Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
253 views
in Technique[技术] by (71.8m points)

javascript - Does Content Security Policy block bookmarklets?

Does Mozillas CSP block to execute Javascript from a bookmark by default?

Can it be configured to do so?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

As of 2017, the answer is still a definitive "maybe" - just like when this answer was originally posted in 2011. The specification clearly says:

Policy enforced on a resource SHOULD NOT interfere with the operation of user-agent features like addons, extensions, or bookmarklets.

And this is indeed the behavior I see in Chrome 61: a bookmarklet will run on https://addons.mozilla.org/, a site that has a strict content security policy without script-src: 'unsafe-inline'. Yet in Firefox 56 bookmarklets won't run on this website and a CSP violation is being reported.

There is a very long discussion on this issue in the Firefox bug report, in particular linking to a similar discussion on the W3C spec. So as of now, you cannot really rely on bookmarklets being unaffected by CSP. You can always disable CSP altogether, but that's one important protection layer less for you.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...