Jump to content
  • 0

Safari Clipper and Content Security Policy (CSP) issue


jbignert

Idea

Hi all,

We are getting increasing feedback from Safari Web Clipper users of problems clipping certain sites. One reason in these cases can be caused by how Safari have chosen to enforce Content Security Policy (CSP) headers.

 

Summary of CSP:

- It's a 'setting' of sorts, that site publishers can set that limits what bookmarklets and extensions can do on their site.

- In Safari this may cause the Web Clipper to not being able to execute any code and thus not being able to start.

- More info about CSP is available here: http://www.w3.org/TR/CSP/

 

Typical signs of a CSP issue:

- When clicking the Web Clipper toolbar button absolutely nothing happens. (i.e no Web Clipper UI will load)

 

How to determine if the site is having restrictive CSP settings:

- See this Skitched tutorial for a guide.

https://www.evernote.com/l/AAwMRDf060tB94tLsqW1TK2dNxvFGBuroh4 

 

What can be done about it?

- At this point there is nothing that we can 'fix' in the Web Clipper. We are blocked by Safari from running any code.

- At the moment Chrome and other browser haven't implemented CSP the same way so clipping in those browser should work fine if the root cause is CSP.  

Link to comment

57 replies to this idea

Recommended Posts

 

We pushed an update on March 31 to fix the reported issues when the CSP notice fired off too easily. If this continues to be a problem for you please let me know by posting here on this thread. 

 

Latest version for Safari Web Clipper is 6.3.1

 

I deleted the old Clipper extension using Safari preferences and downloaded the new one, re-started Safari and now the Clipper is working as before.   Thanks for the fix.

 

It's baaack!   MInd you, double tap or sometimes triple tap on the EN icon in the Safari browser seems to make it work again as it did before.   I can live with this but it is certainly not elegant.    

 

I'm also bothered about the lack of acknowledgement of the problem by EN.   I would like to see the following questions addressed officially by EN:   Do you believe there is a problem within EN regarding web-clipping in Safari?   If yes, what do you believe are the most likely causes and are you addressing them.   If not, please explain why not. 

 

The people in this forum are all operating in good faith and want to help you improve your product where we are finding it weak/buggy.   Please respect us by addressing our concerns in a meaningful way.

Link to comment

Take a look at this screenshot, while I had the developer error console open. According to the errors, this page should not be allowed to be clipped, yet I am clipping it.  There are also some simple issues like missing files in the extension which should be easy to solve and get a release out.  I think the entire extension could be cleaned up.  Any change EN wants to release an un-obfuscated version of the extension?  Without that, the code is very hard to follow and see if others can contribute to this issue or at least track down why it is so inconsistent.

 

http://dl.dropbox.com/u/340087/drops/04.07.15/Screen%20Shot%202015-04-07%20at%204.43.37%20PM-d1-164627.png

Link to comment

Sorry for the multiple posts. I also don't agree with EN's statement that there is nothing they can do about this.  In my research, plug-ins and bookmarklets are supposed to be safe from CSP, but you will have to change your code style to make it work: e.g. no inline JS.

 

https://github.com/blog/1477-content-security-policy

 

 

 
Bookmarklets

As made clear by the CSP spec, browser bookmarklets shouldn't be affected by CSP.

Enforcing a CSP policy should not interfere with the operation of user-supplied scripts such as third-party user-agent add-ons and JavaScript bookmarklets.

http://www.w3.org/TR/CSP/#processing-model

Whenever the user agent would execute script contained in a javascript URI, instead the user agent must not execute the script. (The user agent should execute script contained in "bookmarklets" even when enforcing this restriction.)

http://www.w3.org/TR/CSP/#script-src

But, none of the browsers get this correct. All cause CSP violations and prevent the bookmarklet from functioning.

Though its highly discouraged, you can disable CSP in Firefox as a temporary workaround. Open up about:config and set security.csp.enable to false.

