Bookmarklet crashes hard with strict CSPs #3

Open
riking opened this issue Mar 10, 2019 · 1 comment

Comments

@riking

riking commented Mar 10, 2019

(ChromeOS 72.0.3626.122)

Running the bookmarklet as-is on a site with a strict CSP, such as https://mastodon.social/users/Teryl_Pacieco/statuses/101709566428499937, generates the following error:

Refused to load the script 'https://mkremins.github.io/blackout/bundle.js?431181' because it
violates the following Content Security Policy directive: "script-src 'self' https://THE.WEBSITE".
Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Trying to fetch() the source and add that, as the script itself doesn't load any new scripts:

Refused to connect to 'https://mkremins.github.io/blackout/bundle.js' because it violates the
following Content Security Policy directive: "connect-src 'self' blob: wss://THE.WEBSITE
https://THE.WEBSITE a.THE.WEBSITE".

So this is a pretty airtight CSP, and if there were a way to get around it from JS, browsers would fix the bug as soon as they found out.

Good news: chrome-extension:// bypasses CSP.
Bad news: Firefox doesn't use stable extension IDs, so the extension itself needs to inject the script (e.g. with a click action) instead of being able to use a bookmarklet.
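
The two refusals quoted above, reproduced by an added example that is not code from the blackout project or from either commenter: a simplified CSP evaluator in JavaScript that applies the directive fallback the first error message mentions (script-src-elem -> script-src -> default-src; connect-src -> default-src) and a subset of the CSP Level 3 source-matching rules ('self', scheme sources such as blob:, and host sources with optional scheme, "*." wildcard, port and path). The policy string is constructed from the directives quoted in the comment with the redacted host assumed to be mastodon.social; the function names are mine. Nonces, hashes, 'unsafe-inline', 'strict-dynamic' and redirect handling are deliberately out of scope.

```javascript
// Added example (not from the blackout project): a simplified CSP evaluator.
// Runs under Node, which provides the WHATWG URL class globally.

// Directive fallback chains: the first directive present in the policy governs.
const FALLBACK = {
  'script-src-elem': ['script-src-elem', 'script-src', 'default-src'],
  'script-src-attr': ['script-src-attr', 'script-src', 'default-src'],
  'connect-src': ['connect-src', 'default-src'],
};

// "name src src; name2 src" -> Map(name -> [src, ...]). The first occurrence of a
// directive wins; later duplicates are ignored, as browsers do.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// An expression scheme matches the URL scheme exactly, or via the http->https /
// ws->wss upgrade the spec permits.
function schemeMatches(exprScheme, urlProtocol) {
  return exprScheme === urlProtocol ||
    (exprScheme === 'http:' && urlProtocol === 'https:') ||
    (exprScheme === 'ws:' && urlProtocol === 'wss:');
}

// [scheme://]host[:port][/path]; host may be "*" or start with "*.".
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(\/\S*)?$/i;

function hostSourceMatches(expr, url, pageOrigin) {
  const m = HOST_SOURCE.exec(expr);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  // No scheme-part: the page's own scheme is assumed.
  if (!schemeMatches(scheme ? `${scheme.toLowerCase()}:` : pageOrigin.protocol, url.protocol)) return false;
  const h = host.toLowerCase(), urlHost = url.hostname.toLowerCase();
  if (h.startsWith('*.')) { if (!urlHost.endsWith(h.slice(1))) return false; }
  else if (h !== '*' && h !== urlHost) return false;
  // No port-part: only the scheme's default port matches (WHATWG URL reports it as '').
  if (port === undefined) { if (url.port !== '') return false; }
  else if (port !== '*' && port !== (url.port || DEFAULT_PORT[url.protocol])) return false;
  // Path-part: a trailing "/" means prefix match, otherwise the path must be exact.
  if (path) return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
  return true;
}

function sourceListAllows(sources, url, pageOrigin) {
  for (const src of sources) {
    const s = src.toLowerCase();
    // 'self' simplified to an exact origin comparison.
    if (s === "'self'") { if (url.origin === pageOrigin.origin) return true; continue; }
    if (s.startsWith("'")) continue; // 'none', 'unsafe-inline', nonces, hashes: never match a URL
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) { if (schemeMatches(s, url.protocol)) return true; continue; }
    if (hostSourceMatches(src, url, pageOrigin)) return true;
  }
  return false;
}

// Returns which directive governed the load and whether it allowed the URL.
function checkLoad(policyHeader, directive, urlString, pageUrl) {
  const policy = parsePolicy(policyHeader);
  const url = new URL(urlString), pageOrigin = new URL(pageUrl);
  for (const name of FALLBACK[directive] || [directive, 'default-src']) {
    if (policy.has(name)) {
      const sources = policy.get(name);
      return { allowed: sourceListAllows(sources, url, pageOrigin), directive: name, sources };
    }
  }
  return { allowed: true, directive: null, sources: [] }; // no governing directive: unrestricted
}

// Constructed from the directives quoted in the comment; the redacted host is
// assumed to be mastodon.social (an assumption, not a captured header).
const PAGE = 'https://mastodon.social/users/Teryl_Pacieco/statuses/101709566428499937';
const POLICY = "script-src 'self' https://mastodon.social; " +
  "connect-src 'self' blob: wss://mastodon.social https://mastodon.social";

function report(directive, urlString) {
  const r = checkLoad(POLICY, directive, urlString, PAGE);
  return r.allowed
    ? `allowed: ${urlString} (${r.directive})`
    : `Refused: '${urlString}' violates "${r.directive} ${r.sources.join(' ')}"`;
}

console.log(report('script-src-elem', 'https://mkremins.github.io/blackout/bundle.js?431181'));
console.log(report('connect-src', 'https://mkremins.github.io/blackout/bundle.js'));
console.log(report('connect-src', 'wss://mastodon.social/api/v1/streaming'));
```

Both bundle.js loads fail for the same underlying reason: neither script-src nor connect-src lists any host other than the page's own, and a bookmarklet runs with the page's policy, so there is no source expression for a `<script src>` or a `fetch()` to satisfy. The evaluator also makes the fallback visible: the script element is judged by script-src only because script-src-elem is absent, which is exactly what the browser's message says.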

@mkremins
Owner

Thanks for letting me know! I've been leaning toward deploying future versions primarily as browser extensions (with the payload script included in the extension rather than loaded remotely from a URL I control), and this will probably push me further in that direction.

During development, I briefly investigated the possibility of just cramming all the JS directly into the bookmarklet itself, instead of loading and injecting it from elsewhere. Unfortunately, it turns out that most browsers still seem to place a de facto cap on the length of URLs (bookmarklets included) at around 2000 characters, which is infeasibly small for our purposes here.
