Bookmarklets are now working on Github.com

[ArthurHoaro]

I just noticed that bookmarklets seem to be working again on Github.com, while it was blocked before due to Content Security Policy (CSP) - see #196. It seems to work with both Firefox and Chrome. Can someone else confirm that?

I don't remember which website blocked it as well, so I'm not sure if Github changed something, or if it's due to CSP implementation in browsers.

In any case the documentation should be updated if it's really working: https://shaarli.readthedocs.io/en/master/Troubleshooting/#the-bookmarklet-doesnt-work

[nodiscc]

Can confirm the bookmarklet is working again for me on this very page. Strange.

The CSP header is

content-security-policy | default-src 'none'; base-uri 'self'; block-all-mixed-content; connect-src 'self' uploads.github.com www.githubstatus.com  collector.githubapp.com api.github.com github-cloud.s3.amazonaws.com  github-production-repository-file-5c1aeb.s3.amazonaws.com  github-production-upload-manifest-file-7fdce7.s3.amazonaws.com  github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events wss://alive.github.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com online…com;  frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src  'self' data: github.githubassets.com identicons.github.com  collector.githubapp.com github-cloud.s3.amazonaws.com secured-user-images.githubusercontent.com/ *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; worker-src github.com/socket-worker-3f088aa2.js gist.github.com/socket-worker-3f088aa2.js

If I remember correctly the bookmarklet used to require script-src 'unsafe-inline' to work, but the only script-src allowed here is github.githubassets.com... 🤔

Firefox ESR 78.9.0esr-1~deb10u1