Extensions

As with bookmarklets, CSP isn't supposed to interfere with any extensions either. But in reality, this isn't always the case. Specifically, in Chrome and Safari, where extensions are built in JS themselves, its typical to make modifications to the current page which may trigger a CSP exception.

The Chrome LastPass extension has some issues with CSP compatibility since it attempts to inject inline <script> tags into the current document. We've contacted the LastPass developers about the issue.

 

Link to comment

We pushed an update on March 31 to fix the reported issues when the CSP notice fired off too easily. If this continues to be a problem for you please let me know by posting here on this thread. 

 

Latest version for Safari Web Clipper is 6.3.1

I deleted and then reinstalled 6.3.1.  I still have to click the web clipper button twice on some pages for the web clipper to work.  

Link to comment

This page:https://medium.com/conversations-with-tyler/peter-thiel-on-the-future-of-innovation-77628a43c0ddshould not load the clipper, if you open the developer menu and the Error Console, you will see a ton of content errors.  The strange thing is they are 100% fonts that are causing this, for some reason, the page is requesting the font from within the safari extension package.  I don't know if the site itself needs to fix this, perhaps with using the src="///path/to/font" style formatting, or if in the extension, they can simply add that in themselves.  I don't see why the fonts are being called out of the Extension.

Not 100% of the content errors are fonts. There is one for global_tools.html which is the page for the UI of the Clipper. Medium is blocking this page from loading because it violates its CSP so the Safari Clipper cannot clip Medium pages. The page is not loading fonts from the extension, the extension is loading the fonts for some UI that it needs.

 

If you want to test if a site has this protection on or not, to see if it really is CSP, open your terminal and type "curl -I https://medium.com/conversations-with-tyler/peter-thiel-on-the-future-of-innovation-77628a43c0dd"( without the quotes ), you will see a line that looks like this:

Strict-Transport-Security: max-age=15811200; includeSubDomains

 

I believe that is the CSP, if you try the same on another domain that I have had issues with that are intermittent:

curl -I http://www.nytimes.com/2015/01/14/arts/music/a-concert-hall-in-paris-aims-to-bridge-divides.html

As far as I can tell, there is no CSP, and the developers log shows only basic errors that are not show stoppers, unless the clipping plug-in tries to halt on any error whatsoever, though I'm probably yet to load a page in this heavy JS world that didn't generate at least one small error of undefined or similar here and there.

Strict-Transport-Security is not the correct header that determines if a page has a CSP. The correct header is Content-Security-Policy. The example you use has this:

Content-Security-Policy:default-src 'self'; connect-src https://localhost https://fierce-escarpment-8017.herokuapp.com https://*.instapaper.com https://getpocket.com https://medium.com:443'>https://medium.com:443 https://*.medium.com:443'>https://*.medium.com:443 https://medium.com https://*.medium.com https://*.algolia.io 'self'; font-src data: https://*.amazonaws.com https://*.gstatic.com https://dnqgz544uhbo8.cloudfront.net https://use.typekit.net 'self'; frame-src chromenull: https: webviewprogressproxy: 'self'; img-src blob: data: https: 'self'; media-src https://*.cdn.vine.co https://d1fcbxp97j4nb2.cloudfront.net https://gomiro.medium.com 'self'; object-src 'self'; script-src 'unsafe-eval' 'unsafe-inline' about: https: 'self'; style-src 'unsafe-inline' data: https: 'self'; report-uri https://csp.medium.com
There is a second way of seeing a page's CSP. The page owner can put this tag into the HTML:

<meta http-equiv="Content-Security-Policy" content="default-src https://cdn.example.net; child-src 'none'; object-src 'none'">
so if you don't see the Content-Security-Policy line in the curl result, you should check the HTML of the page for that meta tag.

