid CSS selector which matches the elements for which the spoofing must apply
  • required, a CSS property name (can be dashed- or camel-cased)
  • required, the value to return regardless of the currently computed value

Examples:

  • example.com##+js(spoof-css, .ad, clip-path, none)
    example.com##+js(spoof-css, .ad, _debug, 1)

There can be any number of selectors, grouped inside single quotes:

  • example.com##+js(spoof-css, 'a[href="x.com"], .ads, .bottom', clip-path, none)

There can be any number of property-name/property-value pairs, all separated by commas:

  • example.com##+js(spoof-css, .ad, clip-path, none, display, block)

Special properties: 1.61.1b4

If both _rectw and width are present in the list of properties to spoof, _rectw will have precedence over width in the spoofing of getBoundingClientRect() output. Same for _recth.

Solves uBlockOrigin/uBlock-issues#2618.

Also see:


prevent-canvas.js

New in 1.52.3b2

Prevent usage of specific or all (default) canvas APIs.

Syntax:

  • example.com##+js(prevent-canvas [, contextType])

Parameters:

  • optional, contextType: A specific type of canvas API to prevent (default to all APIs). Can be a string or regex which will be matched against the type used in getContext() call. Prepend with ! to test for no-match.

Examples:

  • example.com##+js(prevent-canvas) - prevents example.com from accessing all canvas APIs
  • *##+js(prevent-canvas, /webgl/) - prevents access to any flavor of WebGL API, everywhere
  • example.com##+js(prevent-canvas, !2d) - prevents example.com from accessing any flavor of canvas API except 2d

References: https://developer.mozilla.org/en-US/docs/Web/API/HTMLCanvasElement/getContext


adjust-setTimeout.js

nano-setTimeout-booster.js /

nano-stb.js

Adjusts delay for specified setTimeout() callbacks.

Parameters:

  • optional, string/regular expression, matching in stringified callback function
  • optional - defaults to 1000, decimal integer, matching delay. New in 1.33.0: * will match any delay.
  • optional - default to 0.05 (20x faster), float, capped at 50 times for up and down, delay multiplier

Examples:

  • bdupload.*##+js(nano-stb)
  • imgrock.*##+js(nano-stb, /.?/, 4000)

Also see:


sharedWorker-defuser.js

Removed. Deprecated by $csp filter option.
Defuses sharedWorker by passing empty worker file (Blob URL) for specified worker URLs

Parameters:

  • optional, string/regular expression, matching in worker URL

webrtc-if.js

Allows opening RTC connections to matching RTCIceServer only.

Parameters:

  • required, string/regular expression, matching in RTCIceServer urls, username or credential.

close-window.js

window-close-if.js

New in 1.39.3b10.

Closes fresh browser tabs of the specified page. Can also be used to close tabs which have been opened from other applications. Can be narrowed down to specific path by parameter. Whole browser window will be closed if it's the last/only tab (depends on browser configuration).

Improvements:

  • 1.44.3b11, If the argument to the window-close-if scriptlet is a regex, the match will be against the whole location URL, otherwise the match will be against the part+query part of the location URL.

Parameters:

  • optional, string, matching in the path and query part of the web page address or regular expression, matching in the whole location URL.

Examples:

  • acestream.com##+js(window-close-if, /plan/select?popup=noads)
  • example.com##+js(window-close-if, /^/) - will close all new tabs going to example.com on any site.
  • hostdl.com##+js(window-close-if, /^https?://(www\.)?hostdl\.com/) - will close all new tabs matching either only base domain or www one (i.e. not login.hostdl.com).

Also see:


prevent-window-open.js

nowoif.js /

no-window-open-if.js /

window.open-defuser.js

Prevent opening new windows by window.open() when URL positively or negatively matches to specific string.

Improvements:

  • 1.29.2, third parameter can now configure behavior of the scriptlet.
  • 1.27.0, nowoif.js alias is now available.
  • 1.26.0 (one, two),
    if second argument is present and a valid integer value, the defuser will return a valid window object even though no popup window is opened. The returned window object will cease to be valid after the specified number of seconds. If not present, no window will be opened and the scriptlet will return null.

If the first argument is set to the special value debug and the logger is opened, the scriptlet will trigger a debugger statement and the prevention will not occur.

When used without parameters, will log calls to window.open() to the logger.

Parameters:

  • optional, string/regular expression, prefixed by ! for negation, matching in all parameters passed to window.open() (all the arguments are joined as a single space-spearated string, and the result is used as the target for matching the pattern, new in 1.50.1b2), if not provided, all calls to window.open() are prevented.
  • optional, positive decimal integer, number of seconds after returned window object will be invalidated.
  • optional, possible values:
    • obj: Use an object element instead of iframe element (default) as a decoy to be used in place of a popup window, when the page requires a valid window instance to be returned.
    • blank: Replace the url parameter with about:blank. 1.59.1b9

Tokens:

  • log, 1: Cause the scriptlet to log information regarding how window.open() is used by the page on which the scriptlet is used.
    (deprecated, read about the new method of logging scriptlets)

Examples:

  • file-up.org##+js(nowoif)
  • vidstream.*##+js(nowoif, !api?call=, 10, obj)
  • example.com##+js(nowoif, download-link, , , log, 1)

Also see:


window.name-defuser

Clears window.name property which can be misused for tracking purposes.

