CSP is breaking bookmarklet
joshuatz opened this issue · 0 comments
Looks like LinkedIn just implemented CSP (was not there before):
VM10064:1 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'report-sample' 'sha256-6gLjSWp3GRKZCUFvRX5aGHtECD1wVRgJOJp7r0ZQjV0=' 'unsafe-inline' static.licdn.com s.c.lnkd.licdn.com static-fstl.licdn.com static-src.linkedin.com https://www.linkedin.com/voyager/service-worker-push.js https://platform.linkedin.com/js/analytics.js static-exp1.licdn.com static-exp2.licdn.com s.c.exp1.licdn.com s.c.exp2.licdn.com static-lcdn.licdn.com s.c.lcdn.licdn.com https://www.linkedin.com/sc/ https://www.linkedin.com/scds/ https://qprod.www.linkedin.com/sc/ https://www.linkedin.com/sw.js https://www.linkedin.com/voyager/abp-detection.js https://platform.linkedin.com/litms/utag/ https://platform.linkedin.com/litms/vendor/".
Even though the bookmarklet does not use "eval" and is not an inline script, it looks like browsers treat it as such. See this SO question and this issue for details.
This CSP also blocks all injected CSS, which I was using to style the popup modal.
Short term fix:
Copy and paste main.js into the console, and hit enter to run. The "success modal" won't display, due to the inline CSS getting blocked by CSP, but you should be able to manually copy and paste the JSON export after plugging this into the console:
JSON.stringify(linkedinToResumeJsonConverter.getJSON(),null,4)
Options for moving forward
Unfortunately, this is not something I can work around, as far as a bookmarklet goes. This CSP will block any bookmarklet, period. And you can't simply inject a new meta tag, since the header will override the meta tag if it is more restrictive (details).
The only way forward that I see is to migrate this to an entirely different form, such as a chrome extension. I avoided doing this previously, when I first started building this, since I don't like the level of permissions that extensions require and the associated privacy issues. Technically speaking though, it might not take that much work to wrap the code I have already written into a Chrome Extension. Or maybe as a command line utility or something like that.
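As an added example (not code from the project or the issue author), the small CSP evaluator below shows why the header quoted above blocks a bookmarklet: it parses a policy, applies the CSP2 rule that a hash or nonce in a source list makes 'unsafe-inline' ignored, and models several enforced policies (e.g. header plus an injected meta tag) as an intersection. The policy strings are constructed samples loosely modelled on the quoted header, not the live site's full policy.

```javascript
// Added example, not the project's code. Policies below are constructed samples.

// Parse "directive src src; directive2 ..." into Map<directive, [sources]>.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    // First occurrence of a directive wins; later duplicates are ignored.
    if (!directives.has(name.toLowerCase())) {
      // Strip quotes from keyword sources and normalise case (hosts are case-insensitive).
      directives.set(name.toLowerCase(), sources.map((s) => s.replace(/^'|'$/g, '').toLowerCase()));
    }
  }
  return directives;
}

// Effective source list for a fetch directive, falling back to default-src.
// null means the directive is absent and nothing restricts it.
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// Does one policy permit the three things a bookmarklet + injected CSS rely on?
function checkPolicy(policy) {
  const d = parseCsp(policy);
  const script = effectiveSources(d, 'script-src');
  const style = effectiveSources(d, 'style-src');
  // CSP2+: a nonce- or sha*-source in the list causes 'unsafe-inline' to be ignored.
  const hasNonceOrHash = (srcs) => srcs.some((s) => /^(nonce-|sha(256|384|512)-)/.test(s));
  const allowsInline = (srcs) => srcs === null || (srcs.includes('unsafe-inline') && !hasNonceOrHash(srcs));
  return {
    inlineScript: allowsInline(script),
    eval: script === null || script.includes('unsafe-eval'),
    inlineStyle: allowsInline(style),
  };
}

// Multiple policies (header + <meta>) are all enforced: each one must allow the action,
// so adding a looser meta tag can never relax a stricter header.
function checkAll(policies) {
  return policies.map(checkPolicy).reduce(
    (acc, r) => ({ inlineScript: acc.inlineScript && r.inlineScript, eval: acc.eval && r.eval, inlineStyle: acc.inlineStyle && r.inlineStyle }),
    { inlineScript: true, eval: true, inlineStyle: true });
}

// Constructed sample policies: a locked-down header (hash + 'unsafe-inline') and a permissive meta tag.
const LOCKED_DOWN = "script-src 'report-sample' 'sha256-6gLjSWp3GRKZCUFvRX5aGHtECD1wVRgJOJp7r0ZQjV0=' 'unsafe-inline' static.licdn.com; style-src 'self' static.licdn.com";
const PERMISSIVE_META = "script-src 'unsafe-inline' 'unsafe-eval' *; style-src 'unsafe-inline' *";
```

Running `checkAll([LOCKED_DOWN, PERMISSIVE_META])` reports eval, inline script and inline style all denied, which is the "meta tag can't loosen the header" point made above.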