CSP is breaking bookmarklet #1

Closed
joshuatz opened this issue Jul 22, 2019 · 0 comments · Fixed by #2
@joshuatz
Owner

Looks like LinkedIn just implemented CSP (was not there before):

VM10064:1 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'report-sample' 'sha256-6gLjSWp3GRKZCUFvRX5aGHtECD1wVRgJOJp7r0ZQjV0=' 'unsafe-inline' static.licdn.com s.c.lnkd.licdn.com static-fstl.licdn.com static-src.linkedin.com https://www.linkedin.com/voyager/service-worker-push.js https://platform.linkedin.com/js/analytics.js static-exp1.licdn.com static-exp2.licdn.com s.c.exp1.licdn.com s.c.exp2.licdn.com static-lcdn.licdn.com s.c.lcdn.licdn.com https://www.linkedin.com/sc/ https://www.linkedin.com/scds/ https://qprod.www.linkedin.com/sc/ https://www.linkedin.com/sw.js https://www.linkedin.com/voyager/abp-detection.js https://platform.linkedin.com/litms/utag/ https://platform.linkedin.com/litms/vendor/".

Even though the bookmarklet does not use "eval" and is not an inline script, it looks like browsers treat it as such. See this SO question and this issue for details.

This CSP also blocks all injected CSS, which I was using to style the popup modal.

Short term fix:

Copy and paste main.js into the console, and hit enter to run. The "success modal" won't display, due to the inline CSS getting blocked by CSP, but you should be able to manually copy and paste the JSON export after plugging this into the console:

JSON.stringify(linkedinToResumeJsonConverter.getJSON(),null,4)

Options for moving forward

Unfortunately, this is not something I can work around, as far as a bookmarklet goes. This CSP will block any bookmarklet, period. And you can't simply inject a new meta tag, since the header will override the meta tag if it is more restrictive (details).

The only way forward that I see is to migrate this to an entirely different form, such as a chrome extension. I avoided doing this previously, when I first started building this, since I don't like the level of permissions that extensions require and the associated privacy issues. Technically speaking though, it might not take that much work to wrap the code I have already written into a Chrome Extension. Or maybe as a command line utility or something like that.
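
As an added example (not code from this issue or from the repository), here is a small Content-Security-Policy evaluator that illustrates the two points made above: a `script-src` list like the one quoted blocks both string evaluation and inline script (a `javascript:` bookmarklet is treated as inline), and stacking a second policy from a `<meta>` tag can only tighten the result, never loosen it, because a script must be permitted by every policy in force. The sample policies are constructed: `HEADER_POLICY` is the LinkedIn directive quoted above trimmed to a few sources, and `META_POLICY` is the most permissive policy a page script could try to inject. Host matching is a simplified version of the spec's rules, enough for the sample sources.

```javascript
// Added example for this issue (not code from the issue or the repository):
// a small Content-Security-Policy evaluator that shows why a bookmarklet is
// blocked by a script-src list like LinkedIn's, and why injecting a <meta>
// policy cannot loosen a header policy. Sample policies are constructed.

// Parse a CSP string into { directiveName: [sourceTokens] }.
// The first occurrence of a directive wins; later duplicates are ignored (as in the spec).
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// The list that governs script execution: script-src, else default-src, else null (unrestricted).
function scriptSources(directives) {
  return directives['script-src'] || directives['default-src'] || null;
}

// Split a host-source expression such as "static.licdn.com", "*.licdn.com" or
// "https://www.linkedin.com/sc/" into scheme, host and path. A port is accepted but ignored.
function parseHostSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(?:\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return null;
  return { scheme: m[1] ? m[1].toLowerCase() + ':' : null, host: m[2].toLowerCase(), path: m[3] || '' };
}

// Simplified CSP host matching: the scheme must match if the expression names one,
// "*" matches any host, "*.example.com" matches subdomains, and a path ending in
// "/" is a prefix match while any other path must match exactly.
function hostSourceMatches(expr, scriptUrl) {
  const src = parseHostSource(expr);
  if (!src) return false;
  const target = new URL(scriptUrl);
  if (src.scheme && src.scheme !== target.protocol) return false;
  let hostOk;
  if (src.host === '*') hostOk = true;
  else if (src.host.startsWith('*.')) hostOk = target.hostname.endsWith(src.host.slice(1));
  else hostOk = target.hostname === src.host;
  if (!hostOk) return false;
  if (src.path === '') return true;
  return src.path.endsWith('/') ? target.pathname.startsWith(src.path) : target.pathname === src.path;
}

// Evaluate one policy against the three things a bookmarklet relies on.
// A javascript: URL run from the bookmarks bar is treated by browsers as inline
// script, so it needs inlineAllowed; code that builds script from strings needs evalAllowed.
function evaluateScriptPolicy(policy, scriptUrl) {
  const sources = scriptSources(parseCsp(policy));
  if (sources === null) {
    return { unrestricted: true, evalAllowed: true, inlineAllowed: true, scriptUrlAllowed: true };
  }
  const keywords = sources.filter(s => s.startsWith("'")).map(s => s.toLowerCase());
  // In CSP Level 2+ browsers a nonce or hash in the list causes 'unsafe-inline' to be ignored.
  const hasNonceOrHash = keywords.some(s => /^'(nonce-|sha256-|sha384-|sha512-)/.test(s));
  return {
    unrestricted: false,
    evalAllowed: keywords.includes("'unsafe-eval'"),
    inlineAllowed: keywords.includes("'unsafe-inline'") && !hasNonceOrHash,
    scriptUrlAllowed: sources.some(s => !s.startsWith("'") && hostSourceMatches(s, scriptUrl)),
  };
}

// With several policies in force (an HTTP header plus an injected <meta> tag, say),
// a script runs only if every policy allows it. Adding a policy can therefore only
// tighten the outcome, which is why a bookmarklet cannot loosen a header CSP.
function allowedUnderAll(policies, key, scriptUrl) {
  return policies.every(p => evaluateScriptPolicy(p, scriptUrl)[key] === true);
}

// Constructed sample: the LinkedIn script-src quoted in the issue, trimmed to a few sources.
const HEADER_POLICY =
  "script-src 'report-sample' 'sha256-6gLjSWp3GRKZCUFvRX5aGHtECD1wVRgJOJp7r0ZQjV0=' 'unsafe-inline' " +
  "static.licdn.com https://www.linkedin.com/sc/; style-src 'self' static.licdn.com";
// Constructed sample: the most permissive <meta> policy a page script could inject.
const META_POLICY = "script-src 'unsafe-eval' 'unsafe-inline' *";

const report = evaluateScriptPolicy(HEADER_POLICY, 'https://static.licdn.com/app.js');
console.log('header alone:', report);
console.log('eval under header + meta:',
  allowedUnderAll([HEADER_POLICY, META_POLICY], 'evalAllowed', 'https://static.licdn.com/app.js'));
```

Running it against the trimmed header policy reports `evalAllowed: false` and `inlineAllowed: false` (the hash in the list neutralises `'unsafe-inline'`), while the permissive `META_POLICY` on its own allows everything; combined, the header still wins, matching the behaviour described in the issue.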