Parameters:

  • none

overlay-buster.js

Experimental, gets rid of overlay dialogs, works for ~30s after page load. Preferred way to handle overlays is to use standard cosmetic filters and optionally style injection.


alert-buster.js

Disables alert() dialog boxes by redirecting messages to console.


Defuser scriptlets

ampproject_v0.js /

ampproject.org/v0.js

Removes animation (artificial 8s delay) added to desktop pages supporting AMP, when ampproject.org scripts are blocked.

fingerprint2.js

Fingerprintjs2 shim.

Also see: AdGuard fingerprintjs2

fingerprint3.js

FingerprintJS v3 shim.

Also see: AdGuard fingerprintjs3

nobab.js /

bab-defuser.js

Defuses BlockAdblock. Prevents executing of eval() on sets of predefined payloads.

Also see: AdGuard prevent-bab

nobab2.js

Redirect resource. Defuses BAB 4.2b.

Also see: AdGuard prevent-bab2

nofab.js /

fuckadblock.js-3.2.0

Convenience, Sanitize FuckAdBlock, BlockAdBlock, SniffAdBlock, fuckAdBlock, blockAdBlock, sniffAdBlock properties. Often used as redirect in network filters. TODO: copy to redirect?

Also see: AdGuard prevent-fab-3.2.0

popads-dummy.js

Convenience, sets static properties (PopAds, popns)

Also see: AdGuard set-popads-dummy

popads.js /

popads.net.js

Convenience, abort-on-property-write.js (PopAds, popns), throws "magic"

Also see: AdGuard prevent-popads-net

prebid-ads.js

New in 1.41.0

Prebid-ads shim. canRunAds/isAdBlockActive?

Also see: AdGuard prebid-ads

Empty redirect resources

These are smallest/shortest/fastest to execute files. Should be used in network filters as a parameter to $redirect option. They purpose is to mislead page to think that real files have been served.

Available resources

  • Images
  • Source code
    • noop.css
    • noop.html
    • noop.js
    • noop.json
    • noop.txt
    • noop-vast2.xml
    • noop-vast3.xml
    • noop-vast4.xml
    • noop-vmap1.xml
  • Media files
    • noop-0.1s.mp3
    • noop-0.5s.mp3
    • noop-1s.mp4
  • Special purpose
    • none

      reserved token, can be used to disable specific redirect filters. Starting with 1.31.0, classic exception filters and badfilter option can be used.

    • click2load.html

      for embedded <iframe> elements. New in 1.31.0 (also 2e5d32e9, 46d7f8a7). Frames redirected to this resource will not be collapsed, instead, widget with clickable and selectable frame source link will be displayed. Clicking the icon next to source link will open frame content in new tab. Clicking the widget content will unblock and load original frame content.

Example rules:

  • ||ad.server.com/$script,redirect=noop.js,domain=www.google.com
  • ||dailymotion.com$3p,frame,redirect=click2load.html,domain=lemonde.fr for example video link:
    https://www.lemonde.fr/international/video/2024/08/23/en-images-le-discours-de-kamala-harris-pour-clore-la-convention-democrate_6291494_3210.html
  • ||vimeo.com$3p,frame,redirect=click2load.html,domain=theregister.com for example video link:
    https://www.theregister.com/2024/08/01/a_fresh_approach_for_container/

URL-specific sanitized redirect resources (surrogates)

amazon_ads.js /

amazon-adsystem.com/aax2/amzn_ads.js

amazon_apstag.js

New in 1.27.0.

doubleclick_instream_ad_status.js /

doubleclick.net/instream/ad_status.js

google-analytics_ga.js /

google-analytics.com/ga.js

google-analytics_analytics.js /

google-analytics.com/analytics.js

google-analytics_inpage_linkid.js /

google-analytics.com/inpage_linkid.js

google-analytics_cx_api.js /

google-analytics.com/cx/api.js

google-ima.js

googletagservices_gpt.js /

googletagservices.com/gpt.js

googletagmanager_gtm.js /

googletagmanager.com/gtm.js

googlesyndication_adsbygoogle.js /

googlesyndication.com/adsbygoogle.js

scorecardresearch_beacon.js /

scorecardresearch.com/beacon.js

outbrain-widget.js /

widgets.outbrain.com/outbrain.js

hd-main.js

disqus_forums_embed.js AND disqus_embed.js /

disqus.com/forums/*/embed.js AND disqus.com/embed.js

Removed in 1.29.0.


Other

Deprecated by general purpose scriptlets / outdated (please move to proper section if still used).


golem.de.js

Deprecated, addEventListener-defuser


chartbeat.js /

static.chartbeat.com/chartbeat.js

Deprecated, sets static properties (pSUPERFLY.activity, pSUPERFLY.virtualPage)

ligatus_angular-tag.js /

ligatus.com/*/angular-tag.js

Deprecated, sets static properties (adProtect, uabpdl, uabDetect)

addthis_widget.js /

addthis.com/addthis_widget.js

monkeybroker.js /

d3pkae9owd2lcf.cloudfront.net/mb105.js


Glossary

Clone this wiki locally