investigation: Script proxy interceptor uBlock limitations#2
Merged
matheusmaiberg merged 13 commits intomainfrom Jan 28, 2026
Merged
Conversation
Documents why JavaScript-level URL redirection cannot bypass uBlock Origin's network-layer blocking mechanism. Explains the architectural limitation and recommends focusing on proven methods (first-party proxy, cookies, server-side). Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
Deploying with
|
| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ❌ Deployment failed View logs |
tracklay | 51a7e42 | Jan 28 2026, 08:38 PM |
Add CLAUDE.md with:
- Project architecture overview (8-module structure)
- Configuration management system
- Request routing and handlers
- Ultra-aggressive obfuscation mode (v3.0.0)
- Development workflow and deployment guide
- Key files reference and important decisions
Add feature module stubs (unimplemented):
- src/cache/dynamic-endpoints.js: Dynamic UUID-to-URL mapping
- src/handlers/dynamic-proxy.js: /x/{uuid} proxy handler
- src/proxy/url-extractor.js: URL extraction from JavaScript
These modules enable full script proxy mode for 100% first-party tracking.
Not yet integrated into router (in development).
Features: +289 insertions
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
…XY config Modernize codebase with ES6+ syntax and null-safety operators: - Replace function declarations with arrow functions (all modules) - Replace || with ?? (nullish coalescing) for safer falsy value handling - Replace || with optional chaining (?.) for nested property access - Use destructuring in parameters (src/handlers/*, src/core/*, src/utils/*) - Simplify conditional logic with modern patterns (ternaries, short-circuit) - Remove unnecessary intermediate variables - Improve type safety in null checks Add FULL_SCRIPT_PROXY configuration: - New CONFIG.FULL_SCRIPT_PROXY property (default: true) - Enables full script proxy mode for dynamic endpoint substitution - Integration with environment variables from wrangler.toml - Comprehensive JSDoc documentation of feature Improve router.js documentation: - Add comprehensive module-level JSDoc with architecture overview - Document ultra-aggressive obfuscation mode (scripts+endpoints same path) - Add routing table showing all supported routes - Improve method documentation with @param/@returns JSDoc - Clarify routing differentiation strategy (HTTP method vs query params) Affected 56 files: src/config/, src/core/, src/handlers/, src/proxy/, src/middleware/, src/headers/, src/utils/, src/routing/, src/cache/, worker.js No functional changes to core logic, improves maintainability and safety. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
Remove 18 documentation files from v2.x (BUG-BOUNTY, CAPI-V2, MIGRATION-V3, etc) Remove 6 Shopify integration examples (custom-pixel, server-side, tag-theme, etc) Preserve investigation findings by moving to docs/organizar/ for reference Migrate docs to cleaner, archived structure for historical lookup Update README.md and README.pt-BR.md: - Remove dead links to deleted documentation files - Replace with centralized reference to CLAUDE.md developer guide - Add link to docs/shopify/examples/advanced/ for code examples - Simplify documentation navigation for users Benefits: - Reduces main docs noise (9109 lines removed) - Focuses documentation on current v3.0.0 implementation - Maintains historical documentation in organized archive - Centralizes all setup/deployment info in CLAUDE.md Cleanup: -9109 lines, consolidates 24 obsolete docs Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
Add README.es.md with complete Spanish translation of: - Project overview and value proposition - Ultra-aggressive obfuscation mode documentation - Full Script Proxy feature explanation - Three deployment modes - Quick start guide (15 minutes) - Configuration options and advanced UUID rotation - Performance and security features - Troubleshooting guide - Real-world case studies - Project history and roadmap Update README.md and README.pt-BR.md: - Add Spanish language selector (🇪🇸 Español) - Maintain language switcher consistency across all versions - Link to README.es.md from both English and Portuguese versions Languages supported: English, Português, Español Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
Add two new language translations to expand global documentation: README.fr.md (Français): - Complete French translation of project overview - Ultra-aggressive obfuscation mode explained - Full Script Proxy feature documentation - Three deployment modes guide - Quick start in 15 minutes - Configuration and advanced options - Performance optimization details - Security features documented - Real-world case studies from European market - Troubleshooting guide README.de.md (Deutsch): - Complete German translation of project overview - Ultra-aggressive obfuscation strategy - Full Script Proxy implementation details - Three deployment approaches - 15-minute quick start guide - Configuration options documented - Advanced UUID rotation explained - Performance and security features - DACH market case studies - Comprehensive troubleshooting section Update all README files: - Add French and German language selectors - Maintain consistent language switcher format - 5 languages now supported: English, Portuguese, Spanish, French, German Languages supported: 🇺🇸 English, 🇧🇷 Português, 🇪🇸 Español, 🇫🇷 Français, 🇩🇪 Deutsch Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
