How to inject script into a page using bookmarklet if the Content Security Policy is enabled on the server?

Question

I have a bookmarklet which uses jQuery and parses some elements on the page. To use jQuery, i am creating a script tag(with src as the jQuery URL) dynamically and appending to the head tag. This works well for many sites. But, there are few sites like Facebook, for which the bookmarklet is not able to inject the external JS file into the dom.I came to know that this behaviour is because of the response header "Content Security Policy" which prohibits the inclusion of scripts from any other unauthorized domain. This is to prohibit XSS atacks.

I have a genuine case to insert an external JS file into the DOM. Is there any workaround to by pass the Content Security Policy?

Answer 1

The spec says (at least I think it still does) that CSP should not prevent bookmarklets, but no browser has implemented this. Your only option is to disable CSP in the browser or use an extension.

Answer 2

Self-contained bookmarklets are another possibility. Here's jQuery 3.3.1.

Answer 3

Take

javascript:(function(){

})();

And fill the empty line with the jQuery source code, for example the contents of https://code.jquery.com/jquery-3.4.1.min.js . Afterward set it as URL of your bookmark(let).