Lately, some websites such as Facebook use the Content Security Policy (CSP) to restrict loading of scripts from "untrusted sources". For example, when requesting Facebook HTML content (e.g. https://www.facebook.com ), Facebook's HTTP response includes the following response header:
x-webkit-csp:default-src *;script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl 'unsafe-inline' 'unsafe-eval' https://*.akamaihd.net http://*.akamaihd.net;style-src * 'unsafe-inline';connect-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.spotilocal.com:* https://*.akamaihd.net ws://*.facebook.com:* http://*.akamaihd.net;
This has an impact on some bookmarklets that need to load and execute JavaScript libraries from untrusted sources.
For example, whenever I try to run the Show Anchors bookmarklet on a Facebook page, execution of this bookmarklet fails because it tries to load jQuery from an untrusted source. Chrome's developer console says:
Refused to load the script 'http://ajax.googleapis.com/ajax/libs/jquery/1.3/jquery.min.js' because it violates the following Content Security Policy directive: "script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl 'unsafe-inline' 'unsafe-eval' https://*.akamaihd.net http://*.akamaihd.net".
I've found a Chrome documentation page about this topic, but it only applies to Chrome extensions.
I'm looking for solutions that allow me to
- either deactivate CSP just once
- or permanently whitelist my trusted sources.
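As an added example (not part of the question, and not browser or library code), here is a small JavaScript evaluator for the script-src directive quoted above: it parses the header and reports whether a given script URL would be permitted, approximating host-source matching by scheme, host wildcard and port. Function names such as `scriptAllowed` are my own, and path matching, nonces and hashes are deliberately left out.

```javascript
// Added example, not code from the question or from any browser: a simplified
// CSP script-src evaluator. It approximates host-source matching (scheme, host
// wildcard, port wildcard); path matching and nonce/hash sources are not modelled.
const FACEBOOK_CSP = "default-src *;script-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* chrome-extension://lifbcibllhkdhoafpjfnlhfpfgnpldfl 'unsafe-inline' 'unsafe-eval' https://*.akamaihd.net http://*.akamaihd.net;style-src * 'unsafe-inline';connect-src https://*.facebook.com http://*.facebook.com https://*.fbcdn.net http://*.fbcdn.net *.facebook.net *.spotilocal.com:* https://*.akamaihd.net ws://*.facebook.com:* http://*.akamaihd.net;";

// Split "name src src; name src" into { name: [src, ...] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Does one source expression ("https://*.fbcdn.net", "127.0.0.1:*", "*", "'self'")
// match the URL? Keyword sources other than 'self' never match a URL.
function sourceMatches(source, url, pageOrigin) {
  if (source === '*') return true;
  if (source.startsWith("'")) return source === "'self'" && url.origin === pageOrigin;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\*|\d+))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme) {
    if (scheme.toLowerCase() + ':' !== url.protocol) return false;
  } else if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return false; // scheme-less sources only cover http(s) in this model
  }
  const h = url.hostname.toLowerCase();
  const hostOk = host.startsWith('*.')
    ? h.endsWith(host.slice(1).toLowerCase()) // "*.fbcdn.net" matches "a.fbcdn.net"
    : h === host.toLowerCase();
  if (!hostOk) return false;
  if (port === '*') return true;
  const def = url.protocol === 'https:' ? '443' : '80';
  return (port || def) === (url.port || def);
}

// script-src governs scripts; default-src is only the fallback when it is absent.
function scriptAllowed(header, scriptUrl, pageOrigin) {
  const csp = parseCsp(header);
  const sources = csp['script-src'] || csp['default-src'] || [];
  return sources.some(s => sourceMatches(s, new URL(scriptUrl), pageOrigin));
}
```

Running it against the jQuery URL from the console message reproduces the refusal, while an fbcdn.net script or a 127.0.0.1:8080 script passes.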