
Support Forum

Bookmarklets don't work on https:// sites

I maintain a bookmarklet that people use as an aid with the site http://nbviewer.ipython.org. The bookmarklet simply looks at the user's current URL and then opens a new tab if the current URL parses to something that will work on nbviewer. As of Firefox 21 this bookmarklet doesn't work on https:// sites such as GitHub. It works on http:// sites and everything works fine in Chrome. Text of bookmarklet is at https://github.com/jiffyclub/open-in-nbviewer/blob/master/bookmarklet/nbviewer_bookmarklet.js. Is there anything I can do to get this working for people?

According to the Mozilla wiki bookmarklets should be unaffected by browser security settings: https://wiki.mozilla.org/Security/CSP/Specification#Non-Normative_Client-Side_Considerations.

Here's an example where the bookmarklet will work: http://iupr1.cs.uni-kl.de/~tmb/ncso/00-introduction.ipynb

And here's one where it won't: https://raw.github.com/jiffyclub/ipythonblocks/master/demos/Firework.ipynb

Modified by jiffyclub

Additional System Details

Application

  • User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.65 Safari/537.36

cor-el

That is because of the CSP header that GitHub is sending.
I noticed this a while back when I wanted to check the CSS file with a bookmarklet and it didn't work.

X-Content-Security-Policy: default-src *; script-src 'self' https://github.global.ssl.fastly.net https://jobs.github.com https://ssl.google-analytics.com https://collector.githubapp.com https://analytics.githubapp.com; style-src 'self' 'unsafe-inline' https://github.global.ssl.fastly.net; object-src 'self' https://github.global.ssl.fastly.net

  • https://developer.mozilla.org/en-US/docs/Security/CSP/Introducing_Content_Security_Policy
  • https://developer.mozilla.org/en/Security/CSP/Introducing_Content_Security_Policy

Running bookmarklets would require disabling this security feature (security.csp.enable).
Of course this is not recommended.
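
The policy quoted in the answer above can be checked mechanically. This added example (not from the thread, Mozilla or GitHub) parses it with standard CSP source-list rules and reports whether inline script and inline style are permitted. Applying the standard rules is an assumption, since Firefox's handling of the prefixed X-Content-Security-Policy header may differ, and the function names are illustrative.

```javascript
// Added example: standard CSP rules, not Firefox's own implementation.
// Header value copied from the answer above.
const GITHUB_POLICY =
  "default-src *; script-src 'self' https://github.global.ssl.fastly.net " +
  "https://jobs.github.com https://ssl.google-analytics.com " +
  "https://collector.githubapp.com https://analytics.githubapp.com; " +
  "style-src 'self' 'unsafe-inline' https://github.global.ssl.fastly.net; " +
  "object-src 'self' https://github.global.ssl.fastly.net";

// Split a policy string into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Name of the directive that governs `kind` ("script" or "style"),
// falling back to default-src when the specific one is absent.
function governingDirective(directives, kind) {
  const specific = kind + "-src";
  if (directives.has(specific)) return specific;
  return directives.has("default-src") ? "default-src" : null;
}

// Inline code is allowed when no directive governs it, or when the governing
// source list contains 'unsafe-inline'. A bare * matches URLs only and never
// enables inline code. From CSP Level 2 on, a nonce or hash in the same list
// makes browsers ignore 'unsafe-inline'.
function inlineAllowed(policy, kind) {
  const directives = parsePolicy(policy);
  const name = governingDirective(directives, kind);
  if (name === null) return { allowed: true, directive: null };
  const sources = directives.get(name).map((s) => s.toLowerCase());
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  const allowed = sources.includes("'unsafe-inline'") && !hasNonceOrHash;
  return { allowed, directive: name };
}

console.log("script:", inlineAllowed(GITHUB_POLICY, "script"));
console.log("style: ", inlineAllowed(GITHUB_POLICY, "style"));
```

For this header the script check reports that script-src governs and inline script is not allowed, while inline style is allowed through style-src.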

Question owner

According to https://wiki.mozilla.org/Security/CSP/Specification#Non-Normative_Client-Side_Considerations CSP should explicitly not interfere with the operation of bookmarklets. Does the fact that it does interfere mean there's a bug in Firefox?

The bookmarklet was working fine for Firefox users up until Firefox 21, and unless I'm wrong CSP is a bit older than that.

cor-el

Chosen Solution

You can vote for this bug to show your interest in getting this fixed.

  • bug 866522 - Bookmarklets affected by CSP: https://bugzilla.mozilla.org/show_bug.cgi?id=866522

Please DO NOT comment in bug reports: https://bugzilla.mozilla.org/page.cgi?id=etiquette.html

Question owner

Great, thanks!