CSP

[Garito]

Hi!
Are you aware that your bookmarklet doesn't work with CSP implemented?

Ask if you need some help on that...

[zeman]

Wasn't aware of that and would love some pointers on how to deal with it.

[Garito]

Thinking slower, I don't know any way we could affect this directives (that's their main purpose: avoid external scripts to be avoided)
Would be nice to have a most informed opinion that mine. I know how it works and how to implement it (that's part of my job) but because of that

[quantumpacket]

This should not be the case. The browsers may to be breaking from the actual CSP 1.0 spec, which states:

Enforcing a CSP policy should not interfere with the operation of user-supplied scripts such as third-party user-agent add-ons and JavaScript bookmarklets.

But the specs don't go into detail regarding such a situation. The problem is arising due to the bookmarklet loading an external script. Common sense says the bookmarklet being whitelisted should have all it's actions whitelisted as well, but that's not happening.

There are some bug reports open for the following:
Firefox - https://bugzilla.mozilla.org/show_bug.cgi?id=866522
Chrome - https://code.google.com/p/chromium/issues/detail?id=233903

Also, W3C email thread http://lists.w3.org/Archives/Public/public-webappsec/2014Jul/0061.html