…hopify) Remove noscript iframe fallback from module.gtm-loader.js: - Shopify requires JavaScript to be enabled - noscript fallback is unnecessary overhead - buildGtmIframeUrl() function removed (no longer used) - Updated JSDoc to reflect script-only implementation Changes: - Remove noscript iframe injection from init() function - Remove buildGtmIframeUrl() helper function - Update module description: removed "noscript iframe fallback" mention - Update init() JSDoc: removed step 6 about noscript fallback This simplifies the GTM loader and reduces unnecessary DOM manipulation. Pure JavaScript initialization is sufficient for Shopify environments. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
…d environment)
Remove unreliable addEventListener from DOMContentLoaded in GTM loader:
- Shopify Custom Pixel runs in a sandboxed environment
- addEventListener may not behave as expected in sandbox
- Rely on setTimeout retry mechanism which is more reliable
- Simpler and more predictable initialization flow
Changes:
- Remove document.addEventListener('DOMContentLoaded', tryInit)
- Keep setTimeout retry mechanism (50ms initial retry)
- Add comment explaining why addEventListener is not used
- Still check document.readyState for immediate initialization
This ensures initialization works reliably in Shopify's restricted environment.
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
…ocumentation Replace synchronous setTimeout polling with async/await initialization pattern for better readability and Shopify sandbox compatibility. Add detailed JSDoc comments explaining: - Document readyState polling approach (more reliable than addEventListener) - Why addEventListener doesn't work in Shopify Custom Pixel sandbox - Exponential backoff retry mechanism for handling transient failures - Shopify's recommended async initialization pattern - All DOM ready states and their equivalents This follows Shopify's official recommendations for Custom Pixel initialization and improves code maintainability for future developers. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
Delete obsolete v2.x documentation files that are no longer relevant: - BUGS-FIXED.md, BUGS-FOUND.md, LOGIC-ERRORS.md - INSTALL-ULTIMATE.md, TEST-COMMUNICATION.md - SCRIPT-PROXY-INVESTIGATION.md (moved to docs/organizar/ for historical reference) Simplify module naming by removing redundant "event-" prefix: - module.event-builder.js → module.builder.js - module.gtm-loader.js → module.loader.js - module.event-orchestrator.js (deleted - functionality merged into init pattern) This improves code clarity and reduces documentation clutter from v2.x era. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
The retry mechanism used arguments.callee() which is deprecated and fails in strict mode. Refactored to use a properly named function retryInitialization(attemptNum) for clean recursion. Changes: - Extracted retry logic into separate named function - Eliminates deprecated arguments.callee() pattern - More readable and maintainable for debugging - Proper exponential backoff with named recursion - Added JSDoc for retry function explaining the pattern This ensures the retry mechanism will work correctly in all JavaScript contexts including strict mode and optimized environments. Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
- Server-side event tracking (/cdn/events endpoint) - Auto-conversion for uppercase container IDs - CORS and UUID rotation fixes - ES6+ code modernization (56 files) - 5-language documentation support - No breaking changes from v3.0.0 Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
- Convert PROXY.DOMAIN from computed getter to static string - Remove Object.freeze from PROXY to improve compatibility - Keep DOMAIN as direct property for reliable access via getConfig() Resolves: TypeError when accessing GTM.PROXY.DOMAIN in Shopify sandbox Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
matheusmaiberg
deleted the
investigation/script-proxy-ublock-limitations
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
After testing the JavaScript-level script proxy interceptor with uBlock Origin enabled, we discovered that this approach cannot bypass uBlock because the ad-blocker operates at the browser's network layer, not the JavaScript layer.
The interceptor code is functionally correct (fixed critical bugs in fetch/XHR/beacon argument passing), but network-layer blocking happens BEFORE JavaScript execution.
Key Findings
✅ What Works:
❌ What Doesn't Work:
/lib/*requestsRoot Cause
uBlock Origin intercepts at the browser's network protocol layer:
Recommendation
See SCRIPT-PROXY-INVESTIGATION.md for detailed analysis.
Co-Authored-By: Claude Haiku 4.5 noreply@anthropic.com