Bookmarklets don't work on https:// sites
I maintain a bookmarklet that people use as an aid with the site http://nbviewer.ipython.org. The bookmarklet simply looks at the user's current URL and then opens a new tab if the current URL parses to something that will work on nbviewer. As of Firefox 21 this bookmarklet doesn't work on https:// sites such as GitHub. It works on http:// sites and everything works fine in Chrome. Text of bookmarklet is at https://github.com/jiffyclub/open-in-nbviewer/blob/master/bookmarklet/nbviewer_bookmarklet.js. Is there anything I can do to get this working for people?
According to the Mozilla wiki bookmarklets should be unaffected by browser security settings: https://wiki.mozilla.org/Security/CSP/Specification#Non-Normative_Client-Side_Considerations.
Here's an example where the bookmarklet will work: http://iupr1.cs.uni-kl.de/~tmb/ncso/00-introduction.ipynb
And here's one where it won't: https://raw.github.com/jiffyclub/ipythonblocks/master/demos/Firework.ipynb
Modified
الحل المُختار
You can vote for this bug to show your interest in getting this fixed.
- bug 866522 - Bookmarklets affected by CSP
Please DO NOT comment in bug reports: https://bugzilla.mozilla.org/page.cgi?id=etiquette.html
Read this answer in context 👍 2All Replies (4)
That is because of the CSP header that Github is sending.
I noticed this a while back when I wanted to check the CSS file with a bookmarklet and it didn't work.
X-Content-Security-Policy: default-src *; script-src 'self' https://github.global.ssl.fastly.net https://jobs.github.com https://ssl.google-analytics.com https://collector.githubapp.com https://analytics.githubapp.com; style-src 'self' 'unsafe-inline' https://github.global.ssl.fastly.net; object-src 'self' https://github.global.ssl.fastly.net
- https://developer.mozilla.org/en-US/docs/Security/CSP/Introducing_Content_Security_Policy
- https://developer.mozilla.org/en/Security/CSP/Introducing_Content_Security_Policy
Running bookmarklets would require to disable this security feature (security.csp.enable).
Of course this is not recommended.
According to https://wiki.mozilla.org/Security/CSP/Specification#Non-Normative_Client-Side_Considerations CSP should explicitly not interfere with the operation of bookmarklets. Does the fact that it does interfere mean there's a bug in Firefox?
The bookmarklet was working fine for Firefox users up until Firefox 21, and unless I'm wrong CSP is a bit older than that.
الحل المُختار
You can vote for this bug to show your interest in getting this fixed.
- bug 866522 - Bookmarklets affected by CSP
Please DO NOT comment in bug reports: https://bugzilla.mozilla.org/page.cgi?id=etiquette.html
Great, thanks!