
I have created a bookmarklet. When a user clicks it, it adds to the page a script element with a src. This src, which contains the actual code, then gets loaded and executed on the page. Standard bookmarklet stuff.

However, it has now stopped working on Facebook.com. The script element does get added to the body, but the src is never loaded. I checked the network tab and it doesn't even attempt to load it.

<script src="https://mysite/bookmarklet.js?1399316963279">
    Reload the page to get source for: https://mysite/bookmarklet.js?1399316963279
</script>

(Edit: I also get that reload message when the bookmarklet worked. So that's not directly to do with it.)

This issue only occurs with Facebook. The bookmarklet works with other pages, also https pages (gmail). I've seen that other bookmarklets have this same issue on Facebook. I've tried in Firefox (and a bit in Chrome).

It used to work fine. Not sure when it stopped.

Any way around it?

EDIT: Now with the bookmarklet script.

javascript:(function(){var%20s=document.createElement('script'),p='';if(location.protocol%20===%20'https:'){p='s';}%20s.setAttribute('src','http'+p+'://mysite/bookmarklet.js?'+new%20Date().getTime());document.getElementsByTagName('body')[0].appendChild(s);})();
user984003
  • What does your bookmarklet code look like that runs? [I am not going to sign up for a service to get their code] – epascarello May 05 '14 at 19:06
  • This might help: http://stackoverflow.com/questions/8486165/what-can-cause-a-persistent-reload-the-page-to-get-source-for-error-in-firebug – Jordan Running May 05 '14 at 19:11
  • @Jordan That is something different, more of a general issue, not to do with javascript injection or bookmarklets. Also, I just checked and I get that "reload .." message even on sites where the bookmarklet works. So it's not that. – user984003 May 05 '14 at 19:17
  • Check your Javascript console for errors — anything in there about a Content-Security-Policy? –  May 05 '14 at 20:05
  • Nope, not seeing any errors. – user984003 May 05 '14 at 20:21
  • I wonder why you decided to do it that way? Couldn't you just put the script itself in the bookmarklet rather than putting a script tag linking to an external domain? – tomysshadow May 05 '14 at 21:02
  • This is pretty standard. The script is 600 lines long. This allows me to make updates. Otherwise the user needs to add a new button every time I make a change to the code. – user984003 May 06 '14 at 15:21

1 Answer


If you have a look at the headers sent from facebook.com you will see the following:

content-security-policy: default-src *;script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' https://*.akamaihd.net http://*.akamaihd.net *.atlassolutions.com chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl;style-src * 'unsafe-inline';connect-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.spotilocal.com:* https://*.akamaihd.net ws://*.facebook.com:* http://*.akamaihd.net https://fb.scanandcleanlocal.com:* *.atlassolutions.com http://attachment.fbsbx.com https://attachment.fbsbx.com;

They are whitelisting the domains that scripts can be loaded from, which is why yours is being blocked.

Rob M.
  • Do you know if a Firefox add-on would get around this? It works with my Chrome extension? – user984003 May 06 '14 at 01:09
  • It most likely would get around this as long as it wasn't including third-party scripts, as the page can't tell the difference between user-scripts and inline javascript. – Rob M. May 06 '14 at 01:37
  • This seems to be the issue. btw, I just tried and I can inject javascript using an add-on, but can't get it to make a request to my site http://stackoverflow.com/questions/23501645/content-security-policy-and-facebook-add-on-not-working – user984003 May 07 '14 at 06:13
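To make the answer's point concrete, here is an added example (not code from the question, the answer, or Facebook) that evaluates a CSP `script-src` directive against a script URL the way a browser does, using the header quoted in the answer. It assumes the question's placeholder host `mysite` and a page origin of `https://www.facebook.com/`; the matching rules are a simplified form of the CSP host-source and scheme-source matching (wildcard subdomains, ports, `'self'`, fallback from `script-src` to `default-src`), and it runs under Node without a DOM.

```javascript
// Added example: why a bookmarklet-injected <script src="https://mysite/..."> is never
// fetched on a page served with the Content-Security-Policy quoted in the answer.
// Header value copied from the answer; split over several lines for readability.
const FACEBOOK_CSP = [
  "default-src *;",
  "script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net",
  " *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:*",
  " *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' https://*.akamaihd.net http://*.akamaihd.net",
  " *.atlassolutions.com chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl;",
  "style-src * 'unsafe-inline';",
  "connect-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net",
  " *.facebook.net *.spotilocal.com:* https://*.akamaihd.net ws://*.facebook.com:* http://*.akamaihd.net",
  " https://fb.scanandcleanlocal.com:* *.atlassolutions.com http://attachment.fbsbx.com",
  " https://attachment.fbsbx.com;",
].join('');

const DEFAULT_PORTS = { http: 80, https: 443, ws: 80, wss: 443 };
// [scheme://]host[:port][/path], where host may be "*" or "*.example.com" and port may be "*"
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\*|\d+))?(\/\S*)?$/i;
const SCHEME_SOURCE = /^([a-z][a-z0-9+.-]*):$/i; // e.g. "https:"

// Parse "name value value; name value" into { name: [values] }.
// A repeated directive name is ignored: per the CSP spec the first occurrence wins.
function parseCsp(header) {
  const policy = {};
  for (const directive of header.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

function effectivePort(url) {
  const scheme = url.protocol.slice(0, -1).toLowerCase();
  return url.port !== '' ? Number(url.port) : DEFAULT_PORTS[scheme];
}

// "*" matches any host, "*.example.com" matches subdomains only (not example.com itself).
function hostMatches(pattern, hostname) {
  const p = pattern.toLowerCase();
  const h = hostname.toLowerCase();
  if (p === '*') return true;
  if (p.startsWith('*.')) return h.endsWith(p.slice(1));
  return h === p;
}

// Does one source expression permit fetching `url` from a document at `page`?
function sourceMatches(expr, url, page) {
  const urlScheme = url.protocol.slice(0, -1).toLowerCase();
  const pageScheme = page.protocol.slice(0, -1).toLowerCase();
  if (expr === '*') return !['data', 'blob', 'filesystem'].includes(urlScheme);
  if (expr.startsWith("'")) {
    // 'self' is the page's own origin; 'unsafe-inline', 'unsafe-eval', 'none' and
    // nonce/hash sources never match an external URL.
    return expr.toLowerCase() === "'self'" && url.origin === page.origin;
  }
  let m = SCHEME_SOURCE.exec(expr);
  if (m) {
    const s = m[1].toLowerCase();
    return s === urlScheme || (s === 'http' && urlScheme === 'https');
  }
  m = HOST_SOURCE.exec(expr);
  if (!m) return false; // unparseable expression: fail closed
  const [, scheme, host, port, path] = m;
  if (scheme) {
    const s = scheme.toLowerCase();
    if (s !== urlScheme && !(s === 'http' && urlScheme === 'https')) return false;
  } else if (urlScheme !== pageScheme && !(pageScheme === 'http' && urlScheme === 'https')) {
    // No scheme in the expression: the script's scheme must match the page's (https upgrade allowed).
    return false;
  }
  if (!hostMatches(host, url.hostname)) return false;
  if (port === undefined) {
    if (effectivePort(url) !== DEFAULT_PORTS[urlScheme]) return false;
  } else if (port !== '*' && effectivePort(url) !== Number(port)) {
    return false;
  }
  if (path && (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path)) return false;
  return true;
}

// Would a browser fetch `scriptUrl` for a <script src> inserted into a document at `pageUrl`?
function isScriptAllowed(cspHeader, scriptUrl, pageUrl) {
  const policy = parseCsp(cspHeader);
  // script-src governs script fetches; when absent, the browser falls back to default-src.
  const sources = policy['script-src'] || policy['default-src'];
  if (sources === undefined) return true; // nothing in the policy restricts scripts
  const url = new URL(scriptUrl);
  const page = new URL(pageUrl);
  return sources.some((expr) => sourceMatches(expr, url, page));
}

// Demo with the question's script URL (constructed page URL) and a CDN script Facebook itself could load.
const PAGE = 'https://www.facebook.com/';
for (const src of ['https://mysite/bookmarklet.js?1399316963279', 'https://static.ak.fbcdn.net/rsrc.php/app.js']) {
  console.log(src, '->', isScriptAllowed(FACEBOOK_CSP, src, PAGE) ? 'allowed' : 'blocked by script-src');
}
```

Because the block is never fetched, nothing appears in the network tab, which matches what the question observed; browsers do report the violation on the console (and to any `report-uri`), so a missing request with no console entry is the first thing to check for on a page you control. The same evaluator shows that `'unsafe-inline'` in this policy is what lets a browser extension's injected inline script run, while a request to a host outside the whitelist is still refused.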