Does Content Security Policy block bookmarklets?

予麋鹿 2020-12-31 01:30

Does Mozilla's CSP block the execution of JavaScript from a bookmark by default?

Can it be configured to do so?

4 answers
  •  梦谈多话
    2020-12-31 02:04

    Yes, the CSP blocks bookmarklets in Mozilla Firefox. There is a bug about it.

    However, you can get around this restriction by injecting the JS code into an external CSS stylesheet, like my Top News Feed bookmarklet does:

    External CSS:

    #topnewsfeed { font-family: '(function(){/*payload*/})()'; }
    

    Bookmarklet JS:

    (function() {
        var a = document.createElement("link");
        a.rel = "stylesheet";
        a.href = "//niutech.github.io/topnewsfeed/topnewsfeed.css";
        a.onload = function() {
            var a = b.currentStyle ? b.currentStyle.fontFamily : document.defaultView.getComputedStyle(b, null).fontFamily;
            eval(a.replace(/^["']|\\|["']$/g, ""));
        };
        document.body.appendChild(a);
        var b = document.createElement("div");
        b.id = "topnewsfeed";
        document.body.appendChild(b);
    })()
    

    The bookmarklet loads a CSS file containing JS code, adds an element styled by this CSS, reads the element's style attribute and evals the code.
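
A policy-side check for the technique in the answer above, as an added example that is not part of the original answer: it reports whether a given CSP header would let the third-party stylesheet load and let the `eval` call run. The function names, the sample policies and the `https:` scheme on the stylesheet URL are assumptions, and source matching is simplified (no ports, paths, nonces or hashes).

```javascript
// Added example: simplified CSP evaluation, not a full CSP Level 3 matcher.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (key && !policy.has(key)) policy.set(key, values);
  }
  return policy;
}

// Source list of the first directive present in the fallback chain, else null.
function effective(policy, chain) {
  for (const name of chain) if (policy.has(name)) return policy.get(name);
  return null; // nothing governs this resource type, so it is unrestricted
}

// Simplified match: '*', a bare scheme, an exact host, or a '*.host' wildcard.
function hostAllowed(sources, url) {
  const { protocol, hostname } = new URL(url);
  return sources.some((raw) => {
    const s = raw.toLowerCase();
    if (s === "*") return protocol === "https:" || protocol === "http:";
    if (s === protocol) return true; // e.g. "https:"
    if (s.startsWith("'")) return false; // 'self', 'none', nonces, hashes
    const host = s.replace(/^[a-z][a-z0-9+.-]*:\/\//, "").replace(/[:\/].*$/, "");
    return host.startsWith("*.") ? hostname.endsWith(host.slice(1)) : hostname === host;
  });
}

// Would the two steps the answer relies on be allowed under this policy?
function assessTechnique(header, cssUrl) {
  const policy = parseCsp(header);
  const style = effective(policy, ["style-src-elem", "style-src", "default-src"]);
  const script = effective(policy, ["script-src", "default-src"]);
  const stylesheetLoads = style === null || hostAllowed(style, cssUrl);
  const evalRuns = script === null || script.some((s) => s.toLowerCase() === "'unsafe-eval'");
  return { stylesheetLoads, evalRuns, blocked: !(stylesheetLoads && evalRuns) };
}

// Constructed sample policies; the https: scheme on the URL is an assumption.
const CSS_URL = "https://niutech.github.io/topnewsfeed/topnewsfeed.css";
for (const csp of ["default-src 'self'", "script-src 'self'; style-src *",
  "script-src 'self' 'unsafe-eval'; style-src https://*.github.io"]) {
  console.log(csp, "=>", assessTechnique(csp, CSS_URL));
}
```

A policy whose `script-src` (or `default-src`) omits `'unsafe-eval'` stops the `eval` step even when `style-src` admits the stylesheet host.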
