-
Notifications
You must be signed in to change notification settings - Fork 3.2k
Resources Library
- Current RAW version of Resources can be found in files inside src/js/resources/ directory ↪ and src/web_accessible_resources directory ↪
- General purpose scriptlets
- Defuser scriptlets
- Empty redirect resources
- URL-specific sanitized redirect resources
- Other (deprecated/outdated)
- Scriptlets and Redirects compatibility tables between uBlock Origin / AdGuard / Adblock Plus
- Glossary
- abort-current-script (acs / abort-current-inline-script / acis)
- abort-on-property-read (aopr)
- abort-on-property-write (aopw)
- abort-on-stack-trace (aost)
- addEventListener-defuser (aeld / prevent-addEventListener)
-
addEventListener-logger(aell) - trusted-click-element [Trusted]
- set-constant (set)
- trusted-set-constant (trusted-set) [Trusted]
- trusted-suppress-native-method [Trusted]
- trusted-override-element-method [Trusted]
- trusted-prevent-dom-bypass [Trusted]
- set-cookie
- trusted-set-cookie [Trusted]
- remove-cookie (cookie-remover)
- set-local-storage-item / set-session-storage-item
- trusted-set-local-storage-item / trusted-set-session-storage-item [Trusted]
- remove-cache-storage-item
- call-nothrow
- prevent-setInterval (no-setInterval-if / nosiif / setInterval-defuser)
- prevent-setTimeout (no-setTimeout-if / nostif / setTimeout-defuser)
- adjust-setInterval (nano-setInterval-booster / nano-sib)
- adjust-setTimeout (nano-setTimeout-booster / nano-stb)
- prevent-xhr (no-xhr-if)
- trusted-prevent-xhr [Trusted]
- prevent-fetch (no-fetch-if)
- trusted-replace-xhr-response [Trusted]
- trusted-replace-fetch-response (trusted-rpfr) [Trusted]
- trusted-replace-argument [Trusted]
- set-attr
- trusted-set-attr [Trusted]
- remove-attr (ra)
- remove-class (rc)
- remove-node-text (rmnt)
- trusted-replace-node-text (trusted-rpnt / replace-node-text / rpnt) [Trusted]
- trusted-replace-outbound-text (trusted-rpot) [Trusted]
- spoof-css
- prevent-canvas
- href-sanitizer
- disable-newtab-links
- close-window (window-close-if)
- prevent-window-open (nowoif / no-window-open-if / window.open-defuser)
- object-prune
- trusted-prune-inbound-object [Trusted]
- trusted-prune-outbound-object [Trusted]
- json-prune
- json-prune-fetch-response
- json-prune-xhr-response
- evaldata-prune
- xml-prune
- m3u-prune
- noeval
- noeval-silent
- noeval-if (prevent-eval-if)
no-floc- prevent-requestAnimationFrame (no-requestAnimationFrame-if / norafif)
- nowebrtc
- webrtc-if
- window.name-defuser
- prevent-refresh (refresh-defuser)
- overlay-buster
- alert-buster
- ampproject_v0
- fingerprint2
- fingerprint3
- nobab (BlockAdblock)
- nobab2 (BlockAdblock 4.2b)
- nofab (FuckAdblock)
- popads-dummy
- popads
- prebid-ads
1x1.gif
2x2.png
3x2.png
32x32.png
noop.css
-
noop.html
(noopframe
) noop.js
-
noop.json
1.53.5rc11 noop.txt
noop-0.1s.mp3
noop-0.5s.mp3
noop-1s.mp4
-
noop-vast2.xml
1.59.1b6 -
noop-vast3.xml
1.59.1b6 -
noop-vast4.xml
1.59.1b6 -
noop-vmap1.xml
1.33 none
click2load.html
- amazon_ads.js
- amazon_apstag.js
- doubleclick_instream_ad_status
- google-analytics_ga.js
- google-analytics_analytics.js
- google-analytics_inpage_linkid.js
- google-analytics_cx_api.js
- google-ima.js
- googletagservices_gpt.js
- googletagmanager_gtm.js
- googlesyndication_adsbygoogle.js
- scorecardresearch_beacon.js
- outbrain-widget.js
- hd-main.js
- Most scriptlet relies on
Object
properties (methods), altering them may not be the best idea (you should know what you are doing). - Some properties related more to browser APIs rather than JS language built-ins can behave in unexpected way. For example browser can override them without scriptlet noticing this. Keep this in mind when using them in scriptlet injection filers.
- "Optional" for "string/regular expression" parameter defaults to "catch all" (
/.?/
) if not specified. - "String" parameter means plain character(s)/word(s), quotes will be taken literally, commas must be escaped in regex literals:
/foo\x2cbar\u002cbaz/
, after 1.22.0 commas can be escaped by backslash character (foo\,bar
). - "Regular expression" parameter means JavaScript regular expression literal.
- Mime type is
application/javascript
if not present. - You can use the short alias form when available for scriptlet name.
- You should omit the
.js
from the scriptlet name in scriptlet injection filters (eventually in some future this will be the official way to do this).- Do not skip
.js
when the scriptlet is used withredirect=
, only when used in+js(...)
.
- Do not skip
- Crossed out resources are deprecated/removed.
- Starting with 1.46.1b17 support for regex-based values as target domain has been added. Use sparingly, when no other solution is practical from a maintenance point of view -- keeping in mind that uBO has to iterate through all the regex-based values, unlike plain hostname or entity-based values which are mere lookups. Related discussion: uBlockOrigin/uBlock-issues#2234. Example:
/img[a-z]{3,5}\.buzz/##+js(nowoif)
. - The usage of named arguments is optional, positional arguments are still supported as documented. Named arguments is required to use "log" and/or "debug" arguments.
- The logging/debugging capabilities work only in the dev build of uBO or if the advanced setting
filterAuthorMode
is set totrue
. - Starting with 1.57.3b1, the old method of displaying scriptlets's logs in browser's dev console and via
(log, 1)
tokens is deprecated:- now all scriptlets's logging output is automatically displayed in the logger & the logger's console pane.
- in the logger, toggling labels
info
anderror
in filter input field can be used to reduce information displayed in the logger to informations and errors, including scriptlets, and with additionalnot
operator selected, the opposite effect can be achieved. - in the logger's console pane, toggling additionally verbose mode button, will cause console pane to print more logs from scriptlets.
- by default, scriptlets will print out only calls and informations related to their orders and targets,
to log all calls without defusing any of them, a scriptlet without parameters can be used, example:wikipedia.org##+js(aeld)
- related discussions: uBlockOrigin/uAssets/discussions/17907 and uBlockOrigin/uBlock-issues/discussions/3096
- The only filter lists deemed from a "trusted source" are uBO-specific filter lists (i.e. "uBlock filters -- ..."). The user's own filters from "My filters" are trusted only in the dev build of uBO. This behaviour can be overridden with the advanced setting
trustedListPrefixes
. - Tokens are parameters which modify the behavior of a scriptlet, they must be used after the required and optional parameters.
abort-current-script.js ↪
Aborts execution of inline script (throws ReferenceError
) when attempts to access specified property when text content or src
attribute value (new in 1.37.0) of <script>
element matches specified text or regular expression.
Note that acis.js
and abort-current-inline-script.js
aliases are deprecated and can be removed in the future.
Parameters:
- required, property (chain of properties joined by
.
) attached to window object accessed inside<script>
tag we want to break - optional, string/regular expression matching in
<script>
element content - optional, new in 1.37.0, string/regular expression matching in the decoded value of the
src
attribute of the<script>
tag, when the attribute content is not a remote network address, but the actual inline script URL-encoded or base64-endcoded as adata:
URI
Examples:
weristdeinfreund.de##+js(acis, Number.isNaN)
tichyseinblick.de##+js(acis, Math, /\}\s*\(.*?\b(self|this|window)\b.*?\)/)
Starting with 1.48.5b4, you can use the logging abilites. (deprecated)
(read about the new method of logging scriptlets)
Tokens:
-
: output useful information at the dev console. (deprecated)log, 1
-
debug, 1
: break at key locations in the scriptlet.
Also see:
abort-on-property-read.js ↪
Aborts execution of script (throws ReferenceError
) when attempts to read specified property. Writes are ignored.
Parameters:
- required, property (chain of properties joined by
.
) attached to window object
Examples:
tagesspiegel.de##+js(aopr, Notification)
Also see:
abort-on-property-write.js ↪
Aborts execution of script (throws ReferenceError
) when attempts to write specified property.
Parameters:
- required, property (chain of properties joined by
.
) attached to window object that will be overwritten
Examples:
yggtorrent.*##+js(aopw, Fingerprint2)
Also see:
abort-on-stack-trace.js ↪
New in 1.29.3rc9
Aborts execution of script (throws ReferenceError
) when attempts to access specified property when stack trace matches specified text or regular expression. Internal discussion
Parameters:
- required, property (chain of properties joined by
.
) to trap in order to launch the stack trace matching code, ex.Math.random
- optional, string/regular expression, the needle to match against the stack trace. If the empty string, only log. Prepend pattern with
!
to test for unmatched patterns in stack trace (New in 1.51.1b6)
Tokens:
- "log":
-
all
: log stack trace for all access to trapped property -
match
: log stack trace for defused access to trapped property -
nomatch
: log stack trace for non-defused access to trapped property
-
Stack trace is normalized, but there still can be differences (Chromium vs Firefox) because of different format of stack trace.
