bullshit.js
Doesn't work on Github due to "Content Security Policy"
The bookmarklet does not work on Github, and possibly other sites with CSP policies.
On a customized Firefox 69.0.3 install, I get `Content Security Policy: The page’s settings blocked the loading of a resource at https://unpkg.com/@mourner/[email protected]/bullshit.js (“script-src”).`
On a vanilla Chrome 77.0.3865.90 install, I get `Refused to load the script 'https://unpkg.com/@mourner/[email protected]/bullshit.js' because it violates the following Content Security Policy directive: "script-src github.githubassets.com". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.`
Windows 10 x64.
I'm not sure if there's a way around this. Can we modify the CSP dynamically in the bookmarklet, or would that be a bad thing to do security-wise?
> Can we modify the CSP dynamically in the bookmarklet
You can't change CSP using JavaScript in a bookmarklet: the only ways to set CSP are using an HTTP header or a `<meta>` element; once set it can't be changed.
You can:
- Make a CSP friendly bookmarklet containing the entire `bullshit.js` code.
- Make an extension: those can bypass webpages' content security policies.
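An added example, not part of the thread or the project's code: a simplified check of whether a `<script src>` load passes a page's CSP, following the `script-src-elem` → `script-src` → `default-src` fallback that the Chrome message above mentions. The function names are hypothetical, and the matching assumes an https page and ignores nonces, hashes, paths, ports and redirects.

```javascript
// Added example: simplified CSP check for <script src> loads.
// Not handled: nonces, hashes, 'strict-dynamic', paths, ports, redirects.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Fallback chain for script elements: script-src-elem, script-src, default-src.
function effectiveScriptDirective(directives) {
  return ["script-src-elem", "script-src", "default-src"]
    .find((name) => directives.has(name)) || null;
}

// Match one source expression against a URL (assumption: page served over https).
function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === pageOrigin;
  if (s === "*") return ["http:", "https:"].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme-source
  if (s.startsWith("'")) return false; // other keywords never match a URL
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/);
  if (!m) return false;
  const [, scheme, host] = m;
  const wanted = scheme || "https"; // scheme-less source on an https page
  const got = url.protocol.slice(0, -1);
  if (got !== wanted && !(wanted === "http" && got === "https")) return false;
  return host.startsWith("*.")
    ? url.hostname.endsWith(host.slice(1)) // "*.a.com" matches subdomains only
    : url.hostname === host;
}

// Decide whether the policy lets the page load scriptUrl as a script element.
function checkScriptLoad(policy, scriptUrl, pageOrigin) {
  const directives = parseCsp(policy);
  const directive = effectiveScriptDirective(directives);
  if (directive === null) return { allowed: true, directive }; // no restriction
  const url = new URL(scriptUrl);
  const allowed = directives.get(directive)
    .some((src) => sourceMatches(src, url, pageOrigin));
  return { allowed, directive };
}
```

With the directive quoted in the Chrome error, `checkScriptLoad("script-src github.githubassets.com", "https://unpkg.com/example/script.js", "https://github.com")` (a constructed URL) reports the load as blocked by `script-src`.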
I used DevTools Local Overrides (https://developers.google.com/web/updates/2018/01/devtools#overrides) to work around this issue for `AudioContext.audioWorklet.addModule(url)` (https://github.com/WebAudio/web-audio-api-v2/issues/109).