Chrome (likely also Firefox/Edge/Safari): no non-global way to workaround Bookmarklets failing on GitHub raw code with “Blocked script execution…”
Posted by jpluimers on 2023/10/18
Last year, I answered [Wayback/Archive] javascript – Bookmarklet to append a string to a URL – Stack Overflow (asked by [Wayback/Archive] Karlo Guidoni Martins, thanks!).
It is about not being able to run bookmarklets on pages hosted by for instance:
gist.githubusercontent.comraw.githubusercontent.com
GitHub is an exception, as RAW files from these services do work fine:
At first sight, when running a Bookmarklet on those RAW GitHub served pages, you do not see an error: it just looks like the Bookmarklet does not work at all. The last part is right, but in the Chrome console you can actually see the error.
That error lead me to my answer:
You got the errorBlocked script execution in 'https://raw.githubusercontent.com/kguidonimartins/csv_example/master/1946_proposicoes.csv' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.I bumped into this error as well (for a different GitHub URL), and had a look at the HTTP headers that are being served which match very well with the headers returned from my URL:
# curl -s -D - -o /dev/null https://raw.githubusercontent.com/kguidonimartins/csv_example/master/1946_proposicoes.csv HTTP/2 404 content-security-policy: default-src 'none'; style-src 'unsafe-inline'; sandbox strict-transport-security: max-age=31536000 x-content-type-options: nosniff x-frame-options: deny x-xss-protection: 1; mode=block content-type: text/plain; charset=utf-8 x-github-request-id: 7CFE:2788:FC6BD:193830:6235F1EF accept-ranges: bytes date: Sat, 19 Mar 2022 15:08:54 GMT via: 1.1 varnish x-served-by: cache-ams21046-AMS x-cache: HIT x-cache-hits: 1 x-timer: S1647702535.805381,VS0,VE0 vary: Authorization,Accept-Encoding,Origin access-control-allow-origin: * x-fastly-request-id: a7f167928977f2bff7a2d78679aa13f287777567 expires: Sat, 19 Mar 2022 15:13:54 GMT source-age: 23 content-length: 14The cause of the error you see is in the first header:content-security-policy: default-src 'none'; style-src 'unsafe-inline'; sandboxThe HTTP [Wayback/Archive]Content-Security-Policy(CSP)sandboxdirective enables a sandbox for the requested resource similar to the [Wayback/Archive]<iframe>[Wayback/Archive]sandboxattribute. It applies restrictions to a page’s actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy.By not returning a value forsandbox, GitHub tells Chrome that the served page cannot run any scripts. This means that scripts by Bookmarklets are excluded.I did try finding a setting to workaround this in all the URLs mentioned at [Wayback/Archive] List of Chrome URLs and their purpose – gHacks Tech News, but could not find any.I have not tried it yet, as I don’t want a global risk in my Chrome session, but you might use the--flags --allow-scriptswhich for instance is suggested in an answer to [Wayback/Archive] javascript – is triggered for no reason in Chrome – Super User.So I have to end with that now the cause is explained, but there is no real solution.
Note: Another page which has a lot of chrome://* URLs is [Archive] hidden Chrome URLs (which cannot be saved in the WayBack machine), which I also found via [Wayback/Archive] chrome urls – Google Search.
Related searches:
- [Wayback/Archive] -iframe “Blocked script execution in” “because the document’s frame is sandboxed and the ‘allow-scripts’ permission is not set.” – Google Search
- [Wayback/Archive] Bookmarklet -iframe “Blocked script execution in” “because the document’s frame is sandboxed and the ‘allow-scripts’ permission is not set.” – Google Search
–jeroen
The Wiert Corner - irregular stream of stuff 
Leave a comment