There is a special string which can be used to match inline script context - inlineScript
.
Though the stack trace is rendered in the console using new line to separate the stack trace lines, internally \t
is used. The reason is to be more easily be able to create regex-based needle when using regex .
character class.
The stack trace is prepended with stackDepth:...
in order to allow to filter on stack depth, however higher depth values can likely differ between Chromium and Firefox.
Firefox often reports injectedScript
, attempt has been made to convert entries in Chromium which seems to correspond to this, so that both browser families will report injectedScript
.
The column value is normalized to 1, however there is too much discrepancy between browser families for that value to be of any use.
Filtering according to reported line numbers (...:1234:1
), will not be reliable for inline scripts, since the line at which those inline scripts are located will vary from one page to another. It should be reliable for when the stack trace entry is for code in a JS file.
Also see:
addEventListener-defuser.js ↪
Prevents attaching event listeners.
Parameters (when using positional arguments):
- optional, string/regular expression, name of the event listener to defuse
- optional, string/regular expression matching in stringified handler function, narrows down defusing to specific handler
Examples:
vev.io##+js(aeld, adb.updated)
newser.com##+js(aeld, load, Object)
vivo.sx##+js(aeld, , preventDefault)
vidto.me##+js(aeld, /^(?:click|mousedown|mousemove|touchstart|touchend|touchmove)$/, system.popunder)
Tokens:
- "runAt": when this parameter is present, uBO will take it into account to possibly defer defusing the event listener (New in 1.49.3b4):
- end: execute scriptlet at
DOMContentLoaded
event ("interactive") - idle: execute scriptlet at
load
event ("complete")
- end: execute scriptlet at
- "elements": if present, will be used to apply the scriptlet to only elements matching the selector (New in 1.55.1b1)
- must be a valid CSS selector (also
window
anddocument
elements can be used as a selector (New in 1.58.1b5))
- must be a valid CSS selector (also
- "debug": an integer value telling when to break into the debugger, useful to inspect the debugger's call stack.
- 1: break into the debugger when both type and pattern match, so effectively when defusing is taking place.
- 2: break into the debugger when either type or pattern matches.
● "log": (deprecated)
▬▬► SPOILER START ◄▬▬
- "log": an integer value telling when to log (see uBlockOrigin/uAssets#17907):
- 1: log only when both type and pattern matches, i.e. when a call to
addEventListener()
is defused - 2: log when either the type or pattern matches
- 3: log all calls to
addEventListener()
- 1: log only when both type and pattern matches, i.e. when a call to
Examples:
wikipedia.org##+js(aeld, /mouse/, /.^/, log, 2)
wikipedia.org##+js(aeld, , /.^/, log, 2)
wikipedia.org##+js(aeld, , , log, 1)
wikipedia.org##+js(aeld, _, , log, 3)
The first filter will log calls to addEventListener()
which have the pattern "mouse" in the event type (so "mouseover", "mouseout", etc.) without defusing any of them (because pattern can't match anything).
The second filter will log all calls without defusing any of them (because type can't match anything).
The third filter will log and defuse all calls to addEventListener()
The fourth filter will log all calls to addEventListener()
without defusing any of them
▬▬► SPOILER END ◄▬▬
(read about the new method of logging scriptlets)
Examples:
jpvhub.com##+js(aeld, click, popMagic, runAt, idle)
subkade.ir##+js(aeld, click, return"undefined", elements, a.indirect)
wikipedia.org##+js(aeld)
The third filter will log all calls to addEventListener()
without defusing any of them
Also see:
addEventListener-logger.js ↪
Removed in 1.48.1b3.
Logs to the console event listeners created on page.
The logging or debugging of addEventListener()
calls can now be done with the addEventListenerDefuser
scriptlet, which now supports named arguments.
Also see:
remove-cookie.js ↪
Removes current page cookies specified by name. For current domain, wildcard (dot) subdomain(s), after 1.28.0 also for domain one level above www
, current and /
path, script accessible (HttpOnly=false), on load and before unload.
Caveats: cookies set for higher level domain will not be removed. For example, if current page domain is page.example.com
, cookies set for example.com
will not be removed. One exception is www
subdomain, which will work after 1.28.0.
Parameters:
- optional, string/regular expression, matching in the name of the cookie
Tokens:
- "when": when this parameter is present, it adds ability to trigger cookie removal on specific events (with delay 500ms):
Examples:
subdivx.com##+js(cookie-remover, ref_cookie)
-
discovermagazine.com##+js(remove-cookie, AWSALBTG, when, scroll)
(solves: 'remove-cookie' scriptlet sometimes does not work)
Also see:
csp.js ↪
Removed. Deprecated by $csp
network filter option.
Applies content security policy by inserting <meta http-equiv=Content-Security-Policy content="*directive*">
tag to html <head>
element.
Read more at https://www.w3.org/TR/CSP2/#delivery-html-meta-element
Content Security Policy Quick Reference Guide
Parameters:
- required, valid Content Security Policy directive
call-nothrow.js ↪
New in 1.48.1b0.
Prevents a call to an existing function from throwing an exception. It encloses existing functions in this block and ignores the exception:
try {
[existing function]
}
catch() {
[ignore when throws]
}
It will return undefined
because returning variable is never set.
The exception will be caught by the scriptlet and neutralized. The first argument must be a reference to a function call. At the moment, the function call must exist at the time the scriptlet is called.
Parameters:
- required, a reference to a function call
Examples:
example.com##+js(call-nothrow, Object.defineProperty)
Also see:
disable-newtab-links.js ↪
Prevents creating new tabs/windows by deactivating links with target
attribute.
Parameters:
- none
Examples:
there.to##+js(disable-newtab-links)
To prevent new tabs/windows by specifying the location URL, see: window-close-if.js
Also see:
evaldata-prune.js ↪
New in 1.49.3rc15
Intercepts calls to eval()
and will work only if what is passed to eval
can be parsed as JSON.
For parameters, see: json-prune
When no "prune paths" argument (first parameter) is provided, the scriptlet is used for logging purpose and the "needle paths" argument (second parameter) is used to filter logging output.
Examples:
m.nivod4.tv##+js(evaldata-prune, entity.commercial)
Also see:
object-prune.js ↪ * (fn)
New in 1.51.1b14 * (fn)
[Documentation to be completed]
trusted-prune-inbound-object.js ↪
New in 1.52.3rc0
To perform object pruning for any given call which has an object as argument (hence "inbound").
Parameters:
- required, the name of the property to trap. Must be a function, and must exist when the scriptlet tries to install the trap.
- required, the position of the object to prune in the argument list when the trapped function is called. The position is 1-based and must be an integer greater than 0.
- required, the properties to prune (as with
json-prune
) - optional, the properties which must all be present for pruning to occur
(as with
json-prune
)
Varargs:
-
stackToMatch
: string or regular expression that must match the current function call stack trace. Prepend pattern with!
to test for unmatched patterns in stack trace. -
, dontOverwrite, 1
: do not modify the target inbound object
Examples:
-
Remove
title
andname
properties before passing the object toJSON.stringify
call:example.org##+js(trusted-prune-inbound-object, JSON.stringify, 1, title name)
-
Remove
status
property before passing the object toObject.keys
call but do not modify caller's instance of the object:example.org##+js(trusted-prune-inbound-object, Object.keys, 1, status, , dontOverwrite, 1)
Also see:
trusted-prune-outbound-object.js ↪
New in 1.52.3rc3
Essentially a complement of trusted-prune-inbound-object
added in 1.52.3rc0
To perform object pruning on any object returned synchronously by any given call.
Parameters:
- required, the name of the property to trap. Must be a function, and must exist when the scriptlet tries to install the trap.
- required, the properties to prune (as with
json-prune
) - optional, the properties which must all be present for pruning to occur
(as with
json-prune
)
The scriptlets json-prune
and evaldata-prune
essentially
perform the same function, and will eventually be rewritten to
internally delegate to generic trusted-prune-outbound-object
.
json-prune.js ↪
New in 1.23.0
Intercepts calls to JSON.parse()
and Response.json()
New in 1.31.0. If the result of the parsing is an Object, remove specified properties from the result before returning to the caller.
Parameters:
- optional, string, a list of space-separated properties to remove
- optional,
- string, a list of space-separated properties which must be all present for the pruning to occur; OR
- string/regular expression, for logging purposes, matching in stringified JSON payloads (New in 1.27.0)
- optional, string or regular expression that must match the current function call stack trace (New in 1.51.1b5). Prepend pattern with
!
to test for unmatched patterns in stack trace (New in 1.51.1b6)
A property in a list of properties can be a chain of properties, example: adpath.url.first
.
After 1.28.0, two special "wildcard tokens" have been added:
-
[]
: iterate in all elements in an array. To deal with cases where the property to remove is an element in an array. To removeadserver
object properties from array in following JSON payload:{"playlist": [{"adserver": "first"},{"adserver": "second"}]}
Use:
+js(json-prune, playlist.[].adserver)
-
*
: iterate through all own properties of an object. For example, to deal with hard to predict random-named properties. To removeadserver
object properties from inside randomly named objects in following JSON payload:{"playlist": {"random1": {"adserver": "first"}, "randomB": {"adserver": "second"}}}
Use:
+js(json-prune, playlist.*.adserver)
Version 1.57.0 extend syntax with two special token properties:
-
[-]
: remove an array entry if part right of[-]
matches the inspected item. -
{-}
: remove a property if part right of{-}
matches the inspected item.
