I posted yesterday on Twitter about an issue I ran into when trying to use a bookmarklet on a website—GitHub, in this case—with a Content Security Policy. Instapaper developer Brian Donohue pointed me to a post he’d written on just this issue in 2014.
The ultimate catch-22 of the new Content Security Policy wording is that it’s intended to benefit the users, by providing additional security from hypothetical malicious add-ons on websites that enforce a Content Security Policy. In the end the bookmarklet has been relegated obsolete by the change, a casualty of one clause in one section of one web specification, and end-users and developers are the ones who will mourn its demise. The path to hell is paved with good intentions.
I’ve implemented a CSP on my own site and have now switched from using Instapaper’s bookmarklet to their Safari extension.