Does Content Security Policy block bookmarklets?

Does Mozilla's CSP block executing JavaScript from a bookmark by default?

Can it be configured to do so?

PiTheNumber asked Sep 30 '11 08:09

2 Answers

As of 2017, the answer is still a definitive "maybe" - just like when this answer was originally posted in 2011. The specification clearly says:

Policy enforced on a resource SHOULD NOT interfere with the operation of user-agent features like addons, extensions, or bookmarklets.

And this is indeed the behavior I see in Chrome 61: a bookmarklet will run on https://addons.mozilla.org/, a site that has a strict content security policy without script-src: 'unsafe-inline'. Yet in Firefox 56 bookmarklets won't run on this website and a CSP violation is being reported.

There is a very long discussion on this issue in the Firefox bug report, in particular linking to a similar discussion on the W3C spec. So as of now, you cannot really rely on bookmarklets being unaffected by CSP. You can always disable CSP altogether, but that's one important protection layer less for you.

Wladimir Palant answered Sep 22 '22 06:09

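Before attributing a blocked bookmarklet to browser behaviour, it helps to know what the policy itself permits. The following is an added example (mine, not the answerer's or Mozilla's code) that parses a Content-Security-Policy header and reports whether the directive governing inline script allows it, following the CSP fallback and nonce/hash rules; the sample policies are constructed for illustration.

```javascript
// Added example, not from the answer above: parse a Content-Security-Policy
// header and report whether the policy itself permits inline script such as
// a javascript: bookmarklet. Whether a given browser then exempts bookmarklets
// anyway (the "SHOULD NOT interfere" clause) is a separate, browser-specific
// decision that this check cannot make.

function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers honour the first occurrence of a directive and ignore repeats.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Returns { allowed, directive }: directive is the one a violation report's
// effective-directive field would name, or null if nothing governs script.
function inlineScriptAllowed(header) {
  const policy = parseCsp(header);
  // CSP3 fallback chain for javascript: navigations and inline script.
  const directive = ['script-src-elem', 'script-src', 'default-src']
    .find((d) => policy.has(d)) || null;
  if (directive === null) return { allowed: true, directive };
  const sources = policy.get(directive).map((s) => s.toLowerCase());
  // CSP2+: a nonce or hash source in the directive disables 'unsafe-inline'.
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  const allowed = sources.includes("'unsafe-inline'") && !hasNonceOrHash;
  return { allowed, directive };
}

// Constructed sample policies (not taken from any real site).
const SAMPLE_POLICIES = {
  strict: "default-src 'self'; script-src 'self' https://cdn.example; object-src 'none'",
  lax: "default-src 'self'; script-src 'self' 'unsafe-inline'",
  nonced: "script-src 'nonce-r4nd0m' 'unsafe-inline'",
  noScriptDirective: "img-src 'self'",
};

for (const [label, csp] of Object.entries(SAMPLE_POLICIES)) {
  console.log(label, inlineScriptAllowed(csp));
}
```

The `directive` field matches what a CSP violation report names as its effective directive, which is the quickest way to confirm that a report like the one seen in Firefox 56 came from the script-src policy rather than from some other directive.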


The behavior is specified in Mozilla's wiki.

CSP should not interfere with the operation of user-supplied scripts (such as browser add-ons and bookmarklets).

Have a look here: https://wiki.mozilla.org/Security/CSP/Specification#Non-Normative_Client-Side_Considerations

sfx answered Sep 22 '22 06:09