How to disable CSP in Firefox for just bookmarklets?

26

7

Today I have noticed that I am unable to run bookmarklets on https://github.com/ due to Content Security Policy (CSP) restrictions. Is there a way to disable CSP in Firefox for just bookmarklets, and not everything else?

I noticed the security.csp.enable option in about:config, but this would disable CSP completely. The following message is logged to console when activating a bookmarklet:

Timestamp: 04/22/2013 02:39:05 PM
Warning: CSP WARN:  Directive inline script base restriction violated

Source File: https://github.com/
Line: 0
Source Code:
javascript:...

Lekensteyn

Posted 2013-04-22T12:41:02.357

Reputation: 5 236
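The console message in the question is Firefox reporting that the page's Content-Security-Policy does not permit inline script, and browsers treat the javascript: URL of a bookmarklet as inline script. The following is an added example, not code from the question or from GitHub: it parses a CSP header the way a browser does (script-src, falling back to default-src, first occurrence of a directive wins) and says whether inline script, and therefore a bookmarklet, would be allowed. The sample headers are constructed for the example and are not GitHub's real policy.

```javascript
// Added example (not from the question or from GitHub): evaluate whether a
// Content-Security-Policy header lets inline script run. Browsers treat the
// javascript: URL of a bookmarklet as inline script, so this is the decision
// behind "Directive inline script base restriction violated".

// Parse "directive v1 v2; directive v3" into a Map: name -> source expressions.
// Per CSP, only the first occurrence of a directive name is honoured.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// script-src governs scripts; default-src is the fallback; with neither, CSP
// does not restrict script at all. Returns null in that last case.
function scriptSources(policy) {
  if (policy.has('script-src')) return policy.get('script-src');
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Inline script runs only if 'unsafe-inline' is listed. Host sources such as *
// or https://cdn.example.com never match inline code. In CSP Level 2 and later
// a nonce- or hash-source in the same directive makes browsers ignore
// 'unsafe-inline'.
function inlineScriptAllowed(header) {
  const sources = scriptSources(parseCsp(header));
  if (sources === null) return true;
  const lower = sources.map((s) => s.toLowerCase());
  const unsafeInline = lower.includes("'unsafe-inline'");
  const nonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return unsafeInline && !nonceOrHash;
}

// Human-readable verdict for one header, naming the directive that decided it.
function explainInlineScript(header) {
  const policy = parseCsp(header);
  const sources = scriptSources(policy);
  const where = policy.has('script-src') ? 'script-src'
    : policy.has('default-src') ? 'default-src (fallback)' : 'no directive';
  return (inlineScriptAllowed(header) ? 'ALLOWED' : 'BLOCKED') +
    ' [' + where + ': ' + (sources ? sources.join(' ') : '-') + ']';
}

// Constructed sample headers (not GitHub's real policy). The first resembles a
// site that whitelists an asset host only and therefore blocks bookmarklets.
const SAMPLE_HEADERS = [
  "default-src *; script-src https://assets.example.com; style-src 'self' 'unsafe-inline'",
  "script-src 'self' 'unsafe-inline'",
  "script-src 'nonce-d29ya2Vk' 'unsafe-inline'",
  "default-src 'self'",
  "img-src 'self'; report-uri /csp-report",
  "script-src 'unsafe-inline'; script-src 'none'",
];

for (const header of SAMPLE_HEADERS) {
  console.log(explainInlineScript(header) + '  <= ' + header);
}
```

Note the last sample: the second script-src is ignored, so a policy that looks locked down at a glance still allows inline script. The check answers only "would inline script run"; the GitHub blog entry quoted further down argues bookmarklets should not be counted as inline script at all, but as of the discussion no browser implements that distinction.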

Answers

8

You may try to convert your bookmarklets to GreaseMonkey userscripts. They run in a privileged environment and are not subject to CSP.

However, of course, the intents of userscripts and bookmarklets are different: userscripts run automatically, while bookmarklets run on demand. You may circumvent this e.g. by creating a <button> in the userscript, appending it to the page, and setting an onclick event listener on that button to fire the code of the bookmarklet.

Code should go like this:

// ==UserScript==
// @name            Name
// @description     Description
// @version         0.1
// @namespace       example.Lekensteyn
// @grant           none
// @include         http*://github.com/*/*/commit/*
// ==/UserScript==

// The former bookmarklet body lives in an ordinary function.
var myBookmarklet = function () {
    // here goes the code of the bookmarklet
};

// A button in the page gives the same on-demand trigger a bookmark would.
var newButton = document.createElement('button');
newButton.textContent = 'Execute my bookmarklet';

newButton.addEventListener('click', function (evt) {
    myBookmarklet();
});

// Replace 'someElement' with the id of the element that should host the button;
// fall back to the body so a missing element does not make appendChild throw.
var host = document.getElementById('someElement') || document.body;
host.appendChild(newButton);

Taken nearly literally from my userscript, which is also targeting GitHub. You can debug userscripts in Firebug using the debugger; keyword in the script.

Note however that Firebug itself is for now also subject to CSP, so you can't e.g. execute code in console (but you can inspect your userscripts in "read-only" mode). This is being taken care of in this bug.

jakub.g

Posted 2013-04-22T12:41:02.357

Reputation: 4 332

I don't understand... creating a button on the page to load the code when clicked doesn't work, it still throws a CSP exception – Michael – 2015-03-21T17:59:05.553

1

The on-demand feature is very important. I have bookmarklets that insert a quick eval-textarea with some features that does not fill a large part of the page, one for creating a QR code for the current page and some other smaller parts. Those are not GH-specific. The power of bookmarklets is that they can be created and removed very easily. GreaseMonkey was already installed, but that is not going to solve the CSP issue. Thanks for the suggestions, perhaps a solution for Firebug will also be of benefit for bookmarklets. – Lekensteyn – 2013-04-26T09:37:51.263

4

Unfortunately the Firebug fix will only fix Firebug itself. From the GitHub blog entry on CSP: As made clear by the CSP spec, browser bookmarklets shouldn't be affected by CSP. (..) But, none of the browsers get this correct. All cause CSP violations and prevent the bookmarklet from functioning. Perhaps you should investigate the case more thoroughly and report an issue on Bugzilla.

– jakub.g – 2013-04-26T12:27:04.573

2

BTW you can use GM_registerMenuCommand to make a function invocation on-demand. Don't forget @grant GM_registerMenuCommand. It adds an entry to the Greasemonkey menu, accessible under (GM logo) > User Script Commands.... That way you can easily convert your bookmarklets into userscripts.

– jakub.g – 2013-04-30T13:07:21.503
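The conversion jakub.g describes in the answer and in the GM_registerMenuCommand comment above, worked into one userscript that keeps several former bookmarklets in a single library and exposes each as an on-demand menu entry. This is an added example, not code from either post. GM_registerMenuCommand(caption, callback) is the real Greasemonkey API; the bookmarklet bodies, the @include pattern and the menu labels are made up for the example, and the plain-array fallback exists only so the same file runs outside Greasemonkey.

```javascript
// ==UserScript==
// @name         Bookmarklet library (added example, not from the original answer)
// @namespace    example.bookmarklet-library
// @version      0.1
// @include      https://github.com/*
// @grant        GM_registerMenuCommand
// ==/UserScript==

// Every former bookmarklet becomes a plain function that receives the page
// window. Nothing is executed from a javascript: URL, so the page's CSP is not
// involved; with a GM_ grant the script runs in Greasemonkey's sandbox.
// Bodies are illustrative, not taken from any real bookmarklet.
const bookmarklets = {
  'Count links on page': function (win) {
    return win.document.querySelectorAll('a[href]').length;
  },
  'Title and URL': function (win) {
    return win.document.title + ' <' + win.location.href + '>';
  },
  'List external hosts': function (win) {
    const hosts = new Set();
    for (const a of win.document.querySelectorAll('a[href]')) {
      try {
        const url = new URL(a.href, win.location.href);
        if (url.host !== win.location.host) hosts.add(url.host);
      } catch (e) {
        // skip hrefs that are not valid URLs
      }
    }
    return [...hosts].sort();
  },
};

// Register each bookmarklet as an on-demand menu entry. registerFn is passed in
// so the same code can be exercised with a fake menu outside Greasemonkey.
// Returns the labels that were registered.
function registerAll(registry, registerFn, win) {
  const registered = [];
  for (const [label, fn] of Object.entries(registry)) {
    registerFn(label, function () {
      const result = fn(win);
      console.log(label + ': ' + JSON.stringify(result));
      return result;
    });
    registered.push(label);
  }
  return registered;
}

// Fallback menu (a plain array) when GM_registerMenuCommand does not exist,
// e.g. when this file is run under Node rather than as a userscript.
const fallbackMenu = [];
const registerFn = (typeof GM_registerMenuCommand === 'function')
  ? GM_registerMenuCommand
  : function (label, callback) { fallbackMenu.push({ label: label, callback: callback }); };

// In the browser, wire everything up once at load time; invocation stays on demand.
if (typeof window !== 'undefined') {
  registerAll(bookmarklets, registerFn, window);
}
```

Adding a bookmarklet is then one more entry in the object, editable in the userscript editor rather than squeezed into a bookmark URL, which is the "library file" advantage William Donnelly's answer below describes.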

7

GitHub says that it should work according to the spec, but no browser gets it right:

https://github.com/blog/1477-content-security-policy#bookmarklets

You should open a bug for your favorite browser for this issue, or vote for it:

cweiske

Posted 2013-04-22T12:41:02.357

Reputation: 1 010

2

For the record, there is another Firefox bug specifically for basic bookmarklet functionality (less likely to get bogged down in discussion): https://bugzilla.mozilla.org/show_bug.cgi?id=1478037

– djpohly – 2018-10-22T18:42:03.600

To save others the click, bug 1478037 mentioned by @djpohly in the comment above is about allowing bookmarklets to run as long as they don't load external resources. – waldyrious – 2018-11-29T10:45:04.097

1

Many answers recommend user scripts (like TamperMonkey or GreaseMonkey), but I want to remind you that some pages are blacklisted for a reason by these extensions. (Sure, you can override the blacklisting, but the devs had security in mind and locked these pages out.)

For example, I wanted to use a bookmarklet to quickly go to ReviewMeta from any Amazon listing, but Amazon blocked insecure script sources (update: it wasn't blocked, but I had NoScript on, it's a shame). The user script extensions are blacklisted on banking and shopping sites by default to prevent malicious user scripts from being installed / used.

(P.S. This is not an answer per se but I thought it would be useful to keep this in mind before getting your hands on a userscript just to find the page blacklisted and hesitating from un-blacklisting it.)

DBX12

Posted 2013-04-22T12:41:02.357

Reputation: 166

0

I have created a work-around "fix" for this issue using a Greasemonkey userscript (in Firefox). You can now have bookmarklets on all CSP and https:// sites, plus have your bookmarklets in a nice, easily-editable library file instead of being individually squished into a bookmark.

See: https://groups.google.com/d/msg/greasemonkey-users/mw61Ynw5ORc/Gl_BNUhtSq0J

William Donnelly

Posted 2013-04-22T12:41:02.357

Reputation: 1

-1

If you want to run your bookmarklets on CSP-enabled websites in Firefox, you can use CSS stylesheets; see my answer on Stack Overflow.

niutech

Posted 2013-04-22T12:41:02.357

Reputation: 763