Question

I have created a bookmarklet. When a user clicks it, it adds to the page a script element with a src. This src, which contains the actual code, then gets loaded and executed on the page. Standard bookmarklet stuff.

However, it has now stopped working on Facebook.com. The script element does get added to the body, but the src is never loaded. I checked the network tab and it doesn't even attempt to load it.

<script src="https://mysite/bookmarklet.js?1399316963279">
    Reload the page to get source for: https://mysite/bookmarklet.js?1399316963279
</script>

(Edit: I also get that reload message when the bookmarklet worked. So that's not directly to do with it.)

This issue only occurs with Facebook. The bookmarklet works on other pages, including https pages (Gmail). I've seen that other bookmarklets have this same issue on Facebook. I've tried in Firefox (and a bit in Chrome).

It used to work fine. Not sure when it stopped.

Any way around it?

EDIT: Now with the bookmarklet script.

javascript:(function(){var%20s=document.createElement('script'),p='';if(location.protocol%20===%20'https:'){p='s';}%20s.setAttribute('src','http'+p+'://mysite/bookmarklet.js?'+new%20Date().getTime());document.getElementsByTagName('body')[0].appendChild(s);})();

Solution

If you have a look at the headers sent from facebook.com you will see the following:

content-security-policy: default-src *;script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' https://*.akamaihd.net http://*.akamaihd.net *.atlassolutions.com chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl;style-src * 'unsafe-inline';connect-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.spotilocal.com:* https://*.akamaihd.net ws://*.facebook.com:* http://*.akamaihd.net https://fb.scanandcleanlocal.com:* *.atlassolutions.com http://attachment.fbsbx.com https://attachment.fbsbx.com;

They are whitelisting the domains that scripts can be loaded from, which is why yours is being blocked.
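As an added illustration (not code from the question or the answer), the check below applies the script-src directive quoted above to the bookmarklet's URL using a simplified CSP source-expression matcher. It assumes the page is served over https, trims the header to the directives relevant here, and ignores nonces, hashes and path matching.

```javascript
// default-src, script-src and style-src copied from the header quoted in the answer
// (connect-src trimmed); script-src is what governs a <script src="..."> element.
const CSP_HEADER = "default-src *;script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' https://*.akamaihd.net http://*.akamaihd.net *.atlassolutions.com chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl;style-src * 'unsafe-inline'";

// Split "directive-name source-expr ..." groups on ';' into a lookup table.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Does one host-source expression (e.g. "https://*.fbcdn.net", "*.facebook.net",
// "127.0.0.1:*") permit the URL? Simplified from the CSP matching rules.
function sourceMatches(expr, url, pageScheme) {
  if (expr === "*") return true;
  if (expr.startsWith("'")) return false; // keywords such as 'unsafe-inline' never match a URL
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\*|\d+))?(?:\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port] = m;
  const u = new URL(url);
  const urlScheme = u.protocol.slice(0, -1).toLowerCase();
  // A source without a scheme inherits the page's scheme; an http: source also admits https:.
  const base = (scheme || pageScheme).toLowerCase();
  if (urlScheme !== base && !(base === "http" && urlScheme === "https")) return false;
  const h = u.hostname.toLowerCase(), want = host.toLowerCase();
  // "*.example.com" matches subdomains only, never the apex host itself.
  if (want.startsWith("*.")) {
    if (!h.endsWith(want.slice(1))) return false;
  } else if (h !== want) return false;
  if (port === undefined) return u.port === ""; // no port in the source: default port only
  return port === "*" || port === u.port;
}

// script-src governs <script src>; if it is absent, default-src applies.
function isScriptAllowed(header, url, pageScheme = "https") {
  const d = parseCsp(header);
  const sources = d["script-src"] || d["default-src"] || [];
  return sources.some((expr) => sourceMatches(expr, url, pageScheme));
}

console.log(isScriptAllowed(CSP_HEADER, "https://mysite/bookmarklet.js?1399316963279")); // false
console.log(isScriptAllowed(CSP_HEADER, "https://static.xx.fbcdn.net/rsrc.php/v2/app.js")); // true
```

The default-src * entry does not rescue the bookmarklet: once a script-src directive is present, it alone decides which script sources are allowed.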

Licensed under: CC-BY-SA with attribution