
fix(extension): route Trusted-Types/CSP eval failures to the CSP-strip bypass (v0.17.7)#115

Merged
ronaldeddings merged 1 commit into main from fix/eval-trusted-types-csp-bypass on Jun 19, 2026

Conversation

ronaldeddings (Collaborator) commented Jun 19, 2026

Summary

  • MAIN-world eval on pages with a strict Trusted-Types CSP (require-trusted-types-for 'script') was rejected and returned early, never reaching the extension's existing per-tab CSP-header-strip + reload bypass. This routes Trusted-Types and userScript-CSP failures into that bypass so strict-Trusted-Types sites become eval-able.
  • Refreshes the built content bundle to match source already on main (a11y out-of-flow portal visibility, MAIN-world pointerdown gesture for Radix/Floating-UI menus, double content-script injection guard).
  • Bumps the version across all surfaces (extension manifests, package.json, CLI) to 0.17.7.

Behavior

Page CSP                            | Before                  | After
no CSP / unsafe-eval allowed        | eval works              | unchanged
unsafe-eval blocked                 | strip + reload → works  | unchanged
require-trusted-types-for 'script'  | early return → fails    | strip + reload → works

Notes

  • No new permissions or API surface; widens the trigger of an existing mechanism, not the mechanism.
  • Not a Sparkle release — main merge only.

🤖 Generated with Claude Code

Summary by CodeRabbit

Version 0.17.7

  • Chores

    • Version bumped to 0.17.7 across all packages and manifests
  • Bug Fixes

    • Improved evaluation logic for scripts subject to Content Security Policy restrictions
    • Enhanced accessibility tree walker with better element visibility computation
    • Prevented duplicate content script injection
  • New Features

    • Added cooperative click interception mechanism

…p bypass (v0.17.7)

MAIN-world eval on pages with a strict require-trusted-types-for 'script' policy was rejected and returned early, never reaching the extension's existing per-tab CSP-header-strip + reload bypass. Make Trusted-Types (and userScript-CSP) failures fall through to that path so strict-Trusted-Types sites become eval-able. No new permissions or API surface — it widens the trigger of an existing mechanism, not the mechanism.

Also refresh the built content bundle to match source already on main (a11y out-of-flow portal visibility, MAIN-world pointerdown gesture for Radix/Floating-UI menus, double content-script injection guard) and bump the version across all surfaces (extension manifests, package.json, CLI) to 0.17.7.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
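The fallback decision described in the summary and the Behavior table above, written out as an added example; this is not Interceptor's own evaluate.ts. It models the rule the PR states (return early only on success or on a non-CSP error, otherwise fall through to the per-tab CSP-header strip + reload) and the header filter that strip needs. The error strings are modelled on Chrome's EvalError wording but are constructed here, the `legacy` flag stands in for the pre-0.17.7 early return, and the header names stripped are this example's choice, not necessarily the extension's.

```javascript
// Added example; not code from the Interceptor repository.
// Models the evaluate fallback decision described in PR #115 and the header
// strip it falls through to. Error wording, the `legacy` flag and the set of
// stripped headers are assumptions made here.

// Why did the MAIN-world eval fail?
function classifyEvalFailure(message) {
  if (/'unsafe-eval' is not an allowed source/i.test(message)) return 'csp-unsafe-eval';
  if (/Trusted ?Types?|TrustedScript/i.test(message)) return 'csp-trusted-types';
  if (/userScripts?/i.test(message) && /CSP|Content Security Policy/i.test(message)) return 'csp-userscript';
  return 'other';
}

const isCspBlocked = (kind) => kind !== 'other';

// Decide the next step after the initial attempt.
// attempt: { ok: true, value } | { ok: false, error }
// legacy:  reproduce the pre-0.17.7 flow, where the Trusted-Types branch returned early
function nextStep(attempt, { legacy = false } = {}) {
  if (attempt.ok) return { action: 'return-result', value: attempt.value };
  const kind = classifyEvalFailure(String(attempt.error));
  if (!isCspBlocked(kind)) return { action: 'return-error', kind };                     // the page's own error: report it
  if (legacy && kind === 'csp-trusted-types') return { action: 'return-error', kind };  // old early return
  return { action: 'strip-and-reload', kind };                                          // CSP still blocks: use the bypass
}

// The "strip" half of strip + reload: drop the CSP response headers for the tab,
// then reload so the MAIN-world eval runs with no header-delivered policy.
// The enforcing header is what blocks eval; report-only is dropped here as well so
// the reload does not emit violation reports (this example's choice).
// A policy delivered via <meta http-equiv="Content-Security-Policy"> is not a
// header and survives this.
const CSP_HEADERS = new Set(['content-security-policy', 'content-security-policy-report-only']);

function stripCspHeaders(responseHeaders) {
  return responseHeaders.filter((h) => !CSP_HEADERS.has(h.name.toLowerCase()));
}

// Constructed sample outcomes, one per row of the Behavior table plus a plain page error.
const SAMPLES = {
  noCsp: { ok: true, value: 42 },
  unsafeEval: { ok: false, error: "EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: \"script-src 'self'\"." },
  trustedTypes: { ok: false, error: "EvalError: Refused to evaluate a string as JavaScript because this document requires 'Trusted Type' assignment." },
  pageError: { ok: false, error: 'TypeError: window.foo is not a function' },
};

// Before/after view of the decision for each sample.
function behaviorTable() {
  const rows = {};
  for (const [name, attempt] of Object.entries(SAMPLES)) {
    rows[name] = {
      before: nextStep(attempt, { legacy: true }).action,
      after: nextStep(attempt).action,
    };
  }
  return rows;
}

console.table(behaviorTable());
```

While the per-tab strip is active the whole page, not only the extension's eval, runs without its header CSP, so the bypass is worth keeping scoped to the tab and the duration of the eval, which is how the PR describes the existing mechanism.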
coderabbitai (bot) commented Jun 19, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4b8e613e-acda-4325-8851-9e30d89939d1

📥 Commits

Reviewing files that changed from the base of the PR and between 9b8c4a6 and e008825.

📒 Files selected for processing (7)
  • cli/version.ts
  • extension/dist-mv2/background-electron.js
  • extension/dist-mv2/content.js
  • extension/dist-mv2/manifest.json
  • extension/manifest.json
  • extension/src/background/capabilities/evaluate.ts
  • package.json

📝 Walkthrough

The PR releases version 0.17.7. It tightens CSP/Trusted Types eval fallback control flow so blocked results fall through to the strip-and-reload path, gates accessibility tree landmark and heading nodes on computed element visibility, adds cooperative click interception via custom events, guards against duplicate content script handler registration, and bumps version strings across manifests and package files.

Changes

CSP / Eval Fallback, A11y Tree, Click Interception, Duplicate Guard

  • CSP / Trusted Types eval fallback control flow
    Files: extension/src/background/capabilities/evaluate.ts, extension/dist-mv2/background-electron.js
    handleEvaluateActions fallback now returns early only when the fallback succeeds or encounters a non-CSP error; CSP-still-blocked results fall through to the strip-and-reload path. The ISOLATED/Trusted-Types branch no longer returns early on failure.
  • A11y tree visibility gating
    Files: extension/dist-mv2/content.js
    buildA11yTree's walk precomputes style and selfVisible per element; landmark and heading nodes are emitted only when selfVisible is true; isVisible accepts an optional precomputed style; child traversal uses Array.from; recursion depth only increments for visible landmarks.
  • Cooperative click interception and duplicate injection guard
    Files: extension/dist-mv2/content.js
    dispatchClickSequence installs a temporary __interceptor_click_ack capture listener and dispatches __interceptor_click; on acknowledgement it returns early, skipping the standard event sequence. Content script bootstrap uses globalThis.__interceptorContentLoaded to prevent re-registering the onMessage handler and keepalive timer on re-injection.

Version Bump to 0.17.7

  • Version strings
    Files: package.json, extension/manifest.json, extension/dist-mv2/manifest.json, cli/version.ts
    Version incremented from 0.17.6 → 0.17.7 across all package and manifest files; VERSION constant in cli/version.ts updated from "0.17.2" → "0.17.7".

Sequence Diagram

sequenceDiagram
    participant ContentScript
    participant PageScript
    participant BackgroundSW

    rect rgba(100, 149, 237, 0.5)
        Note over ContentScript, PageScript: Cooperative Click Interception
        ContentScript->>ContentScript: install __interceptor_click_ack capture listener
        ContentScript->>PageScript: dispatchEvent(__interceptor_click, {x, y})
        alt interceptor ack received
            PageScript->>ContentScript: dispatchEvent(__interceptor_click_ack)
            ContentScript->>ContentScript: return early (skip pointer/mouse sequence)
        else no ack
            ContentScript->>ContentScript: dispatch standard pointer/mouse/click events
        end
    end

    rect rgba(144, 238, 144, 0.5)
        Note over ContentScript, BackgroundSW: CSP Eval Fallback
        ContentScript->>BackgroundSW: evaluate request
        BackgroundSW->>BackgroundSW: userScripts initial attempt
        alt still CSP-blocked after fallback
            BackgroundSW->>BackgroundSW: fall through to CSP-strip bypass + reload
            BackgroundSW->>BackgroundSW: MAIN world eval after CSP removed
        else fallback succeeded / non-CSP error
            BackgroundSW->>ContentScript: return fallback result
        end
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • Hacker-Valley-Media/Interceptor#106: Introduces the same dispatchClickSequence cooperative interception flow (__interceptor_click / __interceptor_click_ack custom events) and the selfVisible-gated accessibility tree walker logic that this PR builds upon.

Poem

🐰 A rabbit hops through CSP walls,
checking if the eval truly falls.
Visible headings now appear,
while clicks cooperate with a cheer!
Duplicate guards keep scripts in line —
version 0.17.7 looks divine! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)
  • Docstring Coverage ⚠️ Warning: docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
  • Description Check ✅ Passed: check skipped because CodeRabbit's high-level summary is enabled.
  • Title check ✅ Passed: the title accurately describes the main fix, routing Trusted-Types/CSP eval failures to the CSP-strip bypass, and includes the version bump (v0.17.7), which is reflected throughout the changeset.
  • Linked Issues check ✅ Passed: check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check ✅ Passed: check skipped because no linked issues were found for this pull request.

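The cooperative click protocol and the re-injection guard from the walkthrough and the sequence diagram above, as an added example that is not the project's content.js. A plain EventTarget stands in for `document` so it runs under Node; the {x, y} payload, the one-shot acknowledgement listener, the exact standard event order and the `register` callback are assumptions of this model, while the event names and the globalThis flag are the ones the walkthrough gives.

```javascript
// Added example; not code from the Interceptor repository.
// Models the __interceptor_click / __interceptor_click_ack handshake and the
// globalThis.__interceptorContentLoaded guard described in the PR #115 walkthrough.
// Payload shape, listener lifetime and event order are assumptions made here.

// Stand-in for CustomEvent so the example runs under Node (Event is global since Node 15).
class ClickEvent extends Event {
  constructor(type, detail) {
    super(type, { bubbles: true, cancelable: true });
    this.detail = detail;
  }
}

// The event sequence the content script falls back to when nobody acks (assumed order).
const STANDARD_SEQUENCE = ['pointerdown', 'mousedown', 'pointerup', 'mouseup', 'click'];

// Content-script side: offer the click to the page first; synthesize it only if unclaimed.
function dispatchClickSequence(target, x, y) {
  let acked = false;
  const onAck = () => { acked = true; };
  // Temporary capture listener, removed as soon as the offer has been dispatched.
  target.addEventListener('__interceptor_click_ack', onAck, { capture: true, once: true });
  try {
    target.dispatchEvent(new ClickEvent('__interceptor_click', { x, y }));
  } finally {
    target.removeEventListener('__interceptor_click_ack', onAck, { capture: true });
  }
  if (acked) return { handledBy: 'page', dispatched: [] };   // page claimed it: skip the sequence

  const dispatched = [];
  for (const type of STANDARD_SEQUENCE) {
    target.dispatchEvent(new ClickEvent(type, { x, y }));
    dispatched.push(type);
  }
  return { handledBy: 'content-script', dispatched };
}

// Page (MAIN-world) side: a script that wants to own clicks acks them synchronously.
function installPageInterceptor(target, onClick) {
  target.addEventListener('__interceptor_click', (e) => {
    onClick(e.detail);
    target.dispatchEvent(new ClickEvent('__interceptor_click_ack', e.detail));
  });
}

// Re-injection guard: run `register` (onMessage handler, keepalive timer) once per page.
// Returns true on the first injection, false on every later one.
function bootstrapContentScript(scope, register) {
  if (scope.__interceptorContentLoaded) return false;
  scope.__interceptorContentLoaded = true;
  register();
  return true;
}

// Demo: a page that claims clicks, a page that does not, and a double injection.
const claimingPage = new EventTarget();
installPageInterceptor(claimingPage, (d) => console.log('page handled click at', d));
console.log(dispatchClickSequence(claimingPage, 10, 20));   // handledBy: 'page'
console.log(dispatchClickSequence(new EventTarget(), 1, 2)); // handledBy: 'content-script'
const scope = {};
console.log(bootstrapContentScript(scope, () => {}), bootstrapContentScript(scope, () => {})); // true false
```

The ack has to arrive during the dispatch of `__interceptor_click`, because the listener is gone right after it; a page handler that acks asynchronously would be missed and the standard sequence would fire anyway. Any MAIN-world script that listens for the event can claim a click, so the content script is trusting the page here, which is the cooperative part of the design.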

ronaldeddings merged commit 0502b94 into main on Jun 19, 2026
2 checks passed
ronaldeddings deleted the fix/eval-trusted-types-csp-bypass branch on June 19, 2026 at 15:57
