I am creating a bookmarklet, and this is the bookmarklet script which, when clicked in the bookmarks toolbar, calls a JavaScript file which loads more content... On Google and Facebook, the file BookmarkletAc.js does not get loaded and shows a message "Reload the page to get source for:...". On other websites this file is called and the bookmarklet works fine, and I cannot see what the problem is. The file is blocked from loading, and I've read that there is no need to whitelist the domain to Facebook or Google, or am I wrong? What could be the problem?

```html
<a onclick="alert('Drag button to toolbar');return false;" href="javascript:(function(){var head=document.getElementsByTagName('head')[0],script=document.createElement('script');script.type='text/javascript';script.src='//www.example.com/bookmarklet/BookmarkletAc.js?sId='+Math.floor(Math.random()*99999);head.appendChild(script);})();" class="bookmarklet-button">Add bookmarklet</a>
```
Dušan

1 Answer

Facebook has a Content Security Policy which prevents any bookmarklet from working. A CSP can be set via the HTTP header for any page.

Based on my personal testing, Google's regular search pages do not block bookmarklets, but maybe you are testing on some other Google site or page.

I just answered a related question here: Content Security Policy for extensions and bookmarklets

DG.
  • Thanks for your answer. The problem seems to be that my resources are from http, and not https, so mixed protocols are causing a security issue – Dušan Aug 28 '14 at 06:15
  • If that is true, then your question was misleading. Your example code contains `//www.example.com/...`, which indicated that the external script is to be loaded using a relative protocol, which indicated that you were aware of the mixed protocol issue. In all fairness then, you should accept my answer since it is the best answer given the question that was actually asked. – DG. Oct 01 '14 at 04:17
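
The two failure modes raised in this thread (a Content Security Policy rejecting the script's origin, and an https page refusing an http script as mixed content) can be told apart with a simplified model. This is an added example, not code from the question or the answer; the function names, `site.test` and the sample policy are constructed, and only scheme, host, `*` and `'self'` sources are modelled.

```javascript
// Added example: simplified model of two browser checks on an injected <script>.
// Only scheme, host, '*' and 'self' sources are modelled (no nonces, hashes, paths, ports).
function sourceMatches(source, target, page) {
  if (source === "*") return /^https?:$/.test(target.protocol);
  if (source === "'self'") return target.origin === page.origin;
  if (source.startsWith("'")) return false; // 'none', 'unsafe-inline', ... never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return target.protocol === source;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/.exec(source);
  if (!m) return false;
  const scheme = m[1], host = m[2];
  if (scheme && scheme + ":" !== target.protocol) return false;
  if (host.startsWith("*.")) return target.hostname.endsWith(host.slice(1));
  return target.hostname === host; // simplification: a scheme-less host accepts any scheme
}

function checkInjectedScript(pageUrl, scriptSrc, cspHeader) {
  const page = new URL(pageUrl);
  const target = new URL(scriptSrc, page); // '//host/path' inherits the page's scheme
  const url = target.href;
  if (page.protocol === "https:" && target.protocol === "http:") {
    return { url, allowed: false, reason: "mixed-content" };
  }
  const directives = new Map();
  for (const part of (cspHeader || "").split(";")) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    if (name && !directives.has(name)) directives.set(name, sources); // first one wins
  }
  const list = directives.get("script-src-elem") ?? directives.get("script-src")
    ?? directives.get("default-src");
  if (list && !list.some((s) => sourceMatches(s, target, page))) {
    return { url, allowed: false, reason: "csp" };
  }
  return { url, allowed: true, reason: "none" };
}

// Constructed inputs: the policy below is illustrative, not any real site's header.
const SRC = "//www.example.com/bookmarklet/BookmarkletAc.js";
const POLICY = "default-src 'self'; script-src 'self' https://*.cdn.example.net";
console.log(checkInjectedScript("https://site.test/", SRC, POLICY));       // blocked by CSP
console.log(checkInjectedScript("https://site.test/", "http:" + SRC, "")); // mixed content
```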