 

Take a look at this screenshot, while I had the developer error console open. According to the errors, this page should not be allowed to be clipped, yet I am clipping it.  There are also some simple issues like missing files in the extension which should be easy to solve and get a release out.  I think the entire extension could be cleaned up.  Any change EN wants to release an un-obfuscated version of the extension?  Without that, the code is very hard to follow and see if others can contribute to this issue or at least track down why it is so inconsistent.

 

http://dl.dropbox.com/u/340087/drops/04.07.15/Screen%20Shot%202015-04-07%20at%204.43.37%20PM-d1-164627.png

Your screenshot does not show any CSP errors. The first red line is for a request that the page tried to make that failed because it violates the same origin policy, which is a security policy but is not the same thing as CSP. The next red line does come from the Clipper, but it is a result of a Safari bug. Safari reports that it cannot find a file, but it actually does find it. That particular file is responsible for displaying the text in the Clipper UI, so if it didn't find the file, then you would not be able to see any text in the Clipper UI. The line at the bottom says that the site is loading assets from an insecure location (i.e. not https) even though the site is secure (a https URL). Browsers consider it unsafe if a secure site has parts from an insecure site, so they try to warn the site owner about it. Since none of the warnings/errors in your screenshot indicate that the site has a restrictive CSP, the Clipper is able to handle that site.

 

Sorry for the multiple posts. I also don't agree with EN's statement that there is nothing they can do about this.  In my research, plug-ins and bookmarklets are supposed to be safe from CSP, but you will have to change your code style to make it work: e.g. no inline JS.

 

https://github.com/blog/1477-content-security-policy

 

 

 

Bookmarklets

As made clear by the CSP spec, browser bookmarklets shouldn't be affected by CSP.

Enforcing a CSP policy should not interfere with the operation of user-supplied scripts such as third-party user-agent add-ons and JavaScript bookmarklets.

http://www.w3.org/TR/CSP/#processing-model

Whenever the user agent would execute script contained in a javascript URI, instead the user agent must not execute the script. (The user agent should execute script contained in "bookmarklets" even when enforcing this restriction.)

http://www.w3.org/TR/CSP/#script-src

But, none of the browsers get this correct. All cause CSP violations and prevent the bookmarklet from functioning.

Though its highly discouraged, you can disable CSP in Firefox as a temporary workaround. Open up about:config and set security.csp.enable to false.

Extensions

As with bookmarklets, CSP isn't supposed to interfere with any extensions either. But in reality, this isn't always the case. Specifically, in Chrome and Safari, where extensions are built in JS themselves, its typical to make modifications to the current page which may trigger a CSP exception.

The Chrome LastPass extension has some issues with CSP compatibility since it attempts to inject inline <script> tags into the current document. We've contacted the LastPass developers about the issue.

You are right, the CSP spec says that extensions should not be affected by the CSP, but the different browsers don't all implement specs the same way. However, this is not a simple issue of just changing the code style. The Clipper does not use inline JS and there are plenty more ways to run into problems with a page's CSP. The problem that the Clipper has is that it tries to load all of its UI in iframes. A page can block this by specifying a CSP like

frame-src 'self';
. This CSP states that iframes can only load URLs from its own domain, which obviously excludes pages that are inside of extensions. The spec says that this rule shouldn't apply to extension pages, but Apple/Safari chose not to implement it that way. Google/Chrome on the other hand, does follow this rule, so that is why the Chrome Clipper can run on any of the pages mentioned in this thread, but the Safari Clipper cannot. Now you may ask, why doesn't Evernote change their code style to avoid using iframes? The the UI of the Clipper contains private user information, such as notebook names and tag names, that I'm sure users wouldn't want anyone outside of Evernote to know. Placing this information in an iframe is the only way to protect it from the page because of the browser's same origin policy. The same origin policy blocks the page from seeing what's inside of iframes that are loading content from a different "origin" (domain, site). For example, if you were trying to clip a recipe from a cooking site, you wouldn't want that random cooking site to know all of your notebook and tags name. Even if you completely trust the cooking site, it could get hacked by a malicious entity who does find value in your notebook and tag names. By loading the Clipper into iframes, the hacker would be unable to scrape your Evernote information. Evernote could remove all personal information from the UI, but it would not be as good or as efficient of a user experience.
Link to comment

My experience with this problem is that it's intermittent. Comes and goes.

