问题
I have a bookmarklet which uses jQuery and parses some elements on the page. To use jQuery, i am creating a script tag(with src as the jQuery URL) dynamically and appending to the head tag. This works well for many sites. But, there are few sites like Facebook, for which the bookmarklet is not able to inject the external JS file into the dom.I came to know that this behaviour is because of the response header "Content Security Policy" which prohibits the inclusion of scripts from any other unauthorized domain. This is to prohibit XSS atacks.
I have a genuine case to insert an external JS file into the DOM. Is there any workaround to by pass the Content Security Policy?
回答1:
The spec says (at least I think it still does) that CSP should not prevent bookmarklets, but no browser has implemented this. Your only option is to disable CSP in the browser or use an extension.
回答2:
Self-contained bookmarklets are another possibility. Here's jQuery 3.3.1.
回答3:
Take
javascript:(function(){
})();
And fill the empty line with the jQuery source code, for example the contents of https://code.jquery.com/jquery-3.4.1.min.js .
Afterward set it as URL of your bookmark(let).
来源:https://stackoverflow.com/questions/23109901/how-to-inject-script-into-a-page-using-bookmarklet-if-the-content-security-polic