When used without parameters, will log current hostname + json payload to the logger.
New in 1.27.0 - second parameter can be used to limit logging to JSON payloads which stringified content match specified string or regular expression.
Tokens:
-
log, ...
: This extends logging capabilities ofjson-prune
scriptlet as follows:...##+js(json-prune, a, b, stackNeedle, log, [logneedle], logstack, 1)
. Whereas before, the only way to logjson-prune
usage was to skip providing the property chain:...##+js(json-prune, , b)
Whereb
was the expression to filter out logging output. With the extended logging capabilities, the logging output can be filtered out withlogneedle
, which can be a regex literal. Additionally, to log the stack trace thestackNeedle
argument must be set to non-empty string. You can use/.^/
to log the stack trace without matching it (New in 1.51.1b5).
Examples:
youthhealthmag.com##+js(json-prune, unit_list)
winfuture.de##+js(json-prune, adtagparameter, enabled)
-
imgsen.com##+js(json-prune, *, showTrkURL)
- will remove everything when needle matches, new in 1.35
If the site uses eval
in lieu of JSON.parse
, see: evaldata-prune
Also see:
json-prune-fetch-response.js ↪
New in 1.51.1rc1
Removes specified properties from the JSON response of a fetch call.
Syntax:
...##+js(json-prune-fetch-response, prune paths [, needle paths [, ...varargs ]])
For parameters, see: json-prune
Except that the stack
parameter is treated as a vararg.
Tokens:
- "propsToMatch": string of space-separated properties to match; possible props:
- string or regular expression for matching the URL passed to fetch call;
- colon-separated pairs
name:value
where-
name
isinit
option name -
value
is string or regular expression for matching the value of the option passed to fetch call.
-
- "stackToMatch": string or regular expression that must match the current function call stack trace. Prepend pattern with
!
to test for unmatched patterns in stack trace.
Examples:
tumblr.com##+js(json-prune-fetch-response, response.timeline.elements.[-].advertiserId, , propsToMatch, url:/api/v2/tabs/for_you)
nbc.com##+js(json-prune-fetch-response, avails, , propsToMatch, amazonaws.com)
Also see:
json-prune-xhr-response.js ↪
New in 1.51.1rc3
Removes specified properties from the JSON response of a XMLHttpRequest
call.
For usage, see: json-prune-fetch-response
Example:
www.facebook.com##+js(json-prune-xhr-response, data.viewer.instream_video_ads data.scrubber, , propsToMatch, /api/graphql)
Also see:
xml-prune.js ↪
Removes an element from the specified XML retrieved using fetch, xhr support was added in 1.49.3rc6.
New in 1.44.5b3
After 1.49.3rc16, it can also remove attributes.
Parameters:
- required, a selector of elements or xpath of elements/attributes (New in 1.49.3rc16) which are to be removed.
- optional, a selector or xpath (New in 1.49.3rc15 that must have a match in the document for the pruning to occur. No selector means the pruning can be performed regardless.
- optional, a URL which must be a match for the pruning to occur. If left blank, the pruning can be performed regardless.
Tokens:
-
(deprecated, read about the new method of logging scriptlets)log, 1
-
logdoc, 1
: Dumps the whole document being worked on to the logger
Examples:
cbs.com##+js(xml-prune, Period[id*="-roll-"][id*="-ad-"], , pubads.g.doubleclick.net/ondemand)
play.max.com##+js(xml-prune, xpath(//*[name()="Period"][not(.//*[name()="SegmentTimeline"])]), , .mpd)
example.com##+js(xml-prune, xpath(//*[name()="MPD"]/@mediaPresentationDuration), , .mpd, log, 1)
Also see:
m3u-prune.js ↪
New in 1.44.5b6
Sometimes sites serve real video content and video ads all in one place inside .m3u8
files.
You can use m3u-prune
to remove those ad segments.
Examples:
player.theplatform.com##+js(m3u-prune, tvessaiprod.nbcuni.com, /theplatform\.com\/.*?\.m3u8/)
mephimtv.cc##+js(m3u-prune, /#EXT-X-DISCONTINUITY(.|\n){1\,100}#EXT-X-DISCONTINUITY/gm, mixed.m3u8)
If the first argument is a regex with multine flag set, the scriptlet will execute the regex against the whole text, and remove matching text from the whole text (New in 1.47.5b10).
If the matching text does not contain whole lines, the text won't be removed, i.e. it is not allowed to remove only part of a line.
Also see:
noeval.js ↪
Prevent web pages from using eval()
, and report attempts to the logger. This should not be used as a generic filter due to the fact that it breaks many websites, including those using Cloudflare's DDoS protection.
Examples:
solowarez.org##+js(noeval)
Also see:
silent-noeval.js ↪
Prevent web pages from using eval()
.
noeval-if.js ↪
Prevent web pages from using eval()
on specific matching payloads.
Parameters:
- optional, string/regular expression, matching in payload string.
Examples:
orgyxxxhub.com##+js(noeval-if, replace)
no-floc.js ↪
Obsolete: FLoC ended its experiment in July of 2021.
New in 1.35.0.
Defuses Google FLoC ("Federated Learning of Cohorts") tracking. Read more on https://amifloced.org/
uBlock Origin (uBO) ensures FLoC is opt-in. The generic filter *##+js(no-floc)
in "uBlock filters -- Privacy" ensures the feature is disabled when using default settings/lists.
Users can opt-in to FLoC by adding a generic exception filter to their custom filters, #@#+js(no-floc)
; or they can opt-in only for a specific set of websites through a more specific exception filter:
example.com,shopping.example#@#+js(no-floc)
Solves uBlockOrigin/uBlock-issues#1553.
prevent-fetch.js ↪
New in 1.31.3b9.
Defuses calls to fetch()
by returning a promise which always resolve to an empty response.
Parameters:
- optional, space-separated list of conditions which must be ALL fulfilled in order for the defusing to take place:
- string/regular expression, prefixed by
!
for negation (new in 1.59.1b13), matching in URL passed tofetch()
call - colon-separated
name:value
pairs ofinit
option name and string/regular expression matching in value of that option passed tofetch()
call.
- string/regular expression, prefixed by
- optional, directive; arguments to define the response body:
-
true
to randomize the response, random 10-character string 1.51.1b15 -
emptyObj
to return the response value as empty object 1.54.1rc2 -
emptyArr
to return the response value as empty array 1.54.1rc2 -
emptyStr
to return the response value as empty string 1.54.1rc2 -
length:min[-max]
to fulfill the response with randomized text with length specified, limited to 500000 characters 1.54.1b1 -
war:[name of resource]
to fulfill the response with the content of a web_accessible_resources resource 1.54.1b1
-
- optional, (new in 1.58.1rc4), string for defining response type / JSON string with
properties to set on the returned response instance, original response type is used if not specified:
-
ok
, supported values:false
,true
-
type
, supported values:"basic"
,"cors"
,"default"
,"error"
,"opaque"
-
statusText
, supported values:""
,"Not Found"
. defaults to"OK"
when not overridden. 1.58.1rc5
-
When used without parameters, the parameters passed to no-fetch-if
will be logged to the logger.
Examples:
example.com##+js(no-fetch-if, method:HEAD)
example.com##+js(no-fetch-if, adsbygoogle.js)
example.com##+js(no-fetch-if, !negatedValue)
example.com##+js(no-fetch-if, adsbygoogle.js method:HEAD)
example.com##+js(no-fetch-if, /adsbygoogle.js$/ method:/HEAD|POST/)
example.com##+js(no-fetch-if, adsbygoogle.js, length:11000)
example.com##+js(no-fetch-if, adsbygoogle.js, war:googlesyndication_adsbygoogle.js)
example.com##+js(no-fetch-if, doubleclick, , '{"type": "opaque"}')
See also:
trusted-replace-xhr-response.js ↪
New in 1.51.1rc3
Replaces response text content of xhr
requests if all given parameters match.
For usage, see: trusted-replace-fetch-response
Example:
in-jpn.com##+js(trusted-replace-xhr-response, /.*/, , pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?)
Also see:
trusted-replace-fetch-response.js ↪
New in 1.51.1b8.
Replaces response text content of fetch
requests if all given parameters match.
Parameters:
- required, argument for matching contents of
responseText
that should be replaced. Possible values:-
*
: match all text content - non-empty string
- regular expression
-
- optional, should be set if first parameter is set. String to replace the response text content matched by pattern. Empty string to remove content. Defaults to empty string.
- optional, string of space-separated properties to match; possible props:
- string or regular expression for matching the URL passed to fetch call; empty string, wildcard
*
will match all fetch calls - colon-separated pairs
name:value
where:-
name
is init option name -
value
is string or regular expression for matching the value of the option passed to fetch call
-
- string or regular expression for matching the URL passed to fetch call; empty string, wildcard
Tokens:
-
includes, pattern
: replace only ifpattern
match in the text response. Can be a plain string or a regex. 1.58.1b6
Scriptlet does nothing if response body can't be converted to text.
Solves uBlockOrigin/uBlock-issues#2742.