 

But I do not view this as a Safari problem and I do not believe that workarounds are acceptable solutions even if they work. 

 

This is clearly an issue that belongs to the Evernote group. This product is billed as working with Safari (and was sold to me as such). It is not Apple's responsibility to design around Evernote; it's Evernote's responsibility to keep pace with any and all changes made to Safari that might effect the program. 

 

Maybe it's time to step up and get this fixed on your side Evernote.

Link to comment

Thank you cchan for the information, I really appreciate it.  I would like to comment on your information in addition to the above comment by Richard Harrison.

 

While on a technical level, I don't 100% agree with Richard Harrison ( RH ), he is right in that it is sporadic.  Every time someone posts here that the clipper is not working, and to be honest ,EN is a near valueless product to myself and many others without the clipper, we are told it is CSP just because there is a CSP header.  But that CSP header could be wide open.  It can't be CSP and be intermittent unless the CSP header itself it intermittent, though that should require a page reload.

 

If any large site turned on CSP site wide, the world would break until they disabled it.  Even just SSL is going to be an issue for a huge percentage of people.  Developers whitelisting their domains so only they can talk from one host to another, so only they can xss, and they get complacent, and say ***** it, I know this is xss but everyone is on CSP now.  And out pops the older browsers and you are toast.  CSP was not thought out well before implemented, and EN should have been there as a coach as should have Instapaper and pinterest and any other company that relies on their apps using extensions and bookmarklets.  Safari is extra unfortunate in that it's runtime is JS so the extension itself is going to run into issues often, but there will be workarounds.

 

I suspect this will get big.  Google for "CSP and Safari" now and this thread is up at the top, in 6 months, there will be a lot of noise when chrome and safari both dump a browser update that breaks pinterest or all the "share this" stuff out there.  Does this mean Facebook can't track you via the "like button" anymore?

 

I noticed in some of your examples that some sites are whitelisted, like Instapaper for example.  While they are well known, I would think EN is larger, but are we really going down this road of page specific whitelists for CSP to work with each and every application out there?  At the very least, the browsers need an "Exclude this application from CSP" or something like that — something more granular than just on/off.  CSP has a error logging feature, perhaps you could release a version of the Safari Ext that has it enabled and we can start working on the issues?  Or better yet, just Open Source the extensions.  Every one of them can easily be opened and read as plain code if you were to stop obfuscation unless it is just minification that is making it look so obfuscated.  I think the community of users out there would be pleased to work on this. Only accept bug fix changes if you want, so you control the UI and feature set.  There is very little stopping someone from writing their own Safari Extension for EN and even selling it.

 

CSP is still a working draft from what I understand.  Perhaps EN should get on the board of the working group and be there to make sure things don't go awry.  If I have this correct, and CSP is fully adhered to by the browser, then EN will no longer be the app it is, but will be an app that you have to apply 4 step workarounds to everything to probably get a larger than need be pdf imported.  With that in mind, what do we have, 6 months before EN is reduced to an IMAP email client without a lot of the features?

 

CSP's spec states it will not interfere with bookmarklets and extensions.  If it is, then whoever implemented it in the browsers should fix it. Chrome: can't EN join the OSS project and fix it?  Web-kit, not sure where OSS and Apple Stand.  FireFox, I don't know what to say, I want to use that browser but can't due to the terrible extension it has.  I truly wish EN would concentrate on application parity across the board.  Mobile of course being a little different, but as little as possible.  Having the windows and mac versions be different is something that I thought was rare in software desktop Mac apps.  It was always an argument point against android for me, in that the apps didn't have parity and just felt "off".

