How to disable CSP in Firefox for just bookmarklets?

Today I have noticed that I am unable to run bookmarklets on https://github.com/ due to Content Security Policy (CSP) restrictions. Is there a way to disable CSP in Firefox for just bookmarklets, and not everything else?

I noticed the security.csp.enable option in about:config, but this would disable CSP completely. The following message is logged to the console when activating a bookmarklet:

Timestamp: 04/22/2013 02:39:05 PM
Warning: CSP WARN:  Directive inline script base restriction violated

Source File: https://github.com/
Line: 0
Source Code:
javascript:...

GitHub says that it should work according to the spec, but no browser gets it right:

https://github.com/blog/1477-content-security-policy#bookmarklets

You should open a bug for your favorite browser for this issue, or vote for it:

  • Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=866522
  • Chromium: https://code.google.com/p/chromium/issues/detail?id=233903

You may try to convert your bookmarklets to Greasemonkey userscripts. They run in a privileged environment and are not subject to CSP.

However, of course, the intents of userscripts and bookmarklets are different: userscripts run automatically, while bookmarklets run on demand. You may circumvent this, e.g., by creating a <button> in the userscript, appending it to the page, and setting an onclick event listener on that button to fire the code of the bookmarklet.

Code should go like this:

// ==UserScript==
// @name            Name
// @description     Description
// @version         0.1
// @namespace       example.Lekensteyn
// @grant           none
// @include         http*://github.com/*/*/commit/*
// ==/UserScript==

// The bookmarklet body lives here. It runs from the userscript rather than
// from a javascript: URL, so the page's CSP does not block it.
var myBookmarklet = function () {
    // here goes the code of the bookmarklet
};

// Build a button that triggers the bookmarklet on demand.
var newButton = document.createElement('button');
// textContent rather than innerHTML: the label is plain text, not markup.
newButton.textContent = 'Execute my bookmarklet';

newButton.addEventListener('click', function (evt) {
    evt.preventDefault();
    myBookmarklet();
});

// Attach the button to the page. Replace 'someElement' with the id of a real
// container on the target page; the check avoids a TypeError if it is absent.
var container = document.getElementById('someElement');
if (container) {
    container.appendChild(newButton);
}

Taken nearly literally from my userscript, which also targets GitHub. You can debug userscripts in Firebug by using the debugger; keyword in the script.

Note, however, that Firebug itself is for now also subject to CSP, so you can't, e.g., execute code in the console (but you can inspect your userscripts in "read-only" mode). This is being taken care of in this bug.
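Added example, not part of the question or of either answer: a small parser for a Content-Security-Policy header value that reports whether the policy blocks inline script execution, which is the restriction that stops a javascript: bookmarklet on a site like GitHub in the browsers discussed above. It helps when deciding whether a given site needs the userscript workaround at all. The header strings are constructed samples, not GitHub's actual policy; run it with Node.js.

```javascript
// Parse a CSP header value into { directiveName: [sourceExpressions] }.
// A policy is a ';'-separated list of directives; each directive is a name
// followed by whitespace-separated source expressions.
function parseCsp(header) {
  var policy = {};
  header.split(';').forEach(function (part) {
    var tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) return;
    var name = tokens[0].toLowerCase();
    // Only the first occurrence of a directive is honoured; later duplicates are ignored.
    if (!(name in policy)) {
      policy[name] = tokens.slice(1);
    }
  });
  return policy;
}

// Return true if a bookmarklet (inline script with no nonce or hash) would be
// blocked by this policy.
function inlineScriptBlocked(header) {
  var policy = parseCsp(header);
  // script-src governs script; default-src is the fallback when it is absent.
  var sources = policy['script-src'] || policy['default-src'];
  if (!sources) {
    return false; // no applicable directive, so inline script is allowed
  }
  var hasNonceOrHash = sources.some(function (s) {
    return /^'(nonce-|sha(256|384|512)-)/i.test(s);
  });
  var hasUnsafeInline = sources.some(function (s) {
    return s.toLowerCase() === "'unsafe-inline'";
  });
  // 'unsafe-inline' permits inline script, but when a nonce or hash appears in
  // the same directive, CSP Level 2+ browsers ignore 'unsafe-inline'.
  // An empty source list (or 'none') blocks everything.
  return !(hasUnsafeInline && !hasNonceOrHash);
}

// Constructed sample policies for illustration (assumed values, not real headers).
var SAMPLE_STRICT = "default-src 'self'; script-src 'self' https://assets.example.test; style-src 'self' 'unsafe-inline'";
var SAMPLE_PERMISSIVE = "default-src 'self'; script-src 'self' 'unsafe-inline'";
var SAMPLE_FALLBACK = "default-src 'self'";
var SAMPLE_NONCE = "script-src 'unsafe-inline' 'nonce-abc123'";

if (typeof require !== 'undefined' && require.main === module) {
  [SAMPLE_STRICT, SAMPLE_PERMISSIVE, SAMPLE_FALLBACK, SAMPLE_NONCE].forEach(function (h) {
    console.log(JSON.stringify(h), '=> inline script blocked:', inlineScriptBlocked(h));
  });
}
```

The SAMPLE_STRICT case is the shape of policy that produces the "inline script base restriction violated" warning quoted in the question: script-src is present but lists neither 'unsafe-inline' nor anything a bookmarklet could satisfy. The SAMPLE_NONCE case shows the Level 2 subtlety that 'unsafe-inline' alone is not enough to conclude that bookmarklets work.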


I have created a work-around "fix" for this issue using a Greasemonkey userscript (in Firefox). You can now have bookmarklets on all CSP and https:// sites, plus have your bookmarklets in a nice, easily-editable library file instead of being individually squished into a bookmark.

See: https://groups.google.com/d/msg/greasemonkey-users/mw61Ynw5ORc/Gl_BNUhtSq0J