Examples:
example.com##+js(trusted-replace-fetch-response, adb_detect:true, adb_detect:false, example.com)
example.com##+js(trusted-replace-fetch-response, /#EXT-X-VMAP-AD-BREAK[\s\S]*?/, #EXT-X-ENDLIST, example.com)
example.com##+js(trusted-replace-fetch-response, *, , 'method:GET')
example.com##+js(trusted-replace-fetch-response, /#EXT-X-VMAP-AD-BREAK[\s\S]*?/, #EXT-X-ENDLIST, '/\.m3u8/ method:/GET|HEAD/')
example.com##+js(trusted-replace-fetch-response, *, , another_domain.com)
Also see:
trusted-replace-argument.js ↪
New in 1.55.1b18
Replace an argument passed to a method.
Syntax:
[...]##+js(trusted-replace-argument, propChain, argposRaw, argraw [,condition, pattern])
Parameters:
- required,
propChain
: The property chain to the function which argument must be replaced when called. - required,
argposRaw
: The zero-based position of the argument in the argument list. Use a negative number for a position relative to the last argument. - required,
argraw
: The replacement value, validated using the same heuristic as with theset-constant.js
scriptlet.- If the replacement value matches
json:...
, the value will be the json-parsed string afterjson:
- If the replacement value matches
repl:/.../.../
, the target argument will be replaced according the regex-replacement directive followingrepl:
1.61.3b1
- If the replacement value matches
Tokens:
-
condition, pattern
: The replacement will occur only when pattern matches the target argument.
Examples of usage:
alliptvlinks.com##+js(trusted-replace-argument, MutationObserver, 0, noopFunc)
scimagojr.com##+js(trusted-replace-argument, document.querySelector, 0, json:"body", condition, .ad-zone)
prevent-requestAnimationFrame.js ↪
New in 1.27.0.
Defuses calls to requestAnimationFrame()
function when parameter:
-
is not prefixed with
!
and matches the stringified callback argument torequestAnimationFrame()
; OR -
is prefixed with
!
and does not match the stringified callback argument torequestAnimationFrame()
.
Parameters:
- optional, string/regular expression, matching in the stringified callback argument passed to requestAnimationFrame.
Use with /^/
parameter to defuse all calls unconditionally.
When used without parameters, will log calls to requestAnimationFrame()
to the logger.
Examples:
bloomberg.com##+js(norafif, paywall-inline-tout)
Also see:
prevent-setInterval.js ↪
New in 1.23.0
Defuses calls to setInterval()
function when parameters:
-
are not prefixed with
!
and match thesetInterval()
argument; OR -
are prefixed with
!
and do not match thesetInterval()
argument.
Parameters:
- optional, string/regular expression, matching in stringified callback function
- optional, a value to match against the delay. Can be a single value for exact match, or a range:
-
min-max
: matches if delay >= min and delay <= max -
min-
: matches if delay >= min -
-max
: matches if delay <= max
-
Use with /^/
parameter to defuse all calls unconditionally.
When used without parameters, will log calls to setInterval()
to the logger.
Examples:
jpidols.tv##+js(nosiif)
finanzen.*##+js(nosiif, nrWrapper)
yachtrevue.at##+js(nosiif, text/css, 10)
Also see:
prevent-setTimeout.js ↪
New in 1.23.0
Defuses calls to setTimeout()
function when parameters:
-
are not prefixed with
!
and match thesetTimeout()
argument; OR -
are prefixed with
!
and do not match thesetTimeout()
argument.
Parameters:
- optional, string/regular expression, matching in stringified callback function
- optional, a value to match against the delay. Can be a single value for exact match, or a range:
-
min-max
: matches if delay >= min and delay <= max -
min-
: matches if delay >= min -
-max
: matches if delay <= max
-
Use with /^/
parameter to defuse all calls unconditionally.
When used without parameters, will log calls to setTimeout()
to the logger.
Test page: https://gorhill.github.io/uBlock/tests/scriptlet-injection-filters-1.html
Examples:
computerbild.de##+js(nostif, ())return)
lablue.*##+js(nostif, push, 500)
In 1.31.3b11 aliased as setTimeout-defuser.js
for backward compatibility.
Also see:
nowebrtc.js ↪
Disables WebRTC by preventing web pages from using RTCPeerConnection()
. Report attempts in console.
Examples:
x1337x.*##+js(nowebrtc)
Also see:
prevent-xhr.js ↪
New in 1.38.0.
Defuses XMLHttpRequest network requests by returning empty response. Based on no-fetch-if.js
.
Parameters:
- optional, space-separated list of conditions which must be ALL fulfilled in order for the defusing to take place:
- string/regular expression, prefixed by
!
for negation, matching in URL passed to XMLHttpRequestopen()
call - colon-separated
name:value
pairs of XMLHttpRequest methodopen()
parameter names (onlymethod
andurl
currently supported) and string/regular expression matching in value of passed argument.
- string/regular expression, prefixed by
- optional, directive; arguments to define the response body:
-
true
to randomize the response, random 10-character string 1.51.1b15 -
emptyObj
to return the response value as empty object 1.54.1rc2 -
emptyArr
to return the response value as empty array 1.54.1rc2 -
emptyStr
to return the response value as empty string 1.54.1rc2 -
length:min[-max]
to fulfill the response with randomized text with length specified, limited to 500000 characters 1.54.1b1 -
war:[name of resource]
to fulfill the response with the content of a web_accessible_resources resource 1.51.1b16
-
When used without parameters, the parameters passed to no-xhr-if
will be logged to the logger.
Examples:
example.com##+js(no-xhr-if, method:HEAD)
example.com##+js(no-xhr-if, adsbygoogle.js)
example.com##+js(no-xhr-if, adsbygoogle.js method:HEAD)
example.com##+js(no-xhr-if, /adsbygoogle.js$/ method:/HEAD|POST/)
example.com##+js(no-xhr-if, adsbygoogle.js, length:11000)
example.com##+js(no-xhr-if, doubleclick.net/instream/ad_status.js, war:doubleclick_instream_ad_status.js)
Also see:
trusted-prevent-xhr.js ↪
New in 1.60.1b3
Essentially the same as no-xhr-if
except that if the directive
argument is not a known token, it will be used as is as the response text of the xhr request, whereas prevent-xhr
returns an empty string when the directive is unknown.
Examples:
anitube.vip##+js(trusted-prevent-xhr, outbrain.com, outbrain)
koramaup.com##+js(trusted-prevent-xhr, googlesyndication, 'a.getAttribute("data-ad-client")||""')
set-attr.js ↪
New in 1.50.1b16.
Sets the specified attribute on the specified elements. This scriptlet runs once when the page loads then afterward on DOM mutations.
Parameters:
- required, CSS selector of DOM elements for which the attribute
attr
must be modified. - required, the name of the attribute to modify
- required, the value to assign to the target attribute. Possible values:
-
''
: empty string (default) true
false
- positive decimal integer:
0 <= value < 32768
-
[other]
: copy the value from attributeother
on the same element. This allows to copy the value of one attribute to another attribute on the same element.
-
Examples:
example.com##+js(set-attr, div.class > a.class, test-attribute, 0)
example.com##+js(set-attr, a > img, src, [data-src])
Solves uBlockOrigin/uBlock-issues#2347.
Also see:
trusted-set-attr.js ↪
New in 1.60.1b17
Sets the specified attribute on the specified elements. This scriptlet runs once when the page loads then afterward on DOM mutations.
Parameters:
- required, selector: A CSS selector for the elements to target.
- required, attr: The name of the attribute to be added.
- optional, value: The new value of the attribute. Since the scriptlet requires a trusted source, the value can be anything.
Examples:
example.com##+js(trusted-set-attr, body, class, some-class)
example.com##+js(trusted-set-attr, body, test-attribute, '[true, true]')
- Adds a "class" attribute to the body element with the value "some-class".
- Adds a "test-attribute" attribute to the body element with the value "[true, true]".
Also see:
remove-attr.js ↪
Deprecated by :remove-attr()
Filter authors must use the new operator instead of the +js()
counterpart.
Removes attribute(s) from DOM tree node(s). By default will run only once when the initial HTML document has been completely loaded and parsed but sub-resources such as scripts, images, stylesheets and frames are still loading.
Parameters:
- required, attribute or list of attributes joined by
|
- optional, CSS selector, specifies nodes from which attributes will be removed
- optional, new in 1.33, one or more space-separated tokens dictating the behavior of the scriptlet
-
asap
: added in 1.36.1b2, execute as soon as possible, do not wait for DOM to become available. -
stay
: This tells the scriplet to stay active and act on document changes. -
complete
: This tells the scriplet to start acting only when the document is complete, i.e. once all secondary resources have been loaded.
-
Examples:
userscloud.com##+js(ra, onclick, .btn-icon-stacked)
magesy.*,majesy.*##+js(ra, oncontextmenu)
zerodot1.gitlab.io##+js(ra, oncontextmenu|onselectstart|ondragstart)
example.com##+js(remove-attr, class, .j-mini-player, stay)
Also see:
remove-class.js ↪
Deprecated by :remove-class()
Filter authors must use the new operator instead of the +js()
counterpart.
New in 1.26.0.
Removes classes from DOM tree node(s). By default will run only once after page load. Syntax based on remove-attr.js
Parameters:
- required, class name or list of class names joined by
|
- optional, CSS selector, specifies nodes from which classes should be removed
- optional, new in 1.36, one or more space-separated tokens dictating the behavior of the scriptlet
-
stay
: This tells the scriplet to stay and act on DOM changes, while the default behavior is to act only once when the document becomes interactive. -
complete
: This tells the scriplet to start acting only when the document is complete, i.e. once all secondary resources have been loaded, while the default is to start acting when the document is interactive - which is earlier than when the document is complete.