 

I can see the value in the post it notes and other things that integrate with EN, but the store thing is sort of strange.  I came here and got a different impression about EN that I should have, less than ideal as a result of "The Market".  You are a brand, yes, but not that kind of "brand".

 

I can't use the photo aspect of EN on an iPhone 4s because it crashes.  This is apparently because of not enough memory, and if I close all my apps to release that memory, it may work.  I thought open apps in the background went into nap mode on the phones, and did so aggressively?  At any rate, I just restarted my phone and as long as EN is the first app i use, I can take a pic in the app.  Regardless, so it is memory, you can't imply "oh, that is apple's fault.".  You released an app with a button, that button doesn't disappear on a 4s, it doesn't change to say 5 and greater only, it is there asking me to use it at any time I want.  However you choose to deal with it, there is a crash as a result, crashes lead to corruption, hacking, and many other issues aside from user frustration.

 

In the end, I can't say I disagree with RH much at all, EN needs to step up their game, no matter who they can point a finger at, stop, and start fixing things on your end.  And as a small closing comment, your free tier is way to shallow on storage, and your paid tiers are way to expensive.  We are entering an era where we are getting 10-25 dollared to death.  Netflix, dropbox, backup, HBO, Apple, Spotify, Evernote, BankSimple. ,etc etc.  If Amazon charges a fraction of a penny for a GB, maybe $50 could get us a year unlimited?  I say the same to dropbox as well, even more, as I know they use S3 on Amazon so we all know what they pay, even though Im sure they pay less on that volume. That's not even wholesale bandwidth fee's either.  I thought my fellow software friends that I grew up around would save us all from the $100 limited LTE ***** with get, our terrible ISP's etc, it seems more and more companies are jumping on the boat they so disposed in their youth.

Link to comment

The OneNote web clipper works just fine on pages Evernote complains about the CSP, which suggests to me that Evernote should be able to find a solution to this too...

 

I would say it is just hit or miss.  There are a ton of false positives that EN is calling CSP.  That needs to be fixed.  Just the case of being able to click 2x and get it working tells you it is an EN bug and we can't start pointing the finder at CSP until EN reliably determines a page is using CSP AND that the CSP is blocking EN in some way.  Just the presence of CSP is not enough to block, it depends on how it is set up.  If they can log a note to what the CSP rule is that was broken, then we can use command line tools and viewing the source code of the page to confirm if it was CSP or not.  In most cases, CSP will be added as an http header at the server level, though those who can't will add it via a meta tag in the HEAD of the HTML source.  When it is added to the headers, you can't see them without looking at the TCP stream data, or using something like curl -I to grab just the headers of the URL.

 

It is a shame the EN is just flat out blaming this ALL on CSP.  Without their clippers, their app becomes significantly less useful.  in my case, without the clipper in Safari, EN is a non useful product to me.  I only web clip, at least, 99% of the time.  The rest, that is stuff on my local file system and I have no need to put it in EN.  Sometimes I will use the create new note feature of the menu bar, but in most cases, it is the web clipper.

 

It would be so nice if the web clipper could be told to run the url through an RSS to full page text resource.  Then you can make a bookmark of the page, but it will import the entire page and all the text data so you can read it offline.  Right now, I use Instapaper to create a bookmark with a bookmarklet. That item gets put in a special folder in Instapaper.  The a web service called Zapier which is just like IFTTT but it actually works and runs every 4 minutes and has solid error logging.  Zapper connects to Instapaper, grabs the RSS feed to the folder where i have been bookmarking stuff, sends that URL to a full text RSS service, then sends that to Evernote and imports it with a defined set of tags in a defined notebook.

 

It is a very fast way for me to take a page on the web and make a read for later type of note out of it.  All the images will be embedded, all the text, not just a summary will be saved.  It is pretty nice.  There are a few sites where you can't get the entire full text as they don't have a proper RSS feed, such as reddit comment pages and other sort of "not really good to read offline anyway" type of sites.

 

Take a look at Zapier, it has a ton of things you can do to pass data through many services into Evernote.

