O Github estava usando um cabeçalho da Política de segurança de conteúdo desde 2013 que bloqueia os bookmarklets via a opção unsafe-inline
:
CONTENT-SECURITY-POLICY: default-src *; script-src 'self' assets-cdn.github.com jobs.github.com ssl.google-analytics.com secure.gaug.es; style-src 'self' assets-cdn.github.com 'unsafe-inline'; object-src 'self' assets-cdn.github.com;
Isso foi corrigido em 2017 com uma política mais explícita:
CONTENT-SECURITY-POLICY: default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src render.githubusercontent.com; connect-src 'self' uploads.github.com status.github.com api.github.com www.google-analytics.com wss://live.github.com; font-src assets-cdn.github.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: assets-cdn.github.com identicons.github.com www.google-analytics.com collector.githubapp.com *.gravatar.com *.wp.com *.githubusercontent.com; media-src 'none'; object-src assets-cdn.github.com; plugin-types application/x-shockwave-flash; script-src assets-cdn.github.com; style-src 'unsafe-inline' assets-cdn.github.com
Referências