-
Examples:
-
danskebank.fi##+js(rc, cookie-consent-banner-open, html)
Picture of the element
Also see:
trusted-replace-node-text.js ↪
New in 1.49.3b16
Replace text instance(s) with another text instance inside specific DOM nodes.
By default, the scriptlet will bail out when the document itself has been fully loaded, i.e. when DOMContentLoaded
event is fired.
The mutation observer of this scriptlet can be a significant overhead for pages with dynamically updated DOM, and in most cases the scriptlet is useful only for DOM changes occurring before the DOMContentLoaded
event, so the default is to quit out when that event is received ("quit out" means discarding the mutation observer and having the scriptlet garbage-collected by the JS engine).
Parameters:
- required, the name of the node for which the text content must be substituted. Valid node names can be found at: https://developer.mozilla.org/en-US/docs/Web/API/Node/nodeName
- required, a string or regex to find in the text content of the node as the target of substitution
- optional, the replacement text. Can be omitted if the goal is to delete the text which matches the pattern. Cannot be omitted if extra pairs of parameters have to be used (see below)
Tokens:
-
includes, pattern
: A string or regex which must be found in the text content of the node in order for the substitution to occur -
excludes, pattern
: A string or regex which must not be found in the text content of the node in order for the substitution to occur -
sedCount, n
: This will cause the scriptlet to stop aftern
instances of substitution. Since a mutation oberver is used by the scriptlet, it's advised to stop it whenever it becomes pointless. Default to zero, which means the scriptlet never stops -
stay, 1
: Force the scriptlet to stay at work forever -
quitAfter, ms
: This tells the scriptlet to quitms
milliseconds after the page has been loaded, i.e. after theDOMContentLoaded
event has been fired -
: This will cause the scriptlet to output information at the console, useful as a debugging tool for filter authorslog, 1
(deprecated, read about the new method of logging scriptlets)
Examples:
example.com##+js(rpnt, #text, /^Advertisement$/)
example.com##+js(rpnt, #text, Example Domain, Changed, condition, Example, stay, 1)
example.com##+js(rpnt, script, /devtoolsDetector\.launch\(\)\;/, , sedCount, 1)
Related discussions:
Also see:
remove-node-text.js ↪
New in 1.49.3rc15
Remove the whole text of a DOM node.
By default, the scriptlet will bail out when the document itself has been fully loaded, i.e. when DOMContentLoaded
event is fired.
The mutation observer of this scriptlet can be a significant overhead for pages with dynamically updated DOM, and in most cases the scriptlet is useful only for DOM changes occurring before the DOMContentLoaded
event, so the default is to quit out when that event is received ("quit out" means discarding the mutation observer and having the scriptlet garbage-collected by the JS engine).
Parameters:
- required, the name of the node for which the text content must be removed. Valid node names can be found at: https://developer.mozilla.org/en-US/docs/Web/API/Node/nodeName
- required, A string or regex to find in the text content of the node as the target of removing
Optionally, extra pairs of parameters (tokens) can be used to modify the behavior of the scriptlet.
Tokens:
-
includes, pattern
: A string or regex which must be found in the text content of the node in order for the removing to occur -
excludes, pattern
: A string or regex which must not be found in the text content of the node in order for the removing to occur -
sedCount, n
: This will cause the scriptlet to stop aftern
instances of removing. Since a mutation oberver is used by the scriptlet, it's advised to stop it whenever it becomes pointless. Default to zero, which means the scriptlet never stops -
stay, 1
: Force the scriptlet to stay at work forever -
quitAfter, ms
: This tells the scriptlet to quitms
milliseconds after the page has been loaded, i.e. after theDOMContentLoaded
event has been fired -
: This will cause the scriptlet to output information at the console, useful as a debugging tool for filter authorslog, 1
(deprecated, read about the new method of logging scriptlets)
Examples:
example.com##+js(rmnt, #text, Example)
example.com##+js(rmnt, #text, Example, condition, Exa)
example.com##+js(rmnt, script, timeLeft)
Also see:
trusted-replace-outbound-text.js ↪
New in 1.57.1b1
(currently alias trusted-rpot
is unsupported yet)
Replace the text in the outbound function call.
Parameters:
- required, a name of method for which the text content must be substituted
- required, a string or regex to match in the outbound text as the target of substitution,
if not provided or empty, the scriptlet will only log the outbound text without modifying it. - optional, the replacement string for the matched part,
can be omitted if the goal is to delete the text which matches the pattern.
Tokens:
-
condition, pattern
: is a vararg which tells the scriptlet to act only ifpattern
is found in the outbound text. -
encoding, base64
: Decode and encode outbound base64-encoded text before and after replacement. 1.58.1b3
Examples:
-
www.reddit.com##+js(trusted-replace-outbound-text, JSON.stringify)
(logging only) -
www.reddit.com##+js(trusted-replace-outbound-text, JSON.stringify, '/"csrf_token":"[^"]+",/')
matches and removes:"csrf_token":"ed5ce21c7d7c95c8662c7844c0f4a4dc",
from the JSON payload -
www.reddit.com##+js(trusted-replace-outbound-text, JSON.stringify, '/(?<="csrf_token":")[^"]+?(?=")/')
or
www.reddit.com##+js(trusted-replace-outbound-text, JSON.stringify, '/("csrf_token":")(?:[^"]+?)(")/', /$1$2/)
matchesed5ce21c7d7c95c8662c7844c0f4a4dc
or any similiar value in"csrf_token":"..."
and removes it resulting in empty value:"csrf_token":""
-
www.reddit.com##+js(trusted-replace-outbound-text, JSON.stringify, '/(?<="adblock":{"enabled":)true/', false)
matchestrue
in"adblock":{"enabled":true
and replaces it withfalse
resulting in a new spoofed value:"adblock":{"enabled":false
-
example.com##+js(trusted-replace-outbound-text, eval, ads:true, ads:false, encoding, base64)
For instance,eval('"YWRzOnRydWU="')
which decoded value is 'ads:true', will return 'YWRzOmZhbHNl' which is 'ads:false' after decoding.
When the replacement starts with json:
, it will be first decoded using JSON.parse() (since 1.59.1b8), example:
example.com##+js(trusted-replace-outbound-text, somefn, json:"ok")
The doublequotes are required since this is what JSON.parse() expects as a valid JSON string.
Solves related issues / discussions:
- Add a scriptlet to intercept atob call and prune its text output
- Add new scriptlet — 'trusted-replace-outbound-text'
- reddit.com: privacy
- trusted-replace-outbound-text
Also see:
href-sanitizer.js ↪
New in 1.47.5b4
Parameters:
- required, a CSS selector which matches the elements for which the scriptlet should replace the
href
attribute with the text content of the element, if ALL the following conditions are met:- The element is a link (
<a>
) element - The link element has an existing
href
attribute - The text content of the element is a valid
https
-based URL
- The element is a link (
- optional, the attribute from which to extract the text to be used for the
href
attribute of the link, otherwise the text content of the element will be used.- If the second parameter starts with
?
, the scriptlet will look up the value of the search parameter which name is what comes after the?
. (New in 1.49.3rc15). Supports ability to recursively unwrap search parameters. 1.58.1rc11
- If the second parameter starts with
Examples:
vk.com##+js(href-sanitizer, a[href^="/go?to="][title], [title])
vk.com##+js(href-sanitizer, a[href^="/away.php?to="][title], ?to)
-
<a href="https://app.adjust.com/2uo1qc?redirect=https%3A%2F%2Fplay.google.com%2Fstore%2Fapps%2Fdetails%3Fid%3Dorg.mozilla.firefox&campaign=www.mozilla.org&adgroup=mobile-android-page">Text</a>
:mozilla.org##+js(href-sanitizer, a[href^="https://app.adjust.com/"][href*="?redirect="], ?redirect)
example.com##+js(href-sanitizer, a.clickTracker, ?r?u)
Solves Anti-redirect scriptlet for vk.com (href-sanitizer).
Also see:
prevent-refresh.js ↪
New in 1.38.7b3
Attempts to defuse reloading of a document through a meta "refresh" tag. Will stop navigation (call window.stop()
) at specified delay.
Parameters:
- optional, number (float), number of seconds until the page will be reloaded / when defuser should run. Will be derived from source tag when not specified.
Also see:
trusted-click-element.js ↪
New in 1.53.5rc13
Clicks elements on webpages. Can target single or multiple elements in a sequence. The scriptlet will abort after 10s timeout or after all the elements have been clicked. Also hidden elements can be targeted.
Parameters:
- required, a list of css selector(s). Multiple selectors must be quoted. Use
>>>
to select elements inside shadow root. (New in 1.54.1b3) - optional, Extramatch: conditions for the clicking to occur, cookies and localStorage are matched using the format
name:key[=value]
where the value is optional. Multiple conditions can be separated by comma. Prefix with!
to only click if the cookie/localStorage item does not exist. Supported names: 1.55.1b12-
cookie
: test string or regex against cookies -
localStorage
: test string or regex against localStorage
-
- optional, delay in ms how long the scriptlet will postphone the execution
Tokens:
: This will cause the scriptlet to output information at the console, useful as a debugging tool for filter authorslog, 1
(deprecated, read about the new method of logging scriptlets)
Examples:
example.com##+js(trusted-click-element, button.reject-all)
example.com##+js(trusted-click-element, '[for="CookiePurposes_1_"], [for="CookiePurposes_2_"], button.js-save')
example.com##+js(trusted-click-element, #cmpwrapper >>> .cmpboxbtnyes)
example.com##+js(trusted-click-element, #cmp-btn-accept, , 500)
example.com##+js(trusted-click-element, #cmp-btn-accept, !cookie:/^gpt_ppid[^=]+=/, 5000)
example.com##+js(trusted-click-element, button[name="agree"], 'cookie:cmpconsent, localStorage:promo=yes')
Also see:
set-constant.js ↪
Creates property and initializes it with a value from a predefined set.
