Can I add a Content-Security-Policy via JavaScript?

Question

I am trying to make a bookmarklet that loads external JavaScript on a site that runs HTTPS (this case Facebook). The browser refuses because it violates the Content Security Policy directive. I want to work around it by having JavaScript code in my bookmarklet that adds a Content Security Policy. Is that possible and if so, what is the code for it?

Answer 1

The short answer is no.

I think you fundamentally misunderstand Content Security Policy. A major objective of adding a policy to a page is to prevent people from doing exactly what you are trying to do. If someone could simply modify the policies to be less restrictive than the whole concept would be futile.

I imagine that what you are trying to do (modify a webpage) is better done through a browser extension of some sort (Google Chrome extension, Firefox Add-on, etc). Bookmarklets run in the context of the current page^{[citation needed]} and are thus constrained by what the page will allow. Browser extensions run in their own context and are not constrained by the policies of a page^{[citation needed]}.

Answer 2

No. There is no JS API to modify the CSP of the current page.