Allow bookmarklets to run even when the CSP on the page would normally block javascript: execution

NEW
P3
normal
7 months ago
5 days ago

People

(Reporter: bzbarsky, Assigned: bzbarsky, NeedInfo)

Tracking

(Depends on: 1 bug, Blocks: 1 bug, {DevAdvocacy})

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

This is a more restricted version of bug 866522.  This is just about allowing the bookmarklet to run.  If that bookmarklet tries to load subresources they would still be subject to CSP.
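The distinction drawn in the bug description above, as an added example that is not part of the bug report or of Firefox's code: a simplified JavaScript model in which the proposed bookmarklet exemption skips only the javascript: URL check, while subresource loads are still matched against the policy. The function names, the `exemptBookmarklets` flag, the policy and the origins are constructed for illustration.

```javascript
// Simplified model of the CSP decisions involved (illustrative, not Firefox code).
// Assumptions: one policy, no script-src-elem, no 'unsafe-hashes', no wildcard hosts.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources; // first occurrence wins
  }
  return policy;
}
// Effective source list: the directive itself, else default-src, else null (unrestricted).
function sourcesFor(policy, directive) {
  return policy[directive] ?? policy['default-src'] ?? null;
}

// javascript: URLs count as inline script, so they need 'unsafe-inline', which is
// ignored when a nonce, hash or 'strict-dynamic' is also present.
function allowsJavascriptUrl(policy, { bookmarklet = false, exemptBookmarklets = false } = {}) {
  if (bookmarklet && exemptBookmarklets) return true; // behaviour proposed in this bug
  const list = sourcesFor(policy, 'script-src');
  if (list === null) return true;
  const strict = list.some(s => /^'(nonce-|sha(256|384|512)-|strict-dynamic')/i.test(s));
  return !strict && list.some(s => s.toLowerCase() === "'unsafe-inline'");
}

// Subresource check, untouched by the exemption.
function allowsLoad(policy, directive, url, pageOrigin) {
  const list = sourcesFor(policy, directive);
  if (list === null) return true;
  const u = new URL(url);
  return list.some(s =>
    s === '*' ||
    (s.toLowerCase() === "'self'" && u.origin === pageOrigin) ||
    s.toLowerCase() === u.protocol ||   // scheme-source such as https:
    s.toLowerCase() === u.origin);      // exact origin such as https://cdn.example
}
// Constructed policy and origins for the demonstration.
const PAGE = 'https://site.example';
const DEMO_POLICY = parseCsp("default-src 'self'; img-src 'self' https://cdn.example");
function demo() {
  return {
    current: allowsJavascriptUrl(DEMO_POLICY, { bookmarklet: true }),
    proposed: allowsJavascriptUrl(DEMO_POLICY, { bookmarklet: true, exemptBookmarklets: true }),
    thirdPartyImage: allowsLoad(DEMO_POLICY, 'img-src', 'https://tracker.example/p.gif', PAGE),
    allowedImage: allowsLoad(DEMO_POLICY, 'img-src', 'https://cdn.example/a.png', PAGE),
  };
}
console.log(demo());
```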
(Assignee)

Updated

7 months ago
Assignee: nobody → bzbarsky
Comment hidden (offtopic)
Keywords: DevAdvocacy
Created attachment 8994626 [details] [diff] [review]
Work in progress

Updated

7 months ago
Priority: -- → P3
(Assignee)

Updated

5 months ago
Flags: needinfo?(bzbarsky)

Comment 3

3 months ago
Is there any estimate of the future Firefox version in which this will probably be fixed?

Not yet.  I keep being pulled into dealing with higher-priority things.

Comment 5

3 months ago
This issue is exacerbated by the recent addition of CSP to Firefox-internal pages, especially network error pages in the case of archive.org/google cache/proxy bookmarklets.

Comment 6

3 months ago
Ah, so for clarity's sake, what you mean is that, in case a website cannot be reached and Firefox displays a network-error page, one cannot use a bookmarklet to go to the archived version of that page on e.g. the Internet Archive or Google Cache, nor can one use a bookmarklet to open the 'unreachable' page via a proxy site? That will probably affect quite a few users.

Comment 7

3 months ago
(In reply to swleefers from comment #6)
> Ah, so for clarity's sake, what you mean is that, in case a website cannot
> be reached and Firefox displays a network-error page, one cannot use a
> bookmarklet to go to the archived version of that page on e.g. the Internet
> Archive or Google Cache, nor can one use a bookmarklet to open the
> 'unreachable' page via a proxy site? That will probably affect quite a few
> users.

That's correct.
Comment hidden (advocacy)

Bill, as you might have noticed, I started working on this before I got pulled off to deal with various emergencies.

Now you could try to take that patch and work on fixing the resulting test failures.  Or you could try to not add noise to this bug that will make it harder on reviewers in the future.  But ranting about how no one plans to work on this when I have clearly done just that is a bit odd.

Comment 10

3 months ago
For what it's worth (and at the risk of creating extra noise), I wish to thank Boris for looking into this issue. Please don't feel pressured. I personally am thankful that I get to use an excellent browser for FREE that so many people continue to work on! Keep up the good work.

Tigt, thanks for confirming.
(Assignee)

Updated

3 months ago
Depends on: 965637
Flags: needinfo?(bzbarsky)
(Assignee)

Updated

3 months ago
Flags: needinfo?(bzbarsky)

Comment 11

2 months ago
I have several bookmarklets that are like these:

javascript:location.href='http://chart.apis.google.com/chart?cht=qr&chs=300x250&chl='+encodeURIComponent(location.href);void(0)

javascript:window.open(location.href,'_blank',"width=640,height=360,location=no,menubar=no,resizable=yes,scrollbars=no,status=no,titlebar=no,toolbar=no");void(0)

And some longish scripts that I just pasted into the bookmark as a javascript: URL. No external resources loaded. Now I have to open the developer console, open the script in a text editor, copy -> paste, close developer console.

Just for that, fixing this bug would be a godsend! :)