3

I have a bookmarklet which uses jQuery and parses some elements on the page. To use jQuery, I am creating a script tag (with src as the jQuery URL) dynamically and appending it to the head tag. This works well for many sites. But there are a few sites, like Facebook, for which the bookmarklet is not able to inject the external JS file into the DOM. I came to know that this behaviour is because of the response header "Content Security Policy", which prohibits the inclusion of scripts from any other unauthorized domain. This is to prohibit XSS attacks.

I have a genuine case to insert an external JS file into the DOM. Is there any workaround to bypass the Content Security Policy?

Engineer2021
Karthik TU

3 Answers

1

The spec says (at least I think it still does) that CSP should not prevent bookmarklets, but no browser has implemented this. Your only option is to disable CSP in the browser or use an extension.

oreoshake
  • I found this answer when encountering a similar problem. How can we disable CSP in the browser? Are there any extensions you would recommend that do this? Thanks – Eric Hepperle - CodeSlayer2010 Oct 24 '17 at 16:11
  • I’m sorry, I don’t know of one to recommend but I understand it’s fairly easy to modify response headers in extensions. For example, the caspr enforcer chrome extension overrides (but doesn’t remove) csp. You could also run a proxy that strips the headers. – oreoshake Oct 29 '17 at 07:21
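To see concretely why the script tag is refused on such sites, here is an added example that is not part of any answer above: a small checker of whether a page's CSP script-src directive permits a given external script URL. The policy string and host names are constructed for the example, not any real site's headers.

```javascript
// Added example, not code from the question or the answers: a minimal check of
// whether a page's CSP script-src directive would permit loading an external
// script, which is the situation the bookmarklet runs into. Covers the common
// source expressions ('self', 'none', *, scheme:, host with optional *. prefix
// and port); nonces, hashes and 'strict-dynamic' are deliberately out of scope.
const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Split "dir a b; dir2 c" into { dir: ['a', 'b'], dir2: ['c'] }.
function parseCsp(header) {
  const policy = {};
  for (const directive of header.split(';')) {
    const parts = directive.trim().split(/\s+/).filter(Boolean);
    if (parts.length) policy[parts[0].toLowerCase()] = parts.slice(1);
  }
  return policy;
}

// Does one source expression match the script URL, relative to the page URL?
function sourceMatches(expr, page, script) {
  const e = expr.toLowerCase();
  if (e === "'self'") return page.origin === script.origin;
  if (e.startsWith("'")) return false;          // 'none', 'unsafe-inline', nonces, hashes
  if (e === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return script.protocol === e;  // e.g. https:
  // host-source: [scheme://]host[:port][/path]; the path part is ignored here
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?(?:\/.*)?$/);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && script.protocol !== scheme + ':') return false;
  if (host.startsWith('*.') ? !script.hostname.endsWith(host.slice(1))
                            : script.hostname !== host) return false;
  const scriptPort = script.port || DEFAULT_PORT[script.protocol] || '';
  return !port || port === '*' || port === scriptPort;
}

// true if the policy lets the page at pageUrl load scriptUrl via <script src>.
function scriptAllowed(header, pageUrl, scriptUrl) {
  const policy = parseCsp(header);
  const sources = policy['script-src'] || policy['default-src'];
  if (!sources) return true;                     // no governing directive
  const page = new URL(pageUrl), script = new URL(scriptUrl);
  return sources.some(expr => sourceMatches(expr, page, script));
}

// Constructed policy in the style of a site that only trusts itself and its CDNs.
const STRICT_POLICY =
  "default-src 'self'; script-src 'self' *.example.com *.example-cdn.net 'unsafe-inline'";
```

With STRICT_POLICY, a `<script src="https://code.jquery.com/...">` appended by the bookmarklet is rejected while the site's own CDN hosts pass, which is exactly the behaviour the question describes.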
1

Self-contained bookmarklets are another possibility. Here's jQuery 3.3.1.

Dan
1

Take

javascript:(function(){

})();

And fill the empty line with the jQuery source code, for example the contents of https://code.jquery.com/jquery-3.4.1.min.js . Afterward set it as URL of your bookmark(let).

loxx