Does Mozilla's CSP block executing JavaScript from a bookmark by default?

Can it be configured to do so?

Mike West
PiTheNumber

  • Just curiosity, why would you want to disable bookmarklets? – ThiefMaster Sep 30 '11 at 08:17
  • I don't, I'm just worried someone else might do that because they do not want to have JavaScript injected on their webpage. – PiTheNumber Sep 30 '11 at 08:21
  • There are always things like greasemonkey. If the **user** decides that he wants to inject javascript in the website that will only affect himself it's nobody's right to prevent him from doing it. – ThiefMaster Sep 30 '11 at 08:24
  • Greasemonkey will have the same problem. They may be able to rewrite the HTTP header or change the browser settings. – PiTheNumber Sep 30 '11 at 08:35
  • I'm sure GM will not. It's a browser extension so it's generally immune to security restrictions - and scripts don't directly execute in the site's context. – ThiefMaster Sep 30 '11 at 08:37

4 Answers

23

As of 2017, the answer is still a definitive "maybe" - just like when this answer was originally posted in 2011. The specification clearly says:

Policy enforced on a resource SHOULD NOT interfere with the operation of user-agent features like addons, extensions, or bookmarklets.

And this is indeed the behavior I see in Chrome 61: a bookmarklet will run on https://addons.mozilla.org/, a site that has a strict content security policy without script-src: 'unsafe-inline'. Yet in Firefox 56 bookmarklets won't run on this website and a CSP violation is being reported.

There is a very long discussion on this issue in the Firefox bug report, in particular linking to a similar discussion on the W3C spec. So as of now, you cannot really rely on bookmarklets being unaffected by CSP. You can always disable CSP altogether, but that's one important protection layer less for you.

Wladimir Palant

5

The behavior is specified in Mozilla's wiki.

CSP should not interfere with the operation of user-supplied scripts (such as browser add-ons and bookmarklets).

Have a look here: https://wiki.mozilla.org/Security/CSP/Specification#Non-Normative_Client-Side_Considerations

sfx

4

Yes, the CSP blocks bookmarklets in Mozilla Firefox. There is a bug about it.

However, you can get around this restriction by injecting the JS code into an external CSS stylesheet, like my Top News Feed bookmarklet does:

External CSS:

#topnewsfeed { font-family: '(function(){/*payload*/})()'; }

Bookmarklet JS:

(function() {
    // Load the external stylesheet whose font-family value carries the JS payload
    var a = document.createElement("link");
    a.rel = "stylesheet";
    a.href = "//niutech.github.io/topnewsfeed/topnewsfeed.css";
    a.onload = function() {
        // Read the computed font-family of the styled element
        // (b is assigned below, before the stylesheet's onload can fire)
        var a = b.currentStyle ? b.currentStyle.fontFamily : document.defaultView.getComputedStyle(b, null).fontFamily;
        // Strip the surrounding quotes and backslash escapes, then evaluate the string as code
        eval(a.replace(/^["']|\\|["']$/g, ""));
    };
    document.body.appendChild(a);
    // The element whose style is read once the stylesheet has loaded
    var b = document.createElement("div");
    b.id = "topnewsfeed";
    document.body.appendChild(b);
})()

The bookmarklet loads a CSS file containing JS code, adds an element styled by this CSS, reads the element's computed style and evals the code.

Alex78191
niutech
  • `Refused to load the stylesheet 'https:///bookmarklet.css' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline' 'unsafe-eval' assets-cdn.github.com".` – Michael Mar 21 '15 at 17:22
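The two questions this thread keeps circling back to are whether a page's `script-src` would permit an inline bookmarklet at all (the accepted answer and the last comment on the page), and whether the stylesheet trick above survives a restricted `style-src` (the comment directly above shows it does not on github.com). The following is an added example, not code from any answer here, that evaluates a CSP string for both questions; it implements a simplified CSP source-expression matcher (no http-to-https upgrade, prefix-only path matching, `default-src` fallback) and evaluates the policy fragment quoted in the comment above, which is the only real policy on the page. The page URL `https://github.com/` and the example.com policies are constructed for illustration.

```javascript
// Added example: a small CSP evaluator for the two questions raised in the
// thread. Host matching is simplified (no http->https upgrade, prefix-only
// path match); constructed sample inputs are at the bottom.

// Parse "directive value value; directive value" into a Map of
// directive name -> array of source expressions. As in browsers, the
// first occurrence of a directive wins and later duplicates are ignored.
function parsePolicy(policy) {
  const directives = new Map();
  for (const token of policy.split(";")) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, parts.slice(1));
  }
  return directives;
}

// Fetch directives fall back to default-src when absent; null means the
// policy places no restriction at all on that resource type.
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  if (directives.has("default-src")) return directives.get("default-src");
  return null;
}

function defaultPort(protocol) {
  return { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" }[protocol] || "";
}

// Does one source expression permit fetching `url` from a page at `page`?
function sourceMatches(expr, url, page) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.origin === page.origin;
  if (e === "*") return ["http:", "https:", "ws:", "wss:"].includes(url.protocol);
  if (e.startsWith("'")) return false; // keywords, nonces, hashes never match a host
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e; // scheme-source
  // host-source: [scheme://]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (url.protocol !== (scheme ? scheme + ":" : page.protocol)) return false;
  const urlHost = url.hostname.toLowerCase();
  if (host.startsWith("*.") ? !urlHost.endsWith(host.slice(1)) : host !== urlHost) return false;
  if (port && port !== "*" && port !== (url.port || defaultPort(url.protocol))) return false;
  if (path && !url.pathname.startsWith(path)) return false;
  return true;
}

// Would an external stylesheet at stylesheetUrl load on a page at pageUrl?
// Scheme-relative URLs such as "//host/x.css" resolve against the page URL.
function allowsStylesheet(policy, pageUrl, stylesheetUrl) {
  const sources = effectiveSources(parsePolicy(policy), "style-src");
  if (sources === null) return true;
  const page = new URL(pageUrl);
  const url = new URL(stylesheetUrl, pageUrl);
  return sources.some((s) => sourceMatches(s, url, page));
}

// Would inline script be allowed? A javascript: bookmarklet is inline script
// in browsers that apply the page's policy to it, as the Firefox answers above
// report. 'unsafe-inline' is ignored once a nonce, hash or 'strict-dynamic'
// source is present in the same directive.
function allowsInlineScript(policy) {
  const sources = effectiveSources(parsePolicy(policy), "script-src");
  if (sources === null) return true;
  const lower = sources.map((s) => s.toLowerCase());
  const inlineIgnored = lower.some((s) =>
    /^'(nonce-|sha256-|sha384-|sha512-|strict-dynamic)/.test(s));
  return !inlineIgnored && lower.includes("'unsafe-inline'");
}

// Constructed sample: the policy fragment quoted in the comment above,
// evaluated for a (hypothetical) page on github.com.
const GITHUB_STYLE_POLICY =
  "style-src 'self' 'unsafe-inline' 'unsafe-eval' assets-cdn.github.com";

console.log(allowsStylesheet(GITHUB_STYLE_POLICY, "https://github.com/",
  "//niutech.github.io/topnewsfeed/topnewsfeed.css")); // false: github.io is not listed
console.log(allowsInlineScript("script-src 'self'")); // false: no 'unsafe-inline'
```

The stylesheet check is the reason the comment above fails: `style-src` names only `'self'` and `assets-cdn.github.com`, so a `<link>` pointing at github.io is refused before any font-family value can be read. The inline-script check captures the other half of the thread: on a browser that applies the page policy to bookmarklets, any `script-src` that lacks `'unsafe-inline'` (or neutralises it with a nonce or hash) blocks them, which is what the `bookmarklet = unsafe-inline` remark at the end of the page means.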
0

I have created a work-around "fix" for this issue using a Greasemonkey userscript (in Firefox). You can now have bookmarklets on all CSP and https:// sites, plus have your bookmarklets in a nice, easily-editable library file instead of being individually squished into a bookmark.

See: https://groups.google.com/d/msg/greasemonkey-users/mw61Ynw5ORc/Gl_BNUhtSq0J

Bill D
  • This method does not work because the bookmarklet can't be executed (bookmarklet = `unsafe-inline`) – mems Jan 17 '17 at 13:31