6

I'm trying to make a bookmarklet to use on YouTube and other video sites in order to easily get information from the video and store it elsewhere.

As of today, apparently I can't do that anymore, since YouTube forces itself onto an https connection and, from what I've read in Chrome's console window, the bookmarklet doesn't run on a https page. Is there a workaround?

Here is the edited code:

javascript:(function(){var jsCode=document.createElement('script');jsCode.setAttribute('src','http://[mysite]/b/enter.php?i=userid&r='+Math.random());document.body.appendChild(jsCode);}());
maugch
  • Do you see this behavior in browsers besides Google Chrome? Which browsers run the bookmarklet and which do not? – apsillers Jan 16 '13 at 21:03
  • Does your site support https? – epascarello Jan 16 '13 at 21:28
  • Apparently Chrome blocks it and Firefox does not. Unfortunately I don't have a fixed IP so I can't use an SSL certificate. It's just a pet project. If I had users interested maybe I could change that or find another way to easily store YouTube links. – maugch Jan 17 '13 at 18:55
  • You can get an SSL certificate from StartSSL for free. – Phil Nov 06 '13 at 06:51
  • Is there any way to tell your browser that you want to (temporarily) allow mixed content? – caponica Apr 01 '14 at 08:19

4 Answers

6

Google Chrome (and possibly other browsers?) blocks HTTP resources from being accessed from an HTTPS document. This is to prevent "mixed content" attacks, in which insecure HTTP scripts could be intercepted by an attacker in transit over the network and altered to perform any kind of malicious activity (e.g., leak cookies or sensitive page information to a third party). Such a violation would undo any protection granted by HTTPS.

Chrome used to provide a prominent warning that an insecure resource was blocked, but now it no longer does so, and all insecure loads silently fail. The only solution available to you at this time is to use HTTPS yourself when you serve the script.

apsillers
  • IE 10 also gives the insecure content warning and gives you the option of letting the content run, but requires a refresh after giving the option in my opinion. – LetMyPeopleCode Mar 14 '13 at 05:03
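
A simplified model of the mixed-content check described in the answer above, as an added example that is not part of the original answers and is not browser source code. The function names, the passive/blockable split and the host `bookmarklet.example` (a constructed stand-in for the question's `[mysite]`) are assumptions made for illustration.

```javascript
// Added example: simplified model of the mixed-content check, not browser source.
// Kinds browsers treat as passive (display-only); every other kind is blockable.
const PASSIVE_KINDS = new Set(['image', 'audio', 'video']);

// Loopback hosts count as trustworthy even over plain HTTP.
function isLoopback(hostname) {
  return hostname === 'localhost' || hostname === '[::1]' ||
    /^127(\.\d{1,3}){3}$/.test(hostname);
}

// Returns 'allowed', 'passive' (warned about or upgraded, browser-dependent)
// or 'blocked' for a resource of the given kind requested by pageUrl.
function classifyLoad(pageUrl, resourceUrl, kind) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl, page); // resolves relative and //host/ URLs
  if (page.protocol !== 'https:') return 'allowed'; // insecure page: no check
  if (res.protocol !== 'http:' && res.protocol !== 'ws:') return 'allowed';
  if (isLoopback(res.hostname)) return 'allowed';
  return PASSIVE_KINDS.has(kind) ? 'passive' : 'blocked';
}

// Finds absolute http(s) URLs in bookmarklet source and classifies each one
// as a script load from pageUrl, which is how the question's bookmarklet uses it.
function auditBookmarklet(source, pageUrl) {
  const urls = source.match(/https?:\/\/[^'"\s)]+/g) || [];
  return urls.map((url) => ({ url, verdict: classifyLoad(pageUrl, url, 'script') }));
}

// Constructed sample: same shape as the question's bookmarklet, with a
// placeholder host (bookmarklet.example) instead of the author's site.
const SAMPLE = "javascript:(function(){var s=document.createElement('script');" +
  "s.setAttribute('src','http://bookmarklet.example/b/enter.php?r='+Math.random());" +
  "document.body.appendChild(s);}());";

const PAGE = 'https://www.youtube.com/watch';
console.log(auditBookmarklet(SAMPLE, PAGE));
console.log(auditBookmarklet(SAMPLE.replace('http://', 'https://'), PAGE));
```

The first audit reports the script URL as blocked; the second, with the loader served over HTTPS, reports it as allowed, which matches the answer's conclusion.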
4

In Firefox, if you want to run a bookmarklet that references http on an https page, the way to get around this is to temporarily disable security.mixed_content.block_active_content. There are two ways to do this.

  1. Go to about:config in a new tab, search for security.mixed_content.block_active_content and then toggle the value to false. Run your bookmarklet and then toggle it back to true (since you probably want it turned on most of the time).

  2. Use an add-on / extension to toggle the block. A quick search turned up Toggle Mixed Active Content, and a quick test seemed to work well. There may be others.

Have fun and be careful. Here be dragons!

caponica
3

the bookmarklet doesn't run on a https page

Why not?

Try changing to a HTTPS domain yourself. Usually HTTP content is blocked when you're on a HTTPS domain.

Halcyon
1

I have created a work-around "fix" for this issue using a Greasemonkey userscript. You can now have bookmarklets on all CSP and https:// sites, plus have your bookmarklets in a nice, easily-editable library file instead of being individually squished into a bookmark.

Nathan Tuggy
Bill D