Bookmarklets cannot be executed on sites with restrictive content security policies (CSP) #4331

Open
philc opened this issue Oct 11, 2023 · 3 comments

Owner

philc commented Oct 11, 2023

When opening bookmarklets (bookmarks with a javascript:// URL) via the Vomnibar, they will fail to run if the page has a restrictive CSP. The error is

Refused to execute inline script because it violates the following Content Security Policy directive

Examples of pages with restrictive CSPs: github.com, developer.mozilla.org.

This is a new limitation in Vimium v2.0 because we've moved to Manifest v3.

This is a known API limitation with Manifest V3, and the intention is to eventually resolve it. The design for a userscripts API is being tracked in the w3c extensions repo. As of 2023-10-11, it doesn't look like implementation has yet been started in Chrome.
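Why a page's policy produces the "Refused to execute inline script" error quoted above, as an added example that is not part of the issue thread or Vimium's code: it evaluates CSP header values against the inline-script rules of CSP Level 3. The function names are hypothetical, and any policy strings passed to it are constructed samples, not the real headers of the sites named above.

```javascript
// Added example (not Vimium code). Policies passed in are constructed samples.
// Inline <script> elements and javascript: navigations are checked against
// script-src-elem, falling back to script-src, then default-src (CSP Level 3).
const FALLBACK = ["script-src-elem", "script-src", "default-src"];
const NONCE_OR_HASH = /^'(nonce|sha256|sha384|sha512)-/;

function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Per the CSP parsing rules, a duplicate directive is ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

function checkPolicy(policy) {
  const directives = parsePolicy(policy);
  const directive = FALLBACK.find((d) => directives.has(d)) || null;
  if (!directive) return { allowed: true, directive, reason: "no directive governs scripts" };
  const sources = directives.get(directive);
  // Injected code carries no nonce and matches no hash, so these sources block it.
  if (sources.some((s) => NONCE_OR_HASH.test(s))) {
    return { allowed: false, directive, reason: "nonce/hash source present, 'unsafe-inline' is ignored" };
  }
  if (sources.includes("'strict-dynamic'")) {
    return { allowed: false, directive, reason: "'strict-dynamic' present, 'unsafe-inline' is ignored" };
  }
  if (!sources.includes("'unsafe-inline'")) {
    return { allowed: false, directive, reason: "'unsafe-inline' not listed" };
  }
  return { allowed: true, directive, reason: "'unsafe-inline' listed" };
}

// A page may deliver several policies; every one of them must allow the script.
function inlineScriptVerdict(policies) {
  for (const policy of policies) {
    const verdict = checkPolicy(policy);
    if (!verdict.allowed) return verdict;
  }
  return { allowed: true, directive: null, reason: "no enforced policy blocks inline script" };
}
```

The `directive` field of a blocking verdict is the one the browser names in its console error.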

philc added a commit that referenced this issue Oct 11, 2023
This fixes #4329.

Note that bookmarklets will still raise an error if the site has a restrictive CSP. For the full
solution, we need a new API from Chrome. This is tracked in #4331.
Contributor

mkobayashime commented Oct 20, 2023

For some power users who want to maintain the ability to instantly search and execute bookmarklets in pages with CSP while using the latest (distributed on the Store) version of Vimium, I found a Chrome Extension specialized in bookmarklets: Powerlet.

Note: The reason why this extension can execute bookmarklets in pages with CSP while Vimium can't is simply that it has not migrated to MV3, so don't regard it as a perfect solution.

@philc
My apologies for promoting another extension here. I'll remove this comment immediately if you don't like it.
I truly appreciate your hard work migrating to MV3, and hope the discussion and implementation of the UserScripts API progress nicely!

Contributor

rmacklin commented Apr 3, 2024

FYI regarding:

> The design for a userscripts API is being tracked in the w3c extensions repo. As of 2023-10-11, it doesn't look like implementation has yet been started in Chrome.

That issue was updated on 2024-03-20 with this comment: w3c/webextensions#279 (comment) that mentions:

> This is implemented in Chrome.

Contributor

gdh1995 commented May 19, 2024

As far as I know, the new scripting API doesn't accept dynamic code - https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/scripting/executeScript says only JS files and functions in an extension package can be executed.