Scriptlet will succeed only when:
- original property is
undefined
(scriptlet is called early enough) ornull
1.25.0 OR - new property written by
set.js
isundefined
ornull
1.25.0 OR - type of original property is equal to type of new property
Value set by scriptlet can be overwritten by page script when:
- current property was not set to
undefined
ornull
1.25.0 AND - new property is not
undefined
ornull
1.25.0 AND - type of original property is different than type of new property
Parameters:
- required, property (chain of properties joined by
.
) attached to window object - required, possible values:
- positive decimal integer, no sign, with maximum value of 0x7FFF (32767)
- one value from set of predefined constants:
undefined
false
true
-
null
2018-11-24 -
noopFunc
- function with empty body -
trueFunc
- function returning true -
falseFunc
- function returning false -
throwFunc
- function throwing an error1.59.1rc5 -
''
- empty string2019-01-06 -
[]
- empty array1.36 -
{}
- empty object1.36
● optional (deprecated in favor of "runAt" token)
▬▬► SPOILER START ◄▬▬
- optional, to defer execution of
set-constant
, possible values:- not present: execute immediately
- 1: execute immediately
-
interactive
,end
,2
: set the constant when the eventDOMContentInteractive
is fired -
complete
,idle
,3
: set the constant when the eventload
is fired
▬▬► SPOILER END ◄▬▬
Tokens:
- "runAt": when this parameter is present, uBO will take it into account to possibly defer execution of the scriptlet
new in 1.49.3b4, updated in 1.51.1rc0, solves uBlockOrigin/uAssets#7320:- "runAt" not present: execute immediately
-
loading
or1
: execute immediately -
interactive
orend
or2
: set the constant when the eventDOMContentLoaded
is fired -
complete
oridle
or3
: set the constant when the eventload
is fired
- "as": when this parameter is present, uBO will take it into account how the values will be returned
new in 1.49.3b13, updated in 1.51.1rc0, solves uBlockOrigin/uBlock-issues#2615:-
function
: the constant will be a function returning the specified value (is deprecated)asFunction
-
callback
: the constant will be a function returning a function returning the specified value (is deprecated)asCallback
-
resolved
: the constant will be a promise resolving to the specified value (is deprecated)asResolved
-
rejected
: the constant will be a promise failing with the specified value (is deprecated)asRejected
-
- "stack": considered to be implemented in the future, ideally, AdGuard would support its
stack
parameter as a vararg, to be discussed,
issue to be solved: https://github.com/uBlockOrigin/uBlock-issues/issues/2783- string or regular expression that must match the current function call stack trace, defaults to matching every call; if regular expression is invalid, it will be skipped
Examples:
kompetent.de##+js(set, Object.keys, trueFunc)
t-online.de##+js(set, abp, false)
identi.li##+js(set, t_spoiler, 0)
-
(deprecated)joysound.com##+js(set, document.body.oncopy, null, 3)
joysound.com##+js(set, document.body.oncopy, null, runAt, 3)
Also see:
trusted-set-constant.js ↪
Behaves exactly like set-constant, except that any arbitrary JSON-compatible value can be set.
By default the value is treated as a string, which can be anything.
If the value starts with {
and ends with }
, the value will be JSON-parsed, and the value
property of the resulting object will be used. Since 1.59.1b9, { "value": ... }
can be replaced with json:
.
Solves: https://github.com/uBlockOrigin/uAssets/discussions/18185#discussioncomment-5977456
Examples:
example.com##+js(trusted-set, prop, { "value": 100000 })
example.com##+js(trusted-set, prop, '{ "value": [ "one", "two", 3 ]}')
example.com##+js(trusted-set, prop, { "value": { "url": "about:blank" }})
Also see:
trusted-suppress-native-method.js ↪
New in 1.58.1rc0
This is a first draft version with current limitations:
- Does not support matching arguments which are object or array
- Does not support
stack
parameter
Syntax:
example.org#%#//scriptlet('trusted-suppress-native-method', methodPath, signatureStr[, how[, stack]])
Parameters:
- methodPath – required, string path to a native method (joined with
.
if needed). The property must be attached towindow
. - signatureStr – required, string of
|
-separated argument matchers. Supported value types with corresponding matchers:- string – exact string, part of the string or regexp pattern. Empty string
""
to match an empty string. Regexp patterns inside object matchers are not supported. - number, boolean, null, undefined – exact value,
- object – partial of the object with the values as mentioned above, i.e by another object, that includes property names and values to be matched,
- array – partial of the array with the values to be included in the incoming array, without considering the order of values.
- string – exact string, part of the string or regexp pattern. Empty string
To ignore specific argument, explicitly use whitespace as a matcher, e.g ' | |{"prop":"val"}'
to skip matching first and second arguments.
If signatureStr
parameter is not declared, the scriptlet will log all calls to methodPath
along with the arguments passed and will not prevent the trapped method.
Tokens:
- "how": optional, string, one of the following:
-
abort
– default, aborts the call by throwing an error, -
prevent
– replaces the method call with the call of an empty function. -
debug
– triggers adebugger
statement and the target method is not suppressed. Useful to find out how the method is being called by the page's code.
-
- "stack": optional, string or regular expression that must match the current function call stack trace.
Examples:
example.org##+js(trusted-suppress-native-method, localStorage.setItem, '/key/|"value"', prevent)
example.org##+js(trusted-suppress-native-method, Object.prototype.hasOwnProperty, '"test"')
example.org##+js(trusted-suppress-native-method, Node.prototype.appendChild, '{"id":"str"}', prevent)
example.org##+js(trusted-suppress-native-method, Document.prototype.querySelectorAll, '"div"')
example.org##+js(trusted-suppress-native-method, Array.prototype.concat, '[1, "str", true]')
example.org##+js(trusted-suppress-native-method, sessionStorage.setItem, ' |"item-value"', abort, someFuncName)
- Prevent
localStorage.setItem('test-key', 'test-value')
call matching first argument by regexp pattern and the second one by substring. - Abort
obj.hasOwnProperty('test')
call matching the first argument. - Prevent
Node.prototype.appendChild
call on element with the idtest-id
by object matcher. - Abort all
document.querySelectorAll
calls withdiv
as the first argument. - Abort
Array.prototype.concat([1, 'str', true, null])
calls by matching array argument contents. - Use stack argument to match by the call, while also matching the second argument.
Also see:
trusted-override-element-method.js ↪
New in 1.60.1b5
Override the behavior of a method on matching elements.
Parameters:
- required, methodPath: The method which calls must be intercepted.
- optional, selector: A CSS selector which the target element must match. If not specified, the override will occur for all elements.
- optional, disposition: How the override should be handled. If not specified, the overridden call will be equivalent to an empty function.
-
throw
: an exception will be thrown (throwsReferenceError
). -
debug
: triggers adebugger
statement if uBO's logger is opened. Useful for debugging purposes. - Any other value will be validated and returned as a supported safe constant.
-
Example:
streamsilk.com##+js(trusted-override-element-method, HTMLAnchorElement.prototype.click, a[target="_blank"][style])
trusted-prevent-dom-bypass.js ↪
New in 1.60.1b4
Prevent the bypassing of uBO scriptlets through anonymous embedded context.
Ensure that a target method in the embedded context is using the corresponding parent context's method (which is assumed to be properly patched), or to replace the embedded context with that of the parent context.
Root issue: https://issues.chromium.org/issues/40202434
Parameters:
- required, methodPath: The method which calls must be intercepted. The arguments of the intercepted calls are assumed to be HTMLElement, anything else will be ignored.
- optional, targetProp: The method in the embedded context which should be delegated to the parent context. If no method is specified, the embedded context becomes the parent one, i.e. all properties of the embedded context will be that of the parent context.
Examples:
##+js(trusted-prevent-dom-bypass, Element.prototype.append, open)
##+js(trusted-prevent-dom-bypass, Element.prototype.appendChild, XMLHttpRequest)
set-cookie.js ↪
New in 1.50.1b0.
Sets a cookie with the specified name, value, and path. Double quotes surrouding the cookie value are allowed.
Parameters:
-
required, cookie name to be set
-
required, cookie value; possible values:
- decimal integer:
>= -32767 && <= 32767
(<= 15
up to 1.56.1b18,>= 0
up to 1.61.1b0) - one of the predefined constants (in any case variation):
-
accept
/reject
, -
accepted
2 /rejected
2 /notaccepted
2, -
allow
/disallow
2 /deny
, -
allowed
2 /denied
, -
approved
5 /disapproved
5, -
checked
8 /unchecked
8, -
dismiss
/dismissed
, -
enable
2 /disable
2, -
enabled
2 /disabled
2, -
essential
7 /nonessential
7, -
forbidden
9 /forever
9, -
hide
6 /hidden
6, -
necessary
4 /required
4, -
ok
, -
on
1 /off
1, -
true
/t
3 /false
/f
3, -
yes
/y
/no
/n
-
- decimal integer:
-
optional, cookie path, defaults to /; possible values:
-
/
: root path -
none
: to set no path at all
-
1. 1.52.3b17
2. 1.52.3rc12
3. 1.53.1b8
4. 1.53.5rc5
5. 1.57.3rc1
6. 1.58.1b7
7. 1.58.1rc0
8. 1.59.1b5
9. 1.60.1b12
The scriptlet encodes cookie names and values, e.g value "{ test: 'value'}" becomes %7B%20test%3A%20'value'%7D
.
