I doubt you’ll be able to get whitelisted for CSP, security whitelists are generally highly controlled (and for good reason). Instead you should look at the process you are using and make sure you conform to browser security best practices. Most browsers will allow JS to be run at the explicit request of the user but you have to stay within their requirements. Make sure you’re bookmarklets do that or maybe look at implementing browser extensions instead.
