Bookmarklet errors due to CSP

[drushbrook]

When attempting to use the bookmarklet I get a CSP error. Do you have a workaround for this that doesn't involve turning off CSP at the browser level?

Connecting to 'https://second-brain.d******1.workers.dev/capture' violates the following Content Security Policy directive: "connect-src 'self' *.google-analytics.com". The action has been blocked.

Fetch API cannot load https://second-brain.d******1.workers.dev/capture. Refused to connect because it violates the document's Content Security Policy.

[rahilp]

Hey @drushbrook! Thanks for reporting this, and great first issue to surface!

This is a known limitation of bookmarklets. They run in the context of the current page, so sites with strict CSP headers (like the one you hit) will block the outgoing fetch to your Worker. There's no way to fix this at the bookmarklet level without those sites relaxing their CSP, which isn't something we can control.

Immediate workaround: Use the iOS Shortcuts instead if you're on mobile, they capture from the share sheet and aren't subject to page CSP at all. On desktop, the workaround is unfortunately limited to sites that don't have restrictive CSP policies.

Longer term: A proper browser extension is on the roadmap (#10) — that's the right fix for this since extensions run in a privileged context outside the page's CSP. I don't have an ETA yet, but this issue is a good data point for prioritizing it.

I'm so sorry I don't have a cleaner fix right now. If you want to upvote the extension work, +1 on #10 helps.

[drushbrook]

Hey @rahilp
Thanks for the response. I'm using the IOS Shortcuts today and adjusted them to use a Dictionary rather than variables. I found that to be a cleaner method of passing the token and url.

[rahilp]

The bookmarklet runs in the context of a third-party page, so it's subject to that page's connect-src Content Security Policy directive — there's no way to override this from a bookmarklet. This is a browser-enforced constraint, not something that can be fixed on the worker side.

The long-term fix is a browser extension (#10), which runs in its own privileged origin and can make cross-origin requests regardless of the host page's CSP. Closing this in favour of #10.