Override page CSP for inline script nodes injected by extension content scripts
Categories: Core :: DOM: Security, enhancement, P2
People: Reporter: kmag, Assigned: kmag
References: Blocks 1 open bug
Details: Whiteboard: [domsecurity-active]
Comment 1•6 years ago
Does this bug also apply to Javascript executed by bookmarklets? Or are those a different category (and should they have a separate bug?)?
Comment 3•6 years ago
(In reply to swleefers from comment #2)
> Does this bug also apply to Javascript executed by bookmarklets? Or are those a different category (and should they have a separate bug?)?
Those are a different category, but I'm not sure there's a point of a separate bug. Bookmarklet scripts are the same as page scripts. There's no way to exempt them from policies like this.
Comment 4•6 years ago
See bug 1478037 for the bookmarklet case, at least in terms of allowing them to run even when CSP blocks scripts. Once running they would run just like any page script, so things they do would be affected by CSP.
Comment 5•5 years ago
> There's also the question of possibly adding similar exemptions for inline event listener attributes and eval() calls, but those are much more difficult problems, so I'm going to handle them separately.
Is there a bug open for that?
I noticed that for a site like https://www.getmyboat.com/, which has a strictish CSP policy (i.e. no unsafe-eval or unsafe-inline), the React Devtools extension recognizes the use of React on that site on Chrome, but it fails to recognize the use of React on Firefox.
I opened an issue on the React repo regarding this, and a contributor noted that React Devtools uses devtools.inspectedWindow.eval() in a few places. Would those be blocked by Firefox currently?
Comment 6•5 years ago
To add (since I can't see how to edit my previous comment): it seems like this bug is more relevant to my issue: https://bugzilla.mozilla.org/show_bug.cgi?id=1267027