Link to comment

My question is this: 
 

Will the web clipper in Safari work reliably again, as it used to, any time in the near future, or do I need to just abandon evernote for this purpose and switch to something else? 

 

I'm probably not going to totally switch browsers just to keep an extension working. This is something that evernote and safari programmers need to work out, or the software is just useless.

Link to comment

Who knows if/when the Web Clipper will work as well as it used to in Safari. I'm not ready quite yet to abandon Evernote, but paying for Evernote Premium is looking less worth it. And my admiration for Evernote as a company has taken a major ding.

Link to comment

This page:https://medium.com/conversations-with-tyler/peter-thiel-on-the-future-of-innovation-77628a43c0ddshould not load the clipper, if you open the developer menu and the Error Console, you will see a ton of content errors.  The strange thing is they are 100% fonts that are causing this, for some reason, the page is requesting the font from within the safari extension package.  I don't know if the site itself needs to fix this, perhaps with using the src="///path/to/font" style formatting, or if in the extension, they can simply add that in themselves.  I don't see why the fonts are being called out of the Extension.

 

If you want to test if a site has this protection on or not, to see if it really is CSP, open your terminal and type "curl -I https://medium.com/conversations-with-tyler/peter-thiel-on-the-future-of-innovation-77628a43c0dd"( without the quotes ), you will see a line that looks like this:

Strict-Transport-Security: max-age=15811200; includeSubDomains

 

I believe that is the CSP, if you try the same on another domain that I have had issues with that are intermittent:

curl -I http://www.nytimes.com/2015/01/14/arts/music/a-concert-hall-in-paris-aims-to-bridge-divides.html

As far as I can tell, there is no CSP, and the developers log shows only basic errors that are not show stoppers, unless the clipping plug-in tries to halt on any error whatsoever, though I'm probably yet to load a page in this heavy JS world that didn't generate at least one small error of undefined or similar here and there.

Link to comment

I am really frustrated that Apple changed their policy about the Safari web clipper so that it is now totally useless. I think we should all let them know how upset we are about this at: apple.com/feedback

Link to comment

We are aware of a problem with too many false positives on the dialog that 'warns about CSP problems' just like @GreyGray mentioned in his post earlier in this thread. There are not that many sites that have CSP settings that currently blocks us and it's a bug in the clipper that shows the 'warning' dialog much too often. 

 

IF you suspect this may be happening to you then clicking the toolbar button a second or sometimes a third time will get the clipper running. 

 

We have a fix for this that will be released in the next few days. Very sorry for the inconvenience. 

Link to comment

We are aware of a problem with too many false positives on the dialog that 'warns about CSP problems' just like @GreyGray mentioned in his post earlier in this thread. There are not that many sites that have CSP settings that currently blocks us and it's a bug in the clipper that shows the 'warning' dialog much too often. 

 

IF you suspect this may be happening to you then clicking the toolbar button a second or sometimes a third time will get the clipper running. 

 

We have a fix for this that will be released in the next few days. Very sorry for the inconvenience. 

Thanks.   I appreciate the acknowledgement of the problem and the approximate time for a fix.

Link to comment

One could start by fixing the clipper on a Wikipedia. It's a commons based site so it doesn't make sense that you cannot clip from the site. 

Funny, Wikipedia pages clipped on first attempt for me.  I just tried it.   In fact, I've noticed more pages are working on first clip-click in the last couple of weeks.  When they don't, the 2nd click almost always does it.  I still don't have confidence that all is well but lately I am never stopped from clipping anything.

Link to comment

Wikipedia clipped on the second click for me. I've also noticed that recently more pages are working on first or second clip-click.  Improved perhaps but still not reliable like it used to be.

Link to comment

Might this be part of the problem?


I've found that Web Clipper tries to connect to Yinxiang, the Chinese Evernote service, every now and again.


If it is pinging yinxiang, and receiving no response, would that cause it not to clip?


