InformAction Forums

[nayoblie]

I have been a NoScript user for a long time (maybe over two years?--since Firefox 1.5 if I remember correctly) and have had no problems with it until about two weeks ago. I use greasemonkey scripts for my gmail--google calendar seamless integration and google reader seamless integration, so that they all load on my gmail inbox page. Then, suddenly one day, my gcal frame would not load, and I got the "This content cannot be displayed in a frame To protect your security, the publisher of this content does not allow it to be displayed in a frame" page instead. I checked the source of the frame; it was NoScript, so I tried changing the settings, none of which worked. I had NoScript 1.8.x, and have since updated to 1.9.9.01, and the problems still persists. From looking around the internet and the changelog of NoScript, I can see that the tightened XSS algorithms probably are playing a role in this. The google reader frame, however, still works. The only way I got gcal to appear again was to disable the NoScript plugin altogether. I even tried using the "integrated gmail 2.1.1" plugin, which essentially does the same thing as the greasemonkey scripts, with the same result. Therefore, I would like to know if I can add this to a whitelist, or if I missed a setting that would allow the script, which I rely heavily upon, to behave normally. Btw, I'm using FF 3.5.3.

[Giorgio Maone]

Can I see this greasemonkey script?
What's the domain of the page where you're loading GCal in?

[nayoblie]

for "google calendar seamless integration", the script is here: http://userscripts.org/scripts/show/35499
for "google reader seamless integration", it's http://userscripts.org/scripts/show/35500
as an alternative, I tried Integrated Gmail 2.2.1, which is actually an updated version of the above scripts, but turned into a firefox plugin, https://addons.mozilla.org/en-US/firefox/addon/9457.

As stated above, none of these seems to work.
As to the domain, these scripts are used and active on my gmail inbox page, so I guess the domain would be mail.google.com

Thanks for the quick response

[Giorgio Maone]

The problem is not NoScript. The problem is that GCalendar does not want to be framed cross-origin:

GET /calendar/render HTTP/1.1
Host http://www.google.com

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Date: Sat, 26 Sep 2009 07:16:29 GMT
Content-Type: text/html; charset=UTF-8
Content-Encoding: gzip
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-FRAME-OPTIONS: SAMEORIGIN
Server: GFE/2.0
X-XSS-Protection: 0

As you can see, it sends a X-Frame-Options header set to "SAMEORIGIN", to protect itself and you from Clickjacking.
This means that no origin other than "www.google.com" can embed it in a frame, and mail.google.com doesn't qualify.
Since NoScript has other means to protect you from Clickjacking, I'll probably add some way to disable this feature (introduced by IE8 and implemented also by Chrome/Safari), but at this moment this is not possible.

[Tom T.]

Since NoScript has other means to protect you from Clickjacking, I'll probably add some way to disable this feature (introduced by IE8 and implemented also by Chrome/Safari), but at this moment this is not possible.

This *will* be a user-configured optional disable, not a default, right, Giorgio? For those of us who use neither IE 8 nor Chrome/Safari - nor Gmail, for that matter -- I'm sure we'd rather keep the tightest possible defaults. Thanks.

[Giorgio Maone]

Since NoScript has other means to protect you from Clickjacking, I'll probably add some way to disable this feature (introduced by IE8 and implemented also by Chrome/Safari), but at this moment this is not possible.

This *will* be a user-configured optional disable, not a default, right, Giorgio?

Obviously it will. I can't see any reason to further water down by default an already server-side opt-in and weak form of protection just to serve some exotic usages.

[nayoblie]

thanks for the reply, and for keeping noscript going.

[Giorgio Maone]

Please check latest development build.
You can either disable X-Frame-Options globally by toggling the noscript.frameOptions.enabled about:config preference, or better selectively by just setting noscript.frameOptions.parentWhitelist to mail.google.com.

[nayoblie]

sorry for the late reply, but thanks! It works perfectly now! I can't tell you how much I appreciate it!

[tcahill]

Please check latest development build.
You can either disable X-Frame-Options globally by toggling the noscript.frameOptions.enabled about:config preference, or better selectively by just setting noscript.frameOptions.parentWhitelist to mail.google.com.

Actually, I'm embedding the google calendar in my hoard portal as a frame using firefox 3.5.3, and Noscript 1.9.9.07, and I must toggle nostcript.frameOptions.enabled = true before the calendar will display properly. I've tried, alone or together: mail.google.com and http://www.google.com/calendar/render, as entries in noscript.frameOptions.parentWhitelist while nostcript.frameOptions.enabled = false, and "This content cannot be displayed in a frame" is the result. Suggestions?

[Giorgio Maone]

Actually, I'm embedding the google calendar in my hoard portal as a frame using firefox 3.5.3, and Noscript 1.9.9.07, and I must toggle nostcript.frameOptions.enabled = true before the calendar will display properly. I've tried, alone or together: mail.google.com and http://www.google.com/calendar/render, as entries in noscript.frameOptions.parentWhitelist while nostcript.frameOptions.enabled = false, and "This content cannot be displayed in a frame" is the result. Suggestions?

noscript, not nostcript.