Skip to content

Why is bookmarklet script blocked? Webpage CSP seems ok

I have a bookmarklet. When the user clicks the bookmarklet, it inserts a tiny snippet of code. This code inserts a script element, which in turn gets the actual script that does the work.

This works on most websites, but some websites block scripts via their content-security-policy. For example, they might have

content-security-policy: script-src 'self'

However, there are some websites where the script is blocked, but I can’t see what policy is blocking it. One case is, for example

In the developer tools Network tab, it says that myscript.js is


However, I do not see the csp policy of this page like I do for other websites that block the script.

What is blocking the script request?

Here is the full bookmarklet code. myscript.js is replaced with a generic library so others can test.

javascript:(function(){var s=document.createElement(‘script’);s.setAttribute(‘src’,’’+new Date().getTime());document.getElementsByTagName(‘body’)[0].appendChild(s);})();


    var s=document.createElement('script');
    s.setAttribute('src',''+new Date().getTime());

The date parameter is just to prevent the webpage using a cached version.


Answer publishes Content-Security-Policy in meta tag:

<meta http-equiv="Content-Security-Policy" content="default-src 'self' data: http: https: 'unsafe-inline' 'unsafe-eval';
  frame-src * * * * * * * * *;
  connect-src 'self' * * * * * * * *;
  font-src 'self' * * * * * * * *;
  form-action 'self' * * * * * * * *;
  img-src 'self' data: https: http:;
  script-src 'self' 'unsafe-inline' 'unsafe-eval' * * * * * * * *;
  style-src 'self' 'unsafe-inline' * * * * * * * *" />

Unfortunately if web-page has own CSP, it will block bookmarklet script.

User contributions licensed under: CC BY-SA
8 People found this is helpful