WebExtension allow to execute bookmarklets as privileged scripts
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.


Firefox capture of Bookmarklets context menu: Context menu opened with a folder and a bookmarklet "Copy page as Markdown link"

This extension is available for Firefox (via AMO)

Why use Bookmarklets context menu

Current browsers' implementations of bookmarklets are broken: bookmarklet are executed as author's script, but should be executed as user's scripts (with higher pivileges).

To circumvent this restrictions, the extension Bookmarklets context menu create a context menu with all bookmarklets available from user's bookmarks and executed it on demand as content script. This allow access to a secured isolated environement, with higher privileges than author's scripts.

Note: Prior Firefox 58 (Intent to implement, 1406278), CSP still applied to subresources (like scripts, styles, medias, etc.). That means with a super strict CSP "none", you can't use any additional scripts, styles nor medias.

If you need to load a resource, create an iframe with an "unique origin" (allow-same-origin disabled) or with a data URI (Firefox 57+, see 1324406 - Treat 'data:' documents as unique, opaque origins):

// On a page with a strict CSP like `default-src 'self'`	
let iframe = document.createElement("iframe");
iframe.srcdoc = `<html><head><script src="https://code.jquery.com/jquery-latest.min.js"></script></head><body><script>$(document.body).text("Hello from jQuery")</script><img src="https://fr.wikipedia.org/static/images/project-logos/enwiki.png" alt="Wikipedia logo"></body></html></iframe>`;
iframe.sandbox = "allow-scripts";

If the page block the context menu, you can use the browser action of context menu:

Firefox capture of Bookmarklets context menu: Browser action highlighted

Why current browsers' implementations of bookmarklets are broken?

consider users over authors over implementors over specifiers over theoretical purity.

HTML Design Principles

With current implementation, bookmarklet usage is restricted because bookmarklets are not executed as privileged scripts, but as author's script. That means bookmarklet are subject to security measures like CSP and CORS which make it difficulte to use or impossible in some cases.

See also Wiki pages

Limitations of this extension

This doesn't fix broken implementations. It's just an alternative.

Permissions required by the extension

The following permissions are used by the extension:

  • bookmarks: read the bookmark tree to get all bookmarklets
  • contextMenus: create context menus based on bookmarklets founded in bookmarks
  • activeTab: execute bookmarklet script in the active tab
  • clipboardWrite and clipboardRead: allow to use document.execCommand('cut'/'copy'/'paste') in bookmarklets
  • storage: store some preferences like "flat context menu"
  • <all_urls>: allow bookmarklets to perform fetch() or XMLHttpRequest without crossdomain limitations

How to write a bookmarklet

It's not recommended to use external resources. But if you need external resources instead of load if with link, script or media tags (which are affected by CSP and CORS), use fetch() or XMLHttpRequest, and inject it with blob URI, data URI or inline (style and script tags). Always load it with HTTPS.

If the result of the bookmarklet is other than undefined (void 0), it will be used as HTML source of a new document opened in the same tab: javascript:"<span style='text-decoration:underline'>Underlined text</span>"

An example of a bookmarklet that copy the document's title (document.title):


An example of a bookmarklet that copy the page as Markdown link:


If you get the following error Bookmarklet error: SecurityError: The operation is insecure., that means you use document.write(potentiallyUnsafeHTML), when you should use wrappedJSObject.document.write(potentiallyUnsafeHTML) instead. It's related to content script (privilegied) context vs page context.

Note: It's impossible for the extension to catch asynchronous errors (in listener, setTimeout, etc.) even with a global error handler. You must use a try...catch block in your asynchronous functions. Alternatively you can use the add-ons debug mode about:debugging

If you need document.execCommand(), be sure there is no element in / iframe focused:

// execCommand will not been executed if a frame or an iframe is focused
	let focusable = document.createElement("span");
	focusable.tabIndex = -1;// focusable
	focusable.setAttribute("aria-hidden", "true");// will not be announced by AT
	focusable.style.position = "fixed";
	document.documentElement.appendChild(focusable);// don't use doc.body because in case of frame the body is the frameset and execCommand will not work
	focusable.focus();// force focus, but will not scroll into view, because it have fixed position
	focusable.remove();// remove focus, without force to scroll into view to an other element
let listener = event => {
	document.removeEventListener("copy", listener);// one time listener
	// Do whaterver you want. Exemple: in copy event, use event.clipboardData
document.addEventListener("copy", listener);
document.execCommand("copy");// will dispatch copy event

See also: