Why is bookmarklet script blocked? Webpage CSP seems ok

2
votes

I have a bookmarklet. When the user clicks the bookmarklet, it inserts a tiny snippet of code. This code inserts a script element, which in turn gets the actual script that does the work.

This works on most websites, but some websites block scripts via their content-security-policy. For example, they might have

content-security-policy: script-src 'self'

However, there are some websites where the script is blocked, but I can't see what policy is blocking it. One case is bbc.co.uk, for example https://www.bbc.co.uk/food/recipes/korean-style_mapo_tofu_50944

In the developer tools Network tab, it says that myscript.js is

blocked(csp)

However, I do not see the csp policy of this page like I do for other websites that block the script.

What is blocking the script request?

Here is the full bookmarklet code. myscript.js is replaced with a generic library so others can test.

javascript:(function(){var s=document.createElement('script');s.setAttribute('src','https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js?'+new Date().getTime());document.getElementsByTagName('body')[0].appendChild(s);})();

Prettier:

javascript:(function(){
    var s=document.createElement('script');
    s.setAttribute('src','https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js?'+new Date().getTime());
    document.getElementsByTagName('body')[0].appendChild(s);
})();

The date parameter is just to prevent the webpage using a cached version.

1
javascriptcontent-security-policybookmarklet

1 Answers

1
votes

bbc.co.uk publishes Content-Security-Policy in meta tag:

<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: http: https: 'unsafe-inline' 'unsafe-eval';
  frame-src edigitalsurvey.com chartbeat.com static2.chartbeat.com *.bbc.co.uk *.bbci.co.uk *.bbc.com *.bbci.com *.edigitalsurvey.com edigitalsurvey.com *.optimizely.com cdn-assets-prod.s3.amazonaws.com twitter.com *.twitter.com *.twimg.com riddle.com *.riddle.com;
  connect-src 'self' edigitalsurvey.com *.bbc.co.uk *.bbci.co.uk *.bbc.com *.bbci.com *.edigitalsurvey.com edigitalsurvey.com *.optimizely.com cdn-assets-prod.s3.amazonaws.com twitter.com *.twitter.com *.twimg.com;
  font-src 'self' *.bbc.co.uk *.bbci.co.uk *.bbc.com *.bbci.com *.edigitalsurvey.com edigitalsurvey.com *.optimizely.com cdn-assets-prod.s3.amazonaws.com twitter.com *.twitter.com *.twimg.com;
  form-action 'self' *.bbc.co.uk *.bbci.co.uk *.bbc.com *.bbci.com *.edigitalsurvey.com edigitalsurvey.com *.optimizely.com cdn-assets-prod.s3.amazonaws.com twitter.com *.twitter.com *.twimg.com;
  img-src 'self' app.optimizely.com cdn.optimizely.com data: https: http:;
  script-src 'self' static.chartbeat.com static2.chartbeat.com 'unsafe-inline' 'unsafe-eval' *.bbc.co.uk *.bbci.co.uk *.bbc.com *.bbci.com *.edigitalsurvey.com edigitalsurvey.com *.optimizely.com cdn-assets-prod.s3.amazonaws.com twitter.com *.twitter.com *.twimg.com optimizely.s3.amazonaws.com;
  style-src 'self' 'unsafe-inline' *.bbc.co.uk *.bbci.co.uk *.bbc.com *.bbci.com *.edigitalsurvey.com edigitalsurvey.com *.optimizely.com cdn-assets-prod.s3.amazonaws.com twitter.com *.twitter.com *.twimg.com" />

Unfortunately if web-page has own CSP, it will block bookmarklet script.