 


Below is a post I made in the Web Clipper help section regarding my concerns a few days ago.


 


 


Hello folks.


 


Sorry if I am reposting an old issue but the search facility on this forum seems to be down.


 


I am using Evernote WebClipper on Safari and although I am based in the UK, the WebClipper app is constantly trying to connect to the Chinese site Yinxiang.


According to Little Snitch, it attempted to connect over 200000 times in the last hour.


I am aware this is an Evernote service but am a little concerned that my data is being stored on Chinese servers despite this affirmation from the Evernote blog.


 


It states that;


'This still leaves the question of government access. The laws and practices controlling data stored on servers in China are evolving rapidly and Yinxiang Biji will comply with Chinese regulations applicable to the service. This means users of Yinxiang Biji should be aware that Chinese authorities may have the right to access their data according to current regulations.


The existing Evernote service will continue to operate out of servers located in California under the protection of US privacy laws'.


Source : http://blog.evernote...hinese-service/


 


I contacted Evernote Customer support and was informed that


    'Non-chinese customers' data are stored on our servers in the US, but I can't say what level of access, if any, the Chinese government has to our servers in China. Sometimes our apps signals can get crossed and try to access the wrong            server. This is especially common if using a VPN or Proxy server.'


 


I use neither a VPN nor a Proxy server.


I uninstalled and reinstalled the WebClipper app as requested which worked fine for a while but is now back to it's old habit of sometimes trying to connect to Yinxiang.


 


Am I being a touch paranoid or is there something to be concerned about here? 


 


Regards.


 


Mik


Link to comment

The web clipper has been flaky for me in Safari ever since it got updated with all the related notes etc stuff. Sometimes it worked, sometimes it didn't and since Yosemite it has been dead. Enabling the dev menu (many thanks for this workaround!!!) worked for me. The other thing that seems to be working is an old javascript bookmarklet:

 

javascript:(function()%7BEN_CLIP_HOST='http://www.evernote.com;try%7Bvar%20x=document.createElement(SCRIPT');x.type='text/javascript';x.src=EN_CLIP_HOST+'/public/bookmarkClipper.js?'+(new%20Date().getTime()/100000);document.getElementsByTagName('head')%5B0%5D.appendChild(x);%7Dcatch(e)%7Blocation.href=EN_CLIP_HOST+'/clip.action?url='+encodeURIComponent(location.href)+'&title='+encodeURIComponent(document.title);%7D%7D)();
Link to comment

 

The web clipper has been flaky for me in Safari ever since it got updated with all the related notes etc stuff. Sometimes it worked, sometimes it didn't and since Yosemite it has been dead. Enabling the dev menu (many thanks for this workaround!!!) worked for me. The other thing that seems to be working is an old javascript bookmarklet:

 

javascript:(function()%7BEN_CLIP_HOST='http://www.evernote.com;try%7Bvar%20x=document.createElement(SCRIPT');x.type='text/javascript';x.src=EN_CLIP_HOST+'/public/bookmarkClipper.js?'+(new%20Date().getTime()/100000);document.getElementsByTagName('head')%5B0%5D.appendChild(x);%7Dcatch(e)%7Blocation.href=EN_CLIP_HOST+'/clip.action?url='+encodeURIComponent(location.href)+'&title='+encodeURIComponent(document.title);%7D%7D)();

 

 

 

 

After a long period of on-again off-again performance, Web Clipper has been working perfectly for me in Safari for quite a while now.  I've got the latest version of Evernote and the latest version of OSX and IOS.   It was really frustrating when it didn't work because I use EN a lot.  Sorry I can't think of any suggestions...

Link to comment

Hello,

I would like to thank everyone for their suggestions here. I was using Chrome + Evernote Web Clipper on Yosemite, but recently switched over to Safari. I also encountered some of the ancillary issues mentioned here about the Safari clipper not working; not loading, whether CSP was the issue, etc. 

I wanted to briefly share my experience, in case someone else benefits from it.