Are bookmarklets still a thing with CSPs?
xi opened this issue · 3 comments
Hi Kitty,
I just found out that you recommended my a11y-outline project in your A11yAdvent series. I really appreciate that!
However, you specifically referenced the bookmarklet version which I had honestly forgotten even existed. Bookmarklets were a very simple way to distribute code some years ago. However, nowadays almost all projects I am working on have a strict Content Security Policy (CSP) that blocks all inline JS-code -- and thereby also bookmarklets.
So now I am wondering -- should I spend the effort of updating the a11y-outline bookmarklet or should I instead recommend users to switch to the browser extension?
Hello Tobias!
Thank you very much for getting in touch, and thank you for the great work on a11y-outline of course! ✨ I’ve been using the bookmarklet version almost daily for years now, and have recommended it so many times to so many people. I’m going to be honest, I had no idea there was a browser extension for a11y-outline. 😅
One thing I’d mention is that back at N26 we had restricted browser extensions (they had to be approved by security), and having bookmarklets was significantly easier since they were not audited. So I would suggest this option remains, unless it’s too much of a hassle for you to maintain of course.
All that being said, I’m not opposed to updating the links to point out to the repository so people get to choose how they want to use it. :)
Edit: done. ☑️
Thanks for the quick answer! I restored the README section that links to the bookmarklet and updated the bookmarklet itself. I also added a paragraph that explains potential issues with the bookmarklet and CSPs.
I’ve been using the bookmarklet version almost daily for years now, and have recommended it so many times to so many people.
Now I feel flattered 😳
But I really wonder: On many websites (e.g. github) the CSS should fail to load. Did you never experience these issues? Or did you just not realize that this was unintended?
All that being said, I’m not opposed to updating the links to point out to the repository so people get to choose how they want to use it. :)
Yes, I think that would be the better option.
But I really wonder: On many websites (e.g. github) the CSS should fail to load. Did you never experience these issues? Or did you just not realize that this was unintended?
I’ve been mostly working on sites where I owned the whole infrastructure, including the CSP, so I never really faced that problem so much. I totally get it though, that makes a lot of sense why a browser extension is better suited for this.