Bookmarklets cannot be executed on sites with restrictive content security policies (CSP)

Open philc opened this issue 2 years ago • 3 comments

When opening bookmarklets (bookmarks with a javascript:// URL) via the Vomnibar, they will fail to run if the page has a restrictive CSP. The error is

Refused to execute inline script because it violates the following Content Security Policy directive

Examples of pages with restrictive CSPs: github.com, developer.mozilla.org.

This is a new limitation in Vimium v2.0 because we've moved to Manifest v3.

This is a known API limitation with Manifest V3 and the intention is to eventually resolve it. The design for a userscripts API is being tracked in the w3c extensions repo. As of 2023-10-11, it doesn't look like implementation has yet been started in Chrome.

philc avatar Oct 11 '23 20:10 philc
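
As an added illustration (not part of the original issue and not Vimium's code), the following code checks whether a given Content-Security-Policy header value would trigger the "Refused to execute inline script" error quoted above. It applies the CSP Level 3 rules for inline checks; the function names and the sample header values are constructed for this example.

```javascript
// Added example: decide whether a Content-Security-Policy header value lets
// inline script (and therefore a javascript: bookmarklet) run on a page.

// Parse one serialized policy into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Inline <script> and javascript: navigation are governed by script-src-elem,
// falling back to script-src, then default-src.
function inlineScriptDirective(directives) {
  for (const name of ['script-src-elem', 'script-src', 'default-src']) {
    if (directives.has(name)) return { name, sources: directives.get(name) };
  }
  return null; // no governing directive: this policy does not restrict scripts
}

// 'unsafe-inline' only counts when no nonce, hash or 'strict-dynamic' is present.
function sourceListAllowsInline(sources) {
  const list = sources.map((s) => s.toLowerCase());
  const overridden = list.some((s) =>
    /^'(nonce-|sha(256|384|512)-)/.test(s) || s === "'strict-dynamic'");
  return !overridden && list.includes("'unsafe-inline'");
}

// A header may carry several comma-separated policies; every one must allow.
function checkInlineScript(headerValue) {
  for (const policy of headerValue.split(',')) {
    const governing = inlineScriptDirective(parsePolicy(policy));
    if (governing && !sourceListAllowsInline(governing.sources)) {
      return { allowed: false, blockedBy: governing.name };
    }
  }
  return { allowed: true, blockedBy: null };
}

// Constructed sample header values (not copied from any real site).
const SAMPLES = ["default-src 'self'", "script-src 'self' 'unsafe-inline'",
  "script-src 'unsafe-inline' 'nonce-r4nd0m'"];
for (const h of SAMPLES) console.log(h, '->', checkInlineScript(h));
```
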

For some power users who want to maintain the ability to instantly search and execute bookmarklets in pages with CSP while using the latest (distributed on the Store) version of Vimium, I found a Chrome extension specialized in bookmarklets: Powerlet.

Note: The reason why this extension can execute bookmarklets in pages with CSP while Vimium can't is simply that it has not migrated to MV3, so don't regard it as a perfect solution.

@philc My apologies for promoting another extension here, I'll remove this comment immediately if you don't like it. I truly appreciate your hard work migrating to MV3, and hope the discussion and implementation of the UserScripts API progress nicely!

mkobayashime avatar Oct 20 '23 08:10 mkobayashime

FYI regarding:

> The design for a userscripts API is being tracked in the w3c extensions repo. As of 2023-10-11, it doesn't look like implementation has yet been started in Chrome.

That issue was updated on 2024-03-20 with this comment: https://github.com/w3c/webextensions/issues/279#issuecomment-2010596620 that mentions:

> This is implemented in Chrome.

rmacklin avatar Apr 03 '24 01:04 rmacklin

As far as I know, the new scripting API doesn't accept dynamic code - https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/scripting/executeScript says only JS files and functions in an extension package can be executed.

gdh1995 avatar May 19 '24 20:05 gdh1995