Tokens:
-
reload, 1
: the scriplet will force a reload of the webpage if the cookie being set was not already set. -
dontOverwrite, 1
: the scriptlet will not modify the cookie if it already exists.
; Secure
will be automatically used when cookie names starts with __Secure-
or __Host-
(since 1.58.1b8).
Examples:
example.com##+js(set-cookie, CookieConsent, 1)
example.com##+js(set-cookie, gdpr-settings-cookie, true)
example.com##+js(set-cookie, cookie_consent, ok, none)
Also see:
trusted-set-cookie.js ↪
Sets a cookie with arbitrary name and value, and with optional ability to offset cookie attribute 'expires' and set path.
New in 1.50.1b1.
Parameters:
- required, cookie name to be set
- required, cookie value. Possible values:
- arbitrary value
- empty string for no value
-
$now$
keyword for setting current time in ms, e.g 1667915146503. Can be used inside a string since 1.58.1b0 -
$currentDate$
keyword for setting current time as string, e.g 'Tue Nov 08 2022 13:53:19 GMT+0300' -
$currentISODate$
keyword for setting current time in ISO format as string, e.g '2024-07-07T12:10:00.641Z' (since 1.58.1rc0)
- optional, offset from current time in seconds, after which cookie should expire; defaults to no offset. Possible values:
- positive integer in seconds
-
1year
keyword for setting expiration date to one year -
1day
keyword for setting expiration date to one day
- optional, argument for setting cookie path, defaults to
/
; possible values:-
/
: root path -
none
: to set no path at all
-
Variadic parameters (must appears after required and optional parameters):
-
reload, 1
: the scriplet will force a reload of the webpage if the cookie being set was not already set. -
domain, [value]
: the scriptlet will set the domain of the cookie to value. -
dontOverwrite, 1
: the scriptlet will not modify the cookie if it already exists.
; Secure
will be automatically used when cookie names starts with __Secure-
or __Host-
.
Examples:
example.com##+js(trusted-set-cookie, cmpconsent, 1-accept_1)
example.com##+js(trusted-set-cookie, cmpconsent, $now$)
example.com##+js(trusted-set-cookie, cmpconsent, '{"accepted":true,"expire":$now$}')
example.com##+js(trusted-set-cookie, cmpconsent, accept, 259200)
example.com##+js(trusted-set-cookie, cmpconsent, accept, 1year)
example.com##+js(trusted-set-cookie, cmpconsent, decline, , none)
The second and third filters will set a cookie with new Date().getTime()
value.
The forth and fifth filters will set a cookie which will expire in 3 days or 1 year.
The sixth filter sets a cookie with no path.
Also see:
set-local-storage-item.js ↪
set-session-storage-item.js ↪
New in 1.50.1b4 and 1.50.1b12.
Set a local/session storage entry to a specific, allowed value. Scriptlet won't set item if storage is full. Double quotes surrouding the key value are allowed.
- required, key name to be set.
- required, key value; possible values:
- decimal integer
>= -32767 && <= 32767
(only<= 32767
up to 1.61.1b1) - one of the predefined constants:
-
''
: empty string -
undefined
,null
-
false
,true
-
on
,off
-
yes
,no
-
accept
,reject
1.57.3b9 -
accepted
,rejected
1.57.3b9 -
allowed
,denied
1.59.1b5 - any from
set-cookie
1.59.1b5 -
{}
: empty object -
[]
: empty array ""
-
$remove$
: remove specific item from localStorage
-
- decimal integer
Examples:
example.com##+js(set-local-storage-item, player.live.current.mute, false)
example.com##+js(set-local-storage-item, exit-intent-marketing, 1)
example.com##+js(set-local-storage-item, foo, $remove$)
example.com##+js(set-session-storage-item, player.live.current.mute, false)
example.com##+js(set-session-storage-item, exit-intent-marketing, 1)
example.com##+js(set-session-storage-item, foo, $remove$)
Solves uBlockOrigin/uBlock-issues#2697.
Also see:
trusted-set-local-storage-item.js ↪
trusted-set-session-storage-item.js ↪
New in 1.50.1b4 and 1.53.5rc7.
Parameters:
- required, key name to be set.
- required, key value; possible values:
- arbitrary value
-
$now$
: keyword for setting current time in ms,
corresponds toDate.now()
and(new Date).getTime()
calls, can be used inside a string since 1.57.3b8 -
$currentDate$
: keyword for setting string representation of the current date and time,
corresponds toDate()
and(new Date).toString()
calls, can be used inside a string since 1.57.3b8 -
$currentISODate$
: keyword for setting string representation of the current date and time in ISO format,
corresponds toDate()
and(new Date).toISOString()
calls, can be used inside a string since 1.57.3b8
Examples:
example.com##+js(trusted-set-local-storage-item, COOKIE_CONSENTS, {"preferences":3\,"flag":false})
example.com##+js(trusted-set-local-storage-item, providers, [16364\,88364])
example.com##+js(trusted-set-local-storage-item, player.live.current.play, $currentDate$)
example.com##+js(trusted-set-local-storage-item, ppu_main_none, '')
example.com##+js(trusted-set-session-storage-item, opd, 1.4)
Also see:
remove-cache-storage-item.js ↪
New in 1.55.1b23
Removes cache storage item.
Syntax: ...##+js(remove-cache-storage-item, cacheNamePattern[, urlPattern])
Parameters:
- required,
cacheNamePattern
: the name of the cache to target. Plain string or regex. - optional,
urlPattern
: the URL of the resource to remove. Plain string or regex.
If no pattern is provided, the whole cache is removed.
Reference: https://developer.mozilla.org/en-US/docs/Web/API/CacheStorage
adjust-setInterval.js ↪
Adjusts interval for specified setInterval()
callbacks.
Parameters:
- optional, string/regular expression, matching in stringified callback function
- optional - defaults to 1000, decimal integer, matching interval. New in 1.33.0:
*
will match any interval. - optional - default to 0.05 (20x faster), float, capped at 50 times for up and down, interval multiplier
Examples:
identi.li##+js(nano-sib, , ,0.02)
platinmods.*##+js(nano-sib)
1ink.cc##+js(nano-sib, mSec, 1050)
Also see:
spoof-css.js ↪
Spoof the CSS property value when getComputedStyle()
or getBoundingClientRect()
are used.
Parameters:
- required, a valid CSS selector which matches the elements for which the spoofing must apply
- required, a CSS property name (can be dashed- or camel-cased)
- required, the value to return regardless of the currently computed value
Examples:
-
example.com##+js(spoof-css, .ad, clip-path, none) example.com##+js(spoof-css, .ad, _debug, 1)
There can be any number of selectors, grouped inside single quotes:
-
example.com##+js(spoof-css, 'a[href="x.com"], .ads, .bottom', clip-path, none)
There can be any number of property-name/property-value pairs, all separated by commas:
-
example.com##+js(spoof-css, .ad, clip-path, none, display, block)
Special properties: 1.61.1b4
-
_debug, 1
: Force the browser to break whengetComputedStyle()
orgetBoundingClientRect()
is called, useful to help pinpoint usage of those calls in the page's source code. -
_rectx, value
: Spoof theDOMRect.x
returned bygetBoundingClientRect()
. -
_recty, value
: Spoof theDOMRect.y
returned bygetBoundingClientRect()
. -
_rectw, value
: Spoof theDOMRect.width
returned bygetBoundingClientRect()
. -
_recth, value
: Spoof theDOMRect.height
returned bygetBoundingClientRect()
.
If both _rectw
and width
are present in the list of properties to spoof, _rectw
will have precedence over width
in the spoofing of getBoundingClientRect()
output. Same for _recth
.
Solves uBlockOrigin/uBlock-issues#2618.
Also see:
prevent-canvas.js ↪
New in 1.52.3b2
Prevent usage of specific or all (default) canvas APIs.
Syntax:
example.com##+js(prevent-canvas [, contextType])
Parameters:
- optional,
contextType
: A specific type of canvas API to prevent (default to all APIs). Can be a string or regex which will be matched against the type used in getContext() call. Prepend with!
to test for no-match.
Examples:
-
example.com##+js(prevent-canvas)
- preventsexample.com
from accessing all canvas APIs -
*##+js(prevent-canvas, /webgl/)
- prevents access to any flavor of WebGL API, everywhere -
example.com##+js(prevent-canvas, !2d)
- preventsexample.com
from accessing any flavor of canvas API except2d
References: https://developer.mozilla.org/en-US/docs/Web/API/HTMLCanvasElement/getContext
adjust-setTimeout.js ↪
Adjusts delay for specified setTimeout()
callbacks.
Parameters:
- optional, string/regular expression, matching in stringified callback function
- optional - defaults to 1000, decimal integer, matching delay. New in 1.33.0:
*
will match any delay. - optional - default to 0.05 (20x faster), float, capped at 50 times for up and down, delay multiplier
Examples:
bdupload.*##+js(nano-stb)
imgrock.*##+js(nano-stb, /.?/, 4000)
Also see:
sharedWorker-defuser.js ↪
Removed. Deprecated by $csp
filter option.
