Closed
Bug 1077064
Opened 10 years ago
Closed 9 years ago
Bookmarklet regarded as inline script during enforcement of Content Security Policy
Categories
(Core :: Security, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 866522
People
(Reporter: j.zuckerman+mozilla, Unassigned)
Details
(Whiteboard: DUPEME)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2175.0 Safari/537.36
Steps to reproduce:
1. create a bookmarklet, e.g. "javascript:alert('bookmarklet');"
2. attempt to execute in a site which has a CSP and prevents "unsafe-inline" as a script-src, e.g. https://github.com/julianshapiro/velocity
Actual results:
Script is not executed, console shows "Content Security Policy: The page's settings blocked the loading of a resource: An attempt to execute inline scripts has been blocked"
Expected results:
I expected the script to execute, I could be wrong but it seems like a bookmarklet that the user purposefully put in their toolbar and clicked on should not be treated the same way as a "javascript:" href in the document.
There are tons of legit reasons to do this, for example the delicio.us or pocket bookmarklets.
Summary: Bookmarklet script incorrectly regarded as inline script during enforcement of Content Security Policy → Bookmarklet regarded as inline script during enforcement of Content Security Policy
|
||
Updated•10 years ago
|
Whiteboard: DUPEME
|
|
||
Comment 1•10 years ago
|
||
The basic issue, of course, is that the bookmarklet "feature" started out precisely as just navigation of the document to a javascript: URL, and that's all it's ever been...
+1 for a workaround. This is a negative user experience for experienced users. Our nemesis Chrome does not neuter bookmarklets!
|
||
Updated•9 years ago
|
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•