Clickjacking Message When Using Evernote Web Clipper

Ask for help about NoScript, no registration needed to post
BoiledFrog

Clickjacking Message When Using Evernote Web Clipper

Post by BoiledFrog » Thu Nov 17, 2016 4:17 am

I have the Evernote Clipper extension installed and I am trying to clip http://www.cbc.ca/news/investigates/rcmp-digital-roadblocks-1.3850018. I get a clickjacking message. I tried adding an XSS exception for

Code: Select all

^https://www\.evernote\.com/clip\.action
and

Code: Select all

^https://www\.evernote\.com/clip\.action.*

Neither worked. I am running NoScript 2.9.0.14. This is the message from the console:

Code: Select all

[NoScript ClearClick] Swallowed event mousedown on H2/-1 at moz-extension://5b5dcd5f-ddb5-0443-8ed1-9e309cb9f092/content/global_tools/global_tools.html
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0

barbaz
Senior Member
Posts: 9283
Joined: Sat Aug 03, 2013 5:45 pm

Re: Clickjacking Message When Using Evernote Web Clipper

Post by barbaz » Thu Nov 17, 2016 5:06 am

First off, ClearClick is not XSS filter. ClearClick exceptions go in about:config > noscript.clearClick.exceptions

Next is, these exceptions are not necessarily regexes. They follow ABE site syntax. See ABE Rules .pdf page 5 (ignore the special all-caps tokens).

Now, I don't remember offhand which way this goes. But the first exception I'd try is just

Code: Select all

moz-extension:


Please add that on the end, separated by a single whitespace, and let us know if it works.
*Always* check the changelogs BEFORE updating that important software!
-

User avatar
Giorgio Maone
Site Admin
Posts: 8743
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Clickjacking Message When Using Evernote Web Clipper

Post by Giorgio Maone » Thu Nov 17, 2016 10:16 am

Also, please use the "Report" button on the Clickjacking Warning dialog, and tell me the report ID you get.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0

RBW08
Posts: 2
Joined: Sun Nov 20, 2016 10:05 am

Re: Clickjacking Message When Using Evernote Web Clipper

Post by RBW08 » Sun Nov 20, 2016 10:11 am

I have the same problem - and I found no working way to add the reported string to about:config > noscript.clearClick.exceptions.

The string does not resemble a normal website, it looks like

Code: Select all

moz-extension://..hash../content/global_tools/global_tools.html


There is no website after the // - just a hash consisting of lower-case letters, numbers and "-".

I tried some strings, but none worked, e.g. moz-extension://*

Report-Id: 650476
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0

barbaz
Senior Member
Posts: 9283
Joined: Sat Aug 03, 2013 5:45 pm

Re: Clickjacking Message When Using Evernote Web Clipper

Post by barbaz » Sun Nov 20, 2016 5:28 pm

Does it work in noscript.clearClick.subexceptions instead?
(That's not so safe. It is only a test.)
*Always* check the changelogs BEFORE updating that important software!
-

RBW08
Posts: 2
Joined: Sun Nov 20, 2016 10:05 am

Re: Clickjacking Message When Using Evernote Web Clipper

Post by RBW08 » Sun Nov 20, 2016 6:19 pm

Yes I think that worked - at least with the one site, which always triggered the clearClick warning. I will have to test it more.

For the record: I added moz-extension://* to noscript.clearClick.subexceptions in about:config

Thanks for the help.
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0

barbaz
Senior Member
Posts: 9283
Joined: Sat Aug 03, 2013 5:45 pm

Re: Clickjacking Message When Using Evernote Web Clipper

Post by barbaz » Sun Nov 20, 2016 6:25 pm

You're welcome. Image

Once you are sure it works, you'll need to make that exception safer. Try changing it to this -

Code: Select all

moz-extension://5b5dcd5f-ddb5-0443-8ed1-9e309cb9f092/*

or maybe even

Code: Select all

moz-extension://5b5dcd5f-ddb5-0443-8ed1-9e309cb9f092/content/global_tools/global_tools.html


That "hash" is a GUID identifying the extension and should be included if possible. This will at least retain clickjacking protection if other extensions' pages get framed.
*Always* check the changelogs BEFORE updating that important software!
-

User avatar
mikolajek
Posts: 18
Joined: Wed Mar 19, 2014 5:46 pm
Location: Warsaw, Poland
Contact:

Re: Clickjacking Message When Using Evernote Web Clipper

Post by mikolajek » Sat Dec 03, 2016 12:01 pm

moz-extension:// is already on the whitelist, so you can't add more detailed expression into the whitelist. Still, it doesn't do the job and kills Web Clipper extension.