Defuses sharedWorker by passing empty worker file (Blob URL) for specified worker URLs
Parameters:
- optional, string/regular expression, matching in worker URL
webrtc-if.js ↪
Allows opening RTC connections to matching RTCIceServer only.
Parameters:
- required, string/regular expression, matching in
RTCIceServer
urls
,username
orcredential
.
close-window.js ↪
New in 1.39.3b10.
Closes fresh browser tabs of the specified page. Can also be used to close tabs which have been opened from other applications. Can be narrowed down to specific path by parameter. Whole browser window will be closed if it's the last/only tab (depends on browser configuration).
Improvements:
-
1.44.3b11, If the argument to the
window-close-if
scriptlet is a regex, the match will be against the whole location URL, otherwise the match will be against the part+query part of the location URL.
Parameters:
- optional, string, matching in the path and query part of the web page address or regular expression, matching in the whole location URL.
Examples:
acestream.com##+js(window-close-if, /plan/select?popup=noads)
-
example.com##+js(window-close-if, /^/)
- will close all new tabs going toexample.com
on any site. -
hostdl.com##+js(window-close-if, /^https?://(www\.)?hostdl\.com/)
- will close all new tabs matching either only base domain or www one (i.e. notlogin.hostdl.com
).
Also see:
prevent-window-open.js ↪
Prevent opening new windows by window.open()
when URL positively or negatively matches to specific string.
Improvements:
- 1.29.2, third parameter can now configure behavior of the scriptlet.
-
1.27.0,
nowoif.js
alias is now available. - 1.26.0 (one, two),
if second argument is present and a valid integer value, the defuser will return a valid window object even though no popup window is opened. The returned window object will cease to be valid after the specified number of seconds. If not present, no window will be opened and the scriptlet will returnnull
.
If the first argument is set to the special value debug
and the logger is opened, the scriptlet will trigger a debugger
statement and the prevention will not occur.
When used without parameters, will log calls to window.open()
to the logger.
Parameters:
- optional, string/regular expression, prefixed by
!
for negation, matching in all parameters passed towindow.open()
(all the arguments are joined as a single space-spearated string, and the result is used as the target for matching the pattern, new in 1.50.1b2), if not provided, all calls towindow.open()
are prevented. - optional, positive decimal integer, number of seconds after returned
window
object will be invalidated. - optional, possible values:
-
obj
: Use anobject
element instead ofiframe
element (default) as a decoy to be used in place of a popup window, when the page requires a validwindow
instance to be returned. -
blank
: Replace theurl
parameter withabout:blank
. 1.59.1b9
-
Tokens:
-
: Cause the scriptlet to log information regarding howlog, 1
window.open()
is used by the page on which the scriptlet is used.
(deprecated, read about the new method of logging scriptlets)
Examples:
file-up.org##+js(nowoif)
vidstream.*##+js(nowoif, !api?call=, 10, obj)
example.com##+js(nowoif, download-link, , , log, 1)
Also see:
window.name-defuser ↪
Clears window.name
property which can be misused for tracking purposes.
Parameters:
- none
overlay-buster.js ↪
Experimental, gets rid of overlay dialogs, works for ~30s after page load. Preferred way to handle overlays is to use standard cosmetic filters and optionally style injection.
alert-buster.js ↪
Disables alert()
dialog boxes by redirecting messages to console.
ampproject.org/v0.js ↪
Removes animation (artificial 8s delay) added to desktop pages supporting AMP, when ampproject.org scripts are blocked.
fingerprint2.js ↪
Fingerprintjs2 shim.
Also see: AdGuard fingerprintjs2
fingerprint3.js ↪
FingerprintJS v3 shim.
Also see: AdGuard fingerprintjs3
bab-defuser.js ↪
Defuses BlockAdblock. Prevents executing of eval()
on sets of predefined payloads.
Also see: AdGuard prevent-bab
nobab2.js ↪
Redirect resource. Defuses BAB 4.2b.
Also see: AdGuard prevent-bab2
fuckadblock.js-3.2.0 ↪
Convenience, Sanitize FuckAdBlock
, BlockAdBlock
, SniffAdBlock
, fuckAdBlock
, blockAdBlock
, sniffAdBlock
properties.
Often used as redirect in network filters. TODO: copy to redirect?
Also see: AdGuard prevent-fab-3.2.0
popads-dummy.js ↪
Convenience, sets static properties (PopAds
, popns
)
Also see: AdGuard set-popads-dummy
popads.net.js ↪
Convenience, abort-on-property-write.js (PopAds
, popns
), throws "magic
"
Also see: AdGuard prevent-popads-net
prebid-ads.js ↪
New in 1.41.0
Prebid-ads shim. canRunAds
/isAdBlockActive
?
Also see: AdGuard prebid-ads
These are smallest/shortest/fastest to execute files. Should be used in network filters as a parameter to $redirect
option.
They purpose is to mislead page to think that real files have been served.
- Images
- Source code
- Media files
- Special purpose
-
none
reserved token, can be used to disable specific redirect filters. Starting with 1.31.0, classic exception filters and
badfilter
option can be used. -
click2load.html
for embedded
<iframe>
elements. New in 1.31.0 (also 2e5d32e9, 46d7f8a7). Frames redirected to this resource will not be collapsed, instead, widget with clickable and selectable frame source link will be displayed. Clicking the icon next to source link will open frame content in new tab. Clicking the widget content will unblock and load original frame content.
-
Example rules:
||ad.server.com/$script,redirect=noop.js,domain=www.google.com
-
||dailymotion.com$3p,frame,redirect=click2load.html,domain=lemonde.fr
for example video link:
https://www.lemonde.fr/international/video/2024/08/23/en-images-le-discours-de-kamala-harris-pour-clore-la-convention-democrate_6291494_3210.html
-
||vimeo.com$3p,frame,redirect=click2load.html,domain=theregister.com
for example video link:
https://www.theregister.com/2024/08/01/a_fresh_approach_for_container/
amazon-adsystem.com/aax2/amzn_ads.js ↪
amazon_apstag.js ↪
New in 1.27.0.
doubleclick.net/instream/ad_status.js ↪
google-analytics.com/ga.js ↪
google-analytics.com/analytics.js ↪
google-analytics.com/inpage_linkid.js ↪
google-analytics.com/cx/api.js ↪
google-ima.js ↪
googletagservices.com/gpt.js ↪
googletagmanager.com/gtm.js ↪
googlesyndication.com/adsbygoogle.js ↪
scorecardresearch.com/beacon.js ↪
widgets.outbrain.com/outbrain.js ↪
hd-main.js ↪
Removed in 1.29.0.
Deprecated by general purpose scriptlets / outdated (please move to proper section if still used).
golem.de.js ↪
Deprecated, addEventListener-defuser
static.chartbeat.com/chartbeat.js ↪
Deprecated, sets static properties (pSUPERFLY.activity
, pSUPERFLY.virtualPage
)
ligatus.com/*/angular-tag.js ↪
Deprecated, sets static properties (adProtect
, uabpdl
, uabDetect
)
addthis.com/addthis_widget.js ↪
d3pkae9owd2lcf.cloudfront.net/mb105.js ↪
-
throw
: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/throw -
eval()
: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval -
setInterval()
https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScope/setInterval -
setTimeout()
https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScope/setTimeout) - regular expression: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#Writing_a_regular_expression_pattern
- element: https://developer.mozilla.org/en-US/docs/Web/HTML/Element
- property: https://developer.mozilla.org/en-US/docs/Glossary/property/JavaScript
- method: https://developer.mozilla.org/en-US/docs/Glossary/Method
- CSS selector: https://developer.mozilla.org/en-US/docs/Web/CSS/CSS_Selectors
uBlock Origin - An efficient blocker for Chromium and Firefox. Fast and lean.
- Wiki home
- About the Wiki documentation
- Permissions
- Privacy policy
- Info:
- The toolbar icon
- The popup user interface
- The context menu
-
Dashboard
- Settings pane
- Filter lists pane
- My filters pane
- My rules pane
- Trusted sites pane
- Keyboard shortcuts
- The logger
- Element picker
- Element zapper
-
Blocking mode
- Very easy mode
- Easy mode (default)
- Medium mode (optimal for advanced users)
- Hard mode
- Nightmare mode
- Strict blocking
- Few words about re-design of uBO's user interface
- Reference answers to various topics seen in the wild
- Overview of uBlock's network filtering engine
- uBlock's blocking and protection effectiveness:
- uBlock's resource usage and efficiency:
- Memory footprint: what happens inside uBlock after installation
- uBlock vs. ABP: efficiency compared
- Counterpoint: Who cares about efficiency, I have 8 GB RAM and|or a quad core CPU
- Debunking "uBlock Origin is less efficient than Adguard" claims
- Myth: uBlock consumes over 80MB
- Myth: uBlock is just slightly less resource intensive than Adblock Plus
- Myth: uBlock consumes several or several dozen GB of RAM
- Various videos showing side by side comparison of the load speed of complex sites
- Own memory usage: benchmarks over time
- Contributed memory usage: benchmarks over time
- Can uBO crash a browser?
- Tools, tests
- Deploying uBlock Origin
- Proposal for integration/unit testing
- uBlock Origin Core (Node.js):
- Troubleshooting:
- Good external guides:
- Scientific papers