NoScript and Zotero NOT working together
I'm running NoScript 2.0.3.3 and Zotero 2.0.9. And I get this message for records with notes:
"The NoScript extension is preventing Zotero from displaying notes. To use NoScript and Zotero together, whitelist the 'file://' scheme in the NoScript preferences."
Nothing I do with the whitelist in NoScript seems to work (except disabling it).
1> go to the NoScript Preferences whitelist
2> import the whitelist as a text file
3> Manually open the text file and add "file://". (I actually took care to put it in its alphabetical order {likely unnecessary})
4> From the Preferences whitelist tab select all sites and "Remove Selected Sites".
5> import the modified text file in the NoScript Preferences whitelist tab.
6> A restart of Firefox didn't seem necessary for this fix. But if steps 1-5 don't work, then try a restart as well.
voilà!
I first tried steps 1-5, and it didn't work. Then I restarted, but it still didn't work. After this, what I did was close the Zotero window, go to the NoScript preferences, remove only the file:// entry from the whitelist, press OK, go back to the preferences and whitelist tab and put the file:// entry back there, press OK and restart Firefox.
Not sure whether it's a problem with NoScript or with Zotero, actually. I think I had the Zotero window open when I did d0gg0nit's steps 1-5. Might have affected the process?
Edit: forgot to mention that I'm using the same versions of both add-ons as d0gg0nit (NS 2.3.3, Z 2.0.9).
What's different for me is that none of the workarounds seem to work for me. I've tried to add file:// as well as file: and even both at the same time to my NoScript whitelist. I did that via the NoScript preferences dialog as well as using d0gg0nit's trick and I've restarted Iceweasel over and over again, but it didn't work out. The procedure described by ktkallio didn't help either.
What puzzles me is that I can't see any errors or warnings in either Zotero's debug output or the Firefox Error Console. Shouldn't there be any hint of what's going on behind the scenes?
The only thing that has helped so far is disabling NoScript as long as I want to edit or read notes in Zotero. But obviously this is not very convenient...
If you need any further details, I'd be glad to supply them...
Note that this is in 3.6.10. It's possible that NoScript has problems with earlier versions of Firefox.
Quoting:
"OK, upgraded to 2.0.9 (2.0.8 was the latest version served by AMO, and it worked with no special permissions).
I immediately found that I couldn't edit any note without allowing file://, as correctly stated by the message given in place of the note.
Either adding "file:" or "file://" did work, but only ON NEW WINDOWS, i.e. I had either to spawn a new window from the File menu or restart the browser in order to have the notes editable in the Zotero panel after changing the permissions (probably because the file:// scripts are loaded at window startup time).
If this doesn't work for you, please try NoScript Options|Reset, then adding back file:// to your whitelist (which got reset)."
So, I had to perform the NoScript Options Reset, the button for which sits at the bottom of the window. I also had to restart my browser a couple of times. Be sure to export your NoScript whitelist first, because it will be deleted permanently. Everything seems to work fine now.
Has anyone any ideas how to debug this or generate useful debug output to see what is going on?
I'll try to ask the guys over at NoScript whether they know how to enable debug output or something like that for NoScript, so I can see what exactly is being blocked. I'll report any interesting findings here.
I asked in the NoScript Forums (http://forums.informaction.com/viewtopic.php?f=7&t=5261) and there is indeed a very verbose debug mode implemented in NoScript:
Quoting Giorgio Maone:
about:config, set noscript.consoleDump to 1 and noscript.consoleLog to true.
Warning: this can be very noisy and impact browsing performance.
I tried that, but it didn't yield anything useful. I see that Zotero tries to load something from a JAR file and succeeds. With NoScript disabled there are tons of entries about Zotero loading various files. But when NoScript is enabled, there are only one or two messages, but no errors or reports about any file being blocked by NoScript.
I have no idea what else to try, so I'm giving up.
Anybody have any ideas on what might be causing this?
Did that. Ran it with noscript disabled and then enabled. Am wondering if Microsoft.net extension is screwing things up. Am trying to remove now.
I have the same problem, running Zotero 2.09, NoScript 2.0.5.1, Firefox (Iceweasel) 3.0.6 (Linux Debian Lenny).
The "file:" entry also was in the list of untrusted addresses.
This list cannot be directly reached via the NoScript settings but only via "about:config".
So either delete the entry manually via "about:config" (noscript.untrusted) or, what I did because it's easier, open a local file that Firefox can show via the Firefox menu: File>open.
Now opening the NoScript menu, the "file:" entry was shown in the sub-menu for untrusted addresses. "Allow 'file:'" and restarting Firefox solved the problem.
The entry was both added to the whitelist and removed from the untrusted list.
I was confused because the problem now occurred a second time after I had set "file:" to the whitelist some time before. The first time the problem had been solved immediately with the entry in the whitelist.
The entry to the list of untrusted addresses must have come after this first time. I don't know how, whether it was by a NoScript update or by my mistake. Anyway, now it works again and I found a solution. I hope this also works for others.
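An added example (not from any poster in this thread, and not NoScript or Zotero code): a check for the situation described above, where `file:` ends up in both the whitelist and the untrusted list. It assumes an exported list with one entry per line and untrusted entries after a `[UNTRUSTED]` line; the function names and sample entries are constructed.

```python
# Added example: audit an exported NoScript list for the file: scheme.
# Assumed export layout (not confirmed by the thread): one entry per line,
# trusted entries first, untrusted entries after a "[UNTRUSTED]" line.
UNTRUSTED_MARKER = "[UNTRUSTED]"

# Constructed sample: file: appears in both lists, as in the post above.
SAMPLE_EXPORT = """\
addons.mozilla.org
file://
zotero.org
[UNTRUSTED]
ads.example
file:
"""


def normalize(entry):
    """Treat 'file:', 'file://' and 'FILE://' as the same scheme entry."""
    entry = entry.strip().lower()
    if entry.endswith("://"):
        entry = entry[:-2]
    return entry


def parse_export(text):
    """Return (trusted, untrusted) sets; untrusted is empty if no marker."""
    trusted, untrusted = set(), set()
    current = trusted
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.upper() == UNTRUSTED_MARKER:
            current = untrusted
            continue
        current.add(normalize(line))
    return trusted, untrusted


def audit_scheme(text, scheme="file:"):
    """Classify the scheme as ok, missing, untrusted or conflict."""
    trusted, untrusted = parse_export(text)
    key = normalize(scheme)
    if key in trusted and key in untrusted:
        return "conflict"
    if key in untrusted:
        return "untrusted"
    return "ok" if key in trusted else "missing"


if __name__ == "__main__":
    print(audit_scheme(SAMPLE_EXPORT))
```

A result of `conflict` or `untrusted` points at the untrusted list (noscript.untrusted in about:config) rather than the whitelist as the place to look.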
I went to NoScript Options, chose the Advanced tab, chose the Trusted tab, chose the Export option, and opened the file in Notepad.
I cannot find any section [UNTRUSTED].
Exporting the file under the Untrusted tab provides exactly the same text file as the Trusted export.
How should I proceed? Thanks a lot for your help.
I tried it and uninstalled Microsoft .NET Framework 2.0 Service Pack 2 and now Zotero Notes works perfectly well with NoScript.
Is there any way to narrow down which files or directories that Zotero needs to have whitelisted by NoScript in order to function?
If you try it yourself, you'll get something like this in the Error Console:
If there are no feasible attack vectors via file:// URIs, why would NoScript filter them by default? Put another way: is it the Zotero project's opinion that NoScript's default scanning of file:// URIs is superfluous?
I don't know why NoScript blocks file:// by default, but NoScript does exist for more than just security. (As noted on that page, Mozilla's handling of file URIs also changed in 3.0, so NoScript's blocking may predate that.) In any case, we're really just telling people how to make Zotero work with NoScript for people who choose to use both. Whether you're comfortable doing that is up to you.
Zotero only needs access to its extension directory in the Firefox profile, but I don't think NoScript even allows you to whitelist a subpath of a file:// URI. If you enter a full URI it truncates it to just file://.
We might be able to load TinyMCE from a resource: URI, which NoScript doesn't block by default, but we'd have to look into whether that's possible.
* Maybe there's some convoluted potential attack by which you get someone to browse to a website, force the download of an HTML file containing JS, send them an email with a file URI for them to paste in, from that page load a specific file with a known filename from their downloads directory (since you can't list the directory), craft an image URL containing the contents, and add an img tag to the DOM with that URL as the src. Even if all that actually works, I think there are easier and more fruitful attack vectors.