How to disable CSP in Firefox for just bookmarklets?

security firefox bookmarklet

Today I have noticed that I am unable to run bookmarklets on https://github.com/ due to Content Security Policy (CSP) restrictions. Is there a way to disable CSP in Firefox for just bookmarklets, and not everything else?

I noticed the security.csp.enable option in about:config, but this would disable CSP completely. The following message is logged to console when activating a bookmarklet:

Timestamp: 04/22/2013 02:39:05 PM
Warning: CSP WARN:  Directive inline script base restriction violated

Source File: https://github.com/
Line: 0
Source Code:
javascript:...

Github says that it should work according to the spec, but no browser gets it right:

https://github.com/blog/1477-content-security-policy#bookmarklets

You should open a bug for your favorite browser for this issue, or vote for it:

  • Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=866522
  • Chromium: https://code.google.com/p/chromium/issues/detail?id=233903

You may try to convert your bookmarklets to GreaseMonkey userscripts. They run in a privileged environment and are not subject to CSP.

However of course intents of userscripts and bookmarklets are different - userscripts run automatically while bookmarklets on-demand. You may circumvent this e.g. by creating a <button> in the userscript, appending it to the page, and setting a onclick event listener on that button to fire the code of the bookmarklet.

Code should go like this:

// ==UserScript==
// @name            Name
// @description     Description
// @version         0.1
// @namespace       example.Lekensteyn
// @grant           none
// @include         http*://github.com/*/*/commit/*
// ==/UserScript==

var myBookmarklet = function () {
    // here goes the code of the bookmarklet
};

var newButton = document.createElement('button');
newButton.innerHTML = 'Execute my bookmarklet';

newButton.addEventListener('click', function(evt) {
    myBookmarklet();
});

document.getElementById('someElement').appendChild(newButton);

Taken nearly literally from my userscript which is also targeting GitHub. You can debug userscripts in Firebug using debugger; keyword in the script.

Note however that Firebug itself is for now also subject to CSP, so you can't e.g. execute code in console (but you can inspect your userscripts in "read-only" mode). This is being taken care of in this bug.


I have created a work-around "fix" for this issue using a Greasemonkey userscript (in Firefox). You can now have bookmarklets on all CSP and https:// sites, plus have your bookmarklets in a nice, easily-editable library file instead of being individually squished into a bookmark.

See: https://groups.google.com/d/msg/greasemonkey-users/mw61Ynw5ORc/Gl_BNUhtSq0J

Related

Too many log files being created in Temp folder
Prevent diff from checking for newline at end of file
After Windows 10 Fall Creators Update recent used app will launch on startup
Openstreetmap: getting data of color #dddde8?
React routing using components (PageRenderer)
Error: Tablespace for table xxx exists. Please DISCARD the tablespace before IMPORT
How do I programmatically create a full-width Adaptive Card?
Trying to catch the exitcode from PowerShell Invoke-command with a BAT file
Ruby, class attribute with limited range
Service Worker Registration Failed
python fitting curve with integral func
Google App is Published on Internal Test Track but Can't Be Found/Downloaded