What helped me was unticking "Other plugins" in the NoScript's list of blocked items. Can't say it's a safe solution, but does the job...
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Clickjacking Message When Using Evernote Web Clipper

Post by Thrawn » Sun Dec 04, 2016 11:31 pm

That may be helpful, thankyou.

If you're comfortable using about:config, then you could add a permanent exception to noscript.allowedMimeRegExp. I'm not certain what syntax would be used for an extension, though...
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0

User avatar
mikolajek
Posts: 18
Joined: Wed Mar 19, 2014 5:46 pm
Location: Warsaw, Poland
Contact:

Re: Clickjacking Message When Using Evernote Web Clipper

Post by mikolajek » Thu Dec 08, 2016 1:47 pm

Has there been any progress with this issue? Same question applies to killing LastPass credentials window...
No new dev builds have been released for a couple of days, nothing to test... ;)
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Clickjacking Message When Using Evernote Web Clipper

Post by Thrawn » Thu Dec 08, 2016 10:19 pm

mikolajek wrote:moz-extension:// is already on the whitelist, so you can't add more detailed expression into the whitelist.

Actually, in the previous comments, barbaz wasn't talking about a whitelist entry; he was talking about a ClearClick exception. Have you tried that?
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0

User avatar
mikolajek
Posts: 18
Joined: Wed Mar 19, 2014 5:46 pm
Location: Warsaw, Poland
Contact:

Re: Clickjacking Message When Using Evernote Web Clipper

Post by mikolajek » Fri Dec 09, 2016 8:40 am

Thrawn wrote:Actually, in the previous comments, barbaz wasn't talking about a whitelist entry; he was talking about a ClearClick exception. Have you tried that?

Oh, indeed, silly me! Yes, adding this expression to the exception list seems to does the job perfectly.
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0

csalsa
Posts: 6
Joined: Mon Jul 12, 2010 12:20 am

Re: Clickjacking Message When Using Evernote Web Clipper

Post by csalsa » Mon Dec 19, 2016 8:34 am

[Editing this post as I learn more ...]
I am also having problems with Evernote Web Clipper (V6.10.2.0), NoScript (V2.9.5.2) and Firefox (V51b8). I tried some of the workarounds in this post and then tried clipping this forum web page and got a ClearClick Warning dialog to which I raised report #674494.

In the same ClearClick Warning dialog, it has a link for the moz-extension://b51030d8-9317-403d-b027-3aaeb2b54bfe/content/global_tools/global_tools.html (different GUID to the one listed in an earlier post). I followed the instructions to add this link to the about:config key "noscript.clearClick.exceptions" but this has not worked. Without it, I get no response with I click on the Evernote toolbar button. With it, I get the Evernote dialog (incompletely rendered) and a ClearClick Warning dialog. Then even if I uncheck the "Continue to block" option in the ClearClick Warning dialog, Evernote Web Clipper will not work.

At the same time, I have unchecked "Forbid other plugins" in the NoScript Options > Embeddings tab.

As I have had this problem for a time, I had first Reset Firefox removing all Addons, clearing settings but keeping history and bookmarks. I first installed the Evernote Addon and then installed others until it stopped working. NoScript is definitely the problem.

Any other workarounds?
Will NoScript be updated to be compatible with Evernote Web Clipper?
Last edited by csalsa on Mon Dec 19, 2016 9:02 am, edited 2 times in total.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:51.0) Gecko/20100101 Firefox/51.0

User avatar
mikolajek
Posts: 18
Joined: Wed Mar 19, 2014 5:46 pm
Location: Warsaw, Poland
Contact:

Re: Clickjacking Message When Using Evernote Web Clipper

Post by mikolajek » Mon Dec 19, 2016 8:51 am

We're not apparently allowed to browse the betas folder, but Google suggest there's an early build of NS 3 available here: https://secure.informaction.com/download/betas/noscript-3.0a9.xpi. Anyone has tried it?
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0

barbaz
Senior Member
Posts: 9283
Joined: Sat Aug 03, 2013 5:45 pm

Re: Clickjacking Message When Using Evernote Web Clipper

Post by barbaz » Mon Dec 19, 2016 5:27 pm

mikolajek wrote:We're not apparently allowed to browse the betas folder, but Google suggest there's an early build of NS 3 available here: [...] Anyone has tried it?

NoScript 3.x is only for mobile atm.

@csalsa Did you try adding to noscript.clearClick.subexceptions?
*Always* check the changelogs BEFORE updating that important software!
-

Post Reply