Clickjacking Message When Using Evernote Web Clipper


Re: Clickjacking Message When Using Evernote Web Clipper

by Thrawn » Tue Dec 20, 2016 10:55 pm

When Evernote reports a problem, what scripts appear on the NoScript menu?

Re: Clickjacking Message When Using Evernote Web Clipper

by csalsa » Tue Dec 20, 2016 6:14 am

@barbaz
Hi. I had not added to "noscript.clearClick.subexceptions", however, when I did, it still did not work.

There are two separate problems.
1) is the third party cookie that Evernote uses. It has nothing to do with NoScript but third-party cookies must be enabled in Firefox options.
2) is a problem with script blocking. I can get Evernote to work most of the time with global scripts on (and the two about:config settings are set. I have yet to test turning them off to see if they are needed). With script blocking, the Evernote Addon cannot make an internet connection and reports this on the Addon popup page.

I do not understand web pages, scripts and cookies enough to assess what is happening. I am kinda hacking changes to see the impacts.

Re: Clickjacking Message When Using Evernote Web Clipper

by barbaz » Mon Dec 19, 2016 5:27 pm

mikolajek wrote: We're not apparently allowed to browse the betas folder, but Google suggests there's an early build of NS 3 available here: [...] Has anyone tried it?
NoScript 3.x is only for mobile atm.

@csalsa Did you try adding to noscript.clearClick.subexceptions?

Re: Clickjacking Message When Using Evernote Web Clipper

by mikolajek » Mon Dec 19, 2016 8:51 am

We're not apparently allowed to browse the betas folder, but Google suggests there's an early build of NS 3 available here: https://secure.informaction.com/downloa ... -3.0a9.xpi. Has anyone tried it?

Re: Clickjacking Message When Using Evernote Web Clipper

by csalsa » Mon Dec 19, 2016 8:34 am

[Editing this post as I learn more ...]
I am also having problems with Evernote Web Clipper (V6.10.2.0), NoScript (V2.9.5.2) and Firefox (V51b8). I tried some of the workarounds in this post and then tried clipping this forum web page and got a ClearClick Warning dialog to which I raised report #674494.

In the same ClearClick Warning dialog, it has a link for the moz-extension://b51030d8-9317-403d-b027-3aaeb2b54bfe/content/global_tools/global_tools.html (different GUID to the one listed in an earlier post). I followed the instructions to add this link to the about:config key "noscript.clearClick.exceptions" but this has not worked. Without it, I get no response when I click on the Evernote toolbar button. With it, I get the Evernote dialog (incompletely rendered) and a ClearClick Warning dialog. Then even if I uncheck the "Continue to block" option in the ClearClick Warning dialog, Evernote Web Clipper will not work.

At the same time, I have unchecked "Forbid other plugins" in the NoScript Options > Embeddings tab.

As I have had this problem for a time, I had first Reset Firefox removing all Addons, clearing settings but keeping history and bookmarks. I first installed the Evernote Addon and then installed others until it stopped working. NoScript is definitely the problem.

Any other workarounds?
Will NoScript be updated to be compatible with Evernote Web Clipper?

Re: Clickjacking Message When Using Evernote Web Clipper

by mikolajek » Fri Dec 09, 2016 8:40 am

Thrawn wrote: Actually, in the previous comments, barbaz wasn't talking about a whitelist entry; he was talking about a ClearClick exception. Have you tried that?
Oh, indeed, silly me! Yes, adding this expression to the exception list seems to do the job perfectly.

Re: Clickjacking Message When Using Evernote Web Clipper

by Thrawn » Thu Dec 08, 2016 10:19 pm

mikolajek wrote: moz-extension:// is already on the whitelist, so you can't add more detailed expression into the whitelist.
Actually, in the previous comments, barbaz wasn't talking about a whitelist entry; he was talking about a ClearClick exception. Have you tried that?

Re: Clickjacking Message When Using Evernote Web Clipper

by mikolajek » Thu Dec 08, 2016 1:47 pm

Has there been any progress with this issue? Same question applies to killing LastPass credentials window...
No new dev builds have been released for a couple of days, nothing to test... ;)

Re: Clickjacking Message When Using Evernote Web Clipper

by Thrawn » Sun Dec 04, 2016 11:31 pm

That may be helpful, thank you.

If you're comfortable using about:config, then you could add a permanent exception to noscript.allowedMimeRegExp. I'm not certain what syntax would be used for an extension, though...

Re: Clickjacking Message When Using Evernote Web Clipper

by mikolajek » Sat Dec 03, 2016 12:01 pm

moz-extension:// is already on the whitelist, so you can't add more detailed expression into the whitelist. Still, it doesn't do the job and kills Web Clipper extension.

What helped me was unticking "Other plugins" in the NoScript's list of blocked items. Can't say it's a safe solution, but does the job...

Re: Clickjacking Message When Using Evernote Web Clipper

by barbaz » Sun Nov 20, 2016 6:25 pm

You're welcome.

Once you are sure it works, you'll need to make that exception safer. Try changing it to this -

    moz-extension://5b5dcd5f-ddb5-0443-8ed1-9e309cb9f092/*

or maybe even

    moz-extension://5b5dcd5f-ddb5-0443-8ed1-9e309cb9f092/content/global_tools/global_tools.html

That "hash" is a GUID identifying the extension and should be included if possible. This will at least retain clickjacking protection if other extensions' pages get framed.
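Added example (not part of barbaz's post and not NoScript code): a small audit of a Firefox profile's prefs.js that rates each ClearClick exception by how much framed extension content it exempts, from the test-only `moz-extension://*` down to a single pinned page. It assumes the preference value is a whitespace-separated list of patterns; the function names and sample prefs.js content are constructed for illustration.

```python
import re

# Preference names taken from the thread.
PREFS = ("noscript.clearClick.exceptions", "noscript.clearClick.subexceptions")

# user_pref("name", "value"); as written in a Firefox profile's prefs.js
PREF_LINE = re.compile(r'^user_pref\("([^"]+)",\s*"((?:[^"\\]|\\.)*)"\);\s*$')
GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
SCOPED = re.compile(r"^moz-extension://(" + GUID + r")(/.*)?$")


def classify(pattern):
    """Rate one exception pattern by how much framed extension content it exempts."""
    if not pattern.startswith("moz-extension://"):
        return "other"
    m = SCOPED.match(pattern)
    if m is None:
        return "all-extensions"      # e.g. moz-extension://* : no GUID pinned
    path = m.group(2) or ""
    if path in ("", "/", "/*") or "*" in path:
        return "one-extension"       # GUID pinned, any page of that extension
    return "one-page"                # GUID and exact page pinned


def audit(prefs_text):
    """Return (pref, pattern, scope) for every ClearClick exception entry."""
    findings = []
    for line in prefs_text.splitlines():
        m = PREF_LINE.match(line.strip())
        if m and m.group(1) in PREFS:
            # Assumption: the value is a whitespace-separated pattern list.
            for pattern in m.group(2).split():
                findings.append((m.group(1), pattern, classify(pattern)))
    return findings


# Constructed sample prefs.js content using the values quoted in the thread.
SAMPLE = '''
user_pref("noscript.clearClick.subexceptions", "moz-extension://*");
user_pref("noscript.clearClick.exceptions", "moz-extension://5b5dcd5f-ddb5-0443-8ed1-9e309cb9f092/* moz-extension://5b5dcd5f-ddb5-0443-8ed1-9e309cb9f092/content/global_tools/global_tools.html");
user_pref("browser.startup.page", 3);
'''

if __name__ == "__main__":
    for pref, pattern, scope in audit(SAMPLE):
        print(f"{scope:15} {pref}: {pattern}")
```

Entries rated `all-extensions` are the ones to tighten once testing is done, since they drop ClearClick for every extension's pages rather than only the one whose GUID appears in the warning dialog.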

Re: Clickjacking Message When Using Evernote Web Clipper

by RBW08 » Sun Nov 20, 2016 6:19 pm

Yes I think that worked - at least with the one site, which always triggered the clearClick warning. I will have to test it more.

For the record: I added moz-extension://* to noscript.clearClick.subexceptions in about:config

Thanks for the help.

Re: Clickjacking Message When Using Evernote Web Clipper

by barbaz » Sun Nov 20, 2016 5:28 pm

Does it work in noscript.clearClick.subexceptions instead?
(That's not so safe. It is only a test.)

Re: Clickjacking Message When Using Evernote Web Clipper

by RBW08 » Sun Nov 20, 2016 10:11 am

I have the same problem - and I found no working way to add the reported string to about:config > noscript.clearClick.exceptions.

The string does not resemble a normal website, it looks like

    moz-extension://..hash../content/global_tools/global_tools.html

There is no website after the // - just a hash consisting of lower-case letters, numbers and "-".

I tried some strings, but none worked, e.g. moz-extension://*

Report-Id: 650476

Re: Clickjacking Message When Using Evernote Web Clipper

by Giorgio Maone » Thu Nov 17, 2016 10:16 am

Also, please use the "Report" button on the Clickjacking Warning dialog, and tell me the report ID you get.
