Open brutasse opened 11 years ago
Hah, apparently the CSP spec says bookmarklets shouldn't be impacted and browsers (Firefox in this case) are limiting things a bit too much.
It looks like Chrome does the same actually :/ That's a bit rough. Any idea about what we could do? Thanks!
Hah, I hadn't tested on Chrome, it fails as well here…
I guess the best we could do is file bug reports on the Firefox and Chrome/Webkit bug trackers. I didn't find any mention of bookmarklets on their bug trackers.
https://bugs.webkit.org/buglist.cgi?quicksearch=CSP
https://bugzilla.mozilla.org/show_bug.cgi?id=CSP
There is also http://csptesting.herokuapp.com/ which doesn't seem to be testing bookmarklets (well, how would it?).
The github blog post mentions bookmarklets, maybe it'll be noticed by browser teams.
I have a couple of contacts on the WebKit team, maybe I can ping them about that…
Indeed, it looks like it's going to be a problem. I submitted 2 issues:
Let's hope that these get addressed eventually. The great news though is that both the FF and the Chrome extensions are not affected at this point by CSP.
I'm still waiting for browser vendors to fix this!
@julien51 Still working on this?
@dragon788 I guess I'm still waiting for fixes from the browser vendors :(
Can someone please test this (more) bookmarklet?
```javascript
// Navigates the current tab to the subscribe page, passing the page URL as the resource
javascript:location.href='https://www.subtome.com/#/subscribe?resource='+document.URL;
// Same navigation, but also opens the subscribe page in a new window
javascript:window.open(location.href='https://www.subtome.com/#/subscribe?resource='+document.URL);
```
github.com implements Content-Security-Policy to provide a whitelist of domains from which to load assets. When using the bookmarklet the loading of load.js is forbidden since subtome.com is not in the list of allowed sources.
This only affects the bookmarklet and probably means that browser extensions will be needed for browsers other than Chrome as people implement CSP in their websites.
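As an added example (not code from this issue or from the subtome project), a small Python checker that answers the question the opening post raises: given a site's Content-Security-Policy header, would a bookmarklet's script load from subtome.com be permitted? The policy string and URLs are constructed to resemble the allow list described above, not github.com's actual policy.

```python
"""Would a page's CSP let a bookmarklet load a script from subtome.com?
Added example; the policy string is constructed, not github.com's real one."""
from urllib.parse import urlparse

# Constructed policy: scripts only from the page's own origin and one CDN.
GITHUB_LIKE_CSP = "default-src 'self'; script-src 'self' assets-cdn.github.com"


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _host_matches(pattern: str, host: str) -> bool:
    # Host-source with an optional leading '*.' (e.g. *.subtome.com)
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def script_allowed(header: str, script_url: str, page_url: str) -> bool:
    """True if script-src (or default-src as fallback) permits script_url."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True  # no applicable directive: the load is unrestricted
    script, page = urlparse(script_url), urlparse(page_url)
    for src in sources:
        if src == "'none'":
            return False
        if src == "'self'":
            if (script.scheme, script.netloc) == (page.scheme, page.netloc):
                return True
            continue
        if src.startswith("'"):
            continue  # 'unsafe-inline', nonces, hashes are not host sources
        if src.endswith(":"):  # scheme-source such as https:
            if script.scheme == src[:-1].lower():
                return True
            continue
        pat = urlparse(src if "//" in src else "//" + src)
        if pat.scheme and pat.scheme != script.scheme:
            continue
        if _host_matches(pat.hostname or "", script.hostname or ""):
            return True
    return False
```

With the constructed policy, `script_allowed(GITHUB_LIKE_CSP, "https://www.subtome.com/load.js", "https://github.com/")` is False, which is exactly the blocked load.js the post describes; the redirect-style bookmarklets in the thread avoid the problem because they navigate instead of injecting a script.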