Bookmarklets not working on CSP sites

pmBill

Bookmarklets not working on CSP sites

Post by pmBill » 2017-12-07, 18:30

This is my latest comment on Bugzilla Bug 866522:

Although I couldn't verify that what Memmie Lenglet said, "> Policy enforced on a resource SHOULD NOT interfere with the operation of user-agent features like addons, extensions, or bookmarklets. These kinds of features generally advance the user’s priority over page authors, as espoused in [HTML-DESIGN].", is supposed to be the "final" decision, and what browsers are supposed to do, ideally (from "should" to "may" to "should not"), I think it will most likely be a cold day in hell before it is implemented in Firefox (and most 'popular' browsers).

And, since I now use Pale Moon, an "older-style" Firefox branch, it will almost definitely not be implemented there.

I think CSP should be put on the back burner and not implemented until they fix this grievous error and extreme bug. THAT would get the problem solved "quickly". The "team" working on CSP should be required to do this or stop working on CSP.

So the only true chance is to make it some form of an add-on extension, but that doesn't interest me if I can't use my "Bookmarklet Toolbar" (bookmark toolbar) to choose and execute my bookmarklets. Some kind of a 'clunky' drop-down list is not an answer. And with the add-on extension situation in an "uproar", I doubt if anyone will try to solve the problem that way any time soon. (other than what Memmie Lenglet did above, which will probably not work in Pale Moon anyway)

So I just try to avoid CSP websites, and if I "have" to use them, I just don't use bookmarklets on them.
It's truly unfortunate that user power and control is being curtailed and taken away from us like this.
It's like when "website owners" freaked out about Greasemonkey, and tried to stop it from working on their websites, because they are the ones who wanted "ultimate power and control" over the people who visited their website. (that thinking finally died off)

If any decent browser implements the policy the way it probably SHOULD be implemented, I will probably switch to use them.
Until then, and for the foreseeable future, we will just have to "tough it out".

There is the possibility, like I've asked the Pale Moon designers and coders to do, to allow us to "turn off JS CSP" without turning off all of CSP, but they took a negative viewpoint on that for some reason. (they did use the "may" argument to justify their stance, which is invalid now?) Imo, until it is finally corrected, I think that would be the best action to take. But it will probably not occur, either.

https://bugzilla.mozilla.org/show_bug.cgi?id=866522#c90

Admin
Site Admin
Posts: 405
Joined: 2012-05-17, 19:06

Re: Bookmarklets not working on CSP sites

Post by Admin » 2017-12-07, 19:40

(butting in here from a server admin perspective)
Not sure what you're wanting to discuss here. One of the major drivers behind CSP and making it an effective measure is the practice of externalizing scripts and putting them on specifically white-listed resources, so inline JS can be forbidden. This was extended later on with hashing/nonces for scripts that should still be in-line, but even that isn't failsafe.

If you want to allow inline scripts always, then you're effectively negating one of the biggest reasons for CSP to exist: the prevention of execution of injected scripting. Even with strict CSP adherence, if your CSP includes "unsafe-inline" you're opening yourself up to most reflected XSS attacks, data leaks, and similar issues with allowing unchecked and untrusted scripting running on a page.
Asking for an "unsafe-inline" override to make bookmarklets work would lower the safety of the protected websites to a level similar to not having any CSP at all, so you may as well completely switch it off in that case. That's already an option, and the user has full control in Pale Moon whether they want to have CSP enabled or not (which the spec explicitly allows us to do, so it's not a violation), so I don't see how there's any reasonable demand for any sort of investment to implement something like this when the end result is pretty much the same as what is already an available option.

If you think there's a significant security difference between "CSP without inline script restrictions" and "no CSP", then you may want to read up on the impact of the various CSP directives.
Did you know that moral outrage triggers the pleasure centers of the brain? It's unlikely you can actually get addicted to outrage, but there is plausible evidence that you can become strongly predisposed to it.
Source: https://www.bbc.co.uk/programmes/p002w557/episodes/downloads - "The cooperative species" and "Behaving better online"
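To make the trade-off in the exchange above concrete, here is an added example (not code from the thread, not Pale Moon or Mozilla code) in Python: a small evaluator that parses a Content-Security-Policy header and decides whether an inline script (a bookmarklet runs as inline script in the page, which is what Bug 866522 is about) would be permitted under it. The header strings and the script bodies are constructed sample values. It implements the spec rule Admin alludes to: 'unsafe-inline' permits any inline script, but once the policy carries a nonce- or hash-source, CSP Level 2 user agents ignore 'unsafe-inline', so a site that externalises its scripts and uses nonces or hashes gains nothing for bookmarklets by adding 'unsafe-inline', and a site that relies on 'unsafe-inline' alone has given up the injected-script protection that is the point of the directive.

```python
import base64
import hashlib
import re

HASH_ALGOS = ("sha256", "sha384", "sha512")


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive-name: [source expressions]}.

    Directives are ';'-separated; the first token is the name, the rest
    are source expressions. Names are case-insensitive, so they are lowered.
    """
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def script_hash(script_source: str, algo: str = "sha256") -> str:
    """Return the CSP hash-source token ('sha256-<base64>') for an inline script body."""
    if algo not in HASH_ALGOS:
        raise ValueError(f"unsupported CSP hash algorithm: {algo}")
    digest = hashlib.new(algo, script_source.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def inline_script_allowed(header: str, script_source: str, nonce: str = None):
    """Decide whether an inline script would run under the given policy.

    Returns (allowed, reason). 'nonce' is the nonce attribute the script
    element carries, if any; a bookmarklet has none.
    """
    policy = parse_csp(header)
    # script-src governs scripts; default-src is the fallback when it is absent.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True, "no script-src or default-src: inline scripts are unrestricted"

    # Nonce/hash presence disables 'unsafe-inline' for CSP Level 2 user agents.
    has_nonce_or_hash = any(
        re.match(r"'(nonce-|sha(256|384|512)-)", s, re.IGNORECASE) for s in sources
    )
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True, "script nonce matches a nonce-source"
    for algo in HASH_ALGOS:
        if script_hash(script_source, algo) in sources:
            return True, f"script body matches a {algo} hash-source"
    if "'unsafe-inline'" in (s.lower() for s in sources) and not has_nonce_or_hash:
        return True, "'unsafe-inline' present and no nonce/hash in policy"
    if has_nonce_or_hash:
        return False, "policy uses nonces/hashes; 'unsafe-inline' (if any) is ignored"
    return False, "inline scripts not permitted by script-src"


# Constructed sample policies and a constructed bookmarklet body.
BOOKMARKLET = "document.body.style.background='yellow'"
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline'"
NONCE_POLICY = "default-src 'self'; script-src 'self' 'nonce-d2h5bm90'"
# Adding 'unsafe-inline' to a nonce policy does not help: it is ignored.
MIXED_POLICY = "script-src 'self' 'unsafe-inline' 'nonce-d2h5bm90'"


def demo():
    """Evaluate the constructed bookmarklet against each sample policy."""
    results = {}
    for name, header in (("weak", WEAK_POLICY), ("nonce", NONCE_POLICY), ("mixed", MIXED_POLICY)):
        allowed, reason = inline_script_allowed(header, BOOKMARKLET)
        results[name] = allowed
        print(f"{name:6s} allowed={allowed!s:5s} {reason}")
    return results


if __name__ == "__main__":
    demo()
```

Running the module prints one line per policy; the weak policy allows the bookmarklet (and every other injected inline script), the nonce policy and the mixed policy both block it. A page author who wants a specific inline block to run under a hash policy lists `script_hash(body)` in `script-src`; the same mechanism cannot cover user bookmarklets, because their bodies and nonces are unknown to the site.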
