422 response when using bookmarklet

[wfsmith]

We're using this for our newsroom. A few reporters flagged that the bookmarklet is not working.

Reproduce:

Go to a website. Click bookmarklet. It creates a sidebar with a input form control for email and a buton that says "Login". Click an element of the page you want to monitor. Enter email address and click "Login".

The response I get is 422.

Look at logs in Heroku, I see:

2025-11-12T22:13:35.538164+00:00 app[web.1]: W, [2025-11-12T22:13:35.538141 #2]  WARN -- : Can't verify CSRF token authenticity.
2025-11-12T22:13:35.538353+00:00 app[web.1]: I, [2025-11-12T22:13:35.538334 #2]  INFO -- : Completed 422 Unprocessable Entity in 1ms (ActiveRecord: 0.0ms | Allocations: 220)
2025-11-12T22:13:35.538998+00:00 app[web.1]: F, [2025-11-12T22:13:35.538960 #2] FATAL -- :

2025-11-12T22:13:35.538998+00:00 app[web.1]: ActionController::InvalidAuthenticityToken (Can't verify CSRF token authenticity.):

From this information, I thought I could relax the cookie settings a bit to fix the login problem. So I forked the repo, created a file called config/initializers/session_store.rb and added the following:

Rails.application.config.session_store :cookie_store,
  key: '_klaxon_session',
  same_site: :none,
  secure: Rails.env.production?  # ensures cookie sent only over HTTPS in production

I redeployed and the 422 error goes away but the app doesn't create the new watch item. It just continually asks you to log in, says "email sent", and then when you click the link within the email, you are logged in but there is no new watch item for the element you selected previously.

[GabeIsman]

@wfsmith thanks for the issue. I was able to reproduce the problem in Firefox across a couple of different websites. It went away when I turned off "enhanced tracking protection." Any kind of ad-blocker or tracking limitation mechanism might similarly break the iframe.

The problem is really with the fundamental model of the bookmarklet. As browsers get more serious about limiting third-party cookies and more sites set restrictive Content Security Policies, the whole setup starts to break down. These changes are good for the web of course, but do make it hard to use Klaxon as originally intended.

We are no longer investing in Klaxon, so you're not going to see a major overhaul of how this feature works to bring it up to date. I think likely preserving this user experience would require a browser plugin, though I haven't done much research into the possibilities.

You should consider whether the newish DocumentCloud features might meet your needs. You can of course still "Manually watch an item" from the Watching page in Klaxon. It's not so user-friendly, but at least it still works!

[wfsmith]

Thanks @GabeIsman. Unfortuntely the problem persists for me on Firefox with enhanced tracking protection disabled. I rolled back my fix just to be sure.

Thank you for the work you did on this. I understand its basically sunset at this point. I suppose the documentcloud option is our only recourse at this point.

Cheers

[GabeIsman]

@wfsmith Yea it may be that there's also a content security policy on the particular site you're trying to watch that's blocking you. Sorry for the headache!