admin管理员组

文章数量:1384701

I have a simple Javascript bookmarklet that I put together to run the contents of an appropriate GitHub repository against an external tool:

javascript:(function(){ 
    var isApex = false;
    var sourceLangs = document.getElementsByClassName('lang');
        for (var i = 0; i < sourceLangs.length; ++i) {
        var l = sourceLangs[i]; 
        if(l.innerHTML == 'Apex') {
            isApex = true;
            // alert('This is an Apex repo');
        }
    }
    if(location.hostname != 'github' || isApex == false) {
        alert('This is not a GitHub Apex repository!');
    }
    else {
         window.open(''+location.pathname);
    }

})();

When I run it in Chrome or IE (after running it through Daring Fireball's JS bookmarklet builder, it works fine. In Firefox, it generates Content Security Policy errors:

[15:33:19.318] Content Security Policy: Directive inline script base restriction violated @

I've read this SE question on the topic, and the github blog post about CSP, which acknowledges that CSP shouldn't interfere with bookmarklets, but at that time (April 2013), "none of the browsers get this correct." Is it currently the case that Firefox still gets this wrong, but Chrome & IE do?

I also found a blog post about user scripts & CSP, and there the author was able to deal with the issue by including the code from a github repo. I tried that, modifying my bookmarklet to: 

javascript:document.body.appendChild(document.createElement("script")).src=".js";void(0)

But unsurprisingly, that didn't work for a bookmarklet, as the calling code is still ing from the browser.

In short - any ideas on how to get this bookmarklet to work on Firefox?

I have a simple Javascript bookmarklet that I put together to run the contents of an appropriate GitHub repository against an external tool:

javascript:(function(){ 
    var isApex = false;
    var sourceLangs = document.getElementsByClassName('lang');
        for (var i = 0; i < sourceLangs.length; ++i) {
        var l = sourceLangs[i]; 
        if(l.innerHTML == 'Apex') {
            isApex = true;
            // alert('This is an Apex repo');
        }
    }
    if(location.hostname != 'github.' || isApex == false) {
        alert('This is not a GitHub Apex repository!');
    }
    else {
         window.open('https://githubsfdeploy.herokuapp./app/githubdeploy'+location.pathname);
    }

})();

When I run it in Chrome or IE (after running it through Daring Fireball's JS bookmarklet builder, it works fine. In Firefox, it generates Content Security Policy errors:

[15:33:19.318] Content Security Policy: Directive inline script base restriction violated @ https://github./Groundwire/Campaign-Combiner

I've read this SE question on the topic, and the github blog post about CSP, which acknowledges that CSP shouldn't interfere with bookmarklets, but at that time (April 2013), "none of the browsers get this correct." Is it currently the case that Firefox still gets this wrong, but Chrome & IE do?

I also found a blog post about user scripts & CSP, and there the author was able to deal with the issue by including the code from a github repo. I tried that, modifying my bookmarklet to: 

javascript:document.body.appendChild(document.createElement("script")).src="https://raw.github./tet3/GitHubInstallerBookmarklet/master/GHIBkmarklet.js";void(0)

But unsurprisingly, that didn't work for a bookmarklet, as the calling code is still ing from the browser.

In short - any ideas on how to get this bookmarklet to work on Firefox?

  • javascript
  • firefox
  • bookmarklet
  • content-security-policy
Share Improve this question edited May 23, 2017 at 11:43 CommunityBot 11 silver badge asked Nov 6, 2013 at 21:00 Thomas TaylorThomas Taylor 1637 bronze badges 1
  • Firefox 69 and newer doesn't block bookmarklets anymore on pages with strict CSP (bugzilla.mozilla/show_bug.cgi?id=1478037), although with some limitations. – Rafael Commented Sep 26, 2020 at 21:24
Add a ment  | 

3 Answers 3

Reset to default 4

I've looked at this issue as well, mostly in Firefox. I wasn't aware it would work in Chrome; that might be a recent change. Short of FF changing to recognize bookmarklets as being outside the policy (as it should!), there is no work around. The script won't run, full stop, you are dead in the water.

Alternatives:

1.) Create an addon; or utilize an existing addon like Greasemonkey to run a userscript.

2.) Run the code in the web console. In FF, CTRL+Shift+K gets you there in a jiffy.

3.) FF's developer scratch pad also works. If you save the code in a file, you can access it relatively quickly using Shift+F4 (open scratchpad) > File > Open Recent > select your file > CTRL+R (run).

As a workaround to CSP blocking bookmarklets, you can tell your bookmarklet to load an external CSS stylesheet with your JS code injected into it. This is how my Top News Feed bookmarklet does. See my other answer.

I have created a work-around "fix" for this issue using a Greasemonkey userscript (in Firefox). You can now have bookmarklets on all CSP and https:// sites, plus have your bookmarklets in a nice, easily-editable library file instead of being individually squished into a bookmark.

See: http://www.donnelly-house/programming/js/bookmarklets/bookmarklets.php

本文标签: Javascript bookmarklet on site with CSP in FirefoxStack Overflow

版权声明:本文标题:Javascript bookmarklet on site with CSP in Firefox - Stack Overflow 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.betaflare.com/web/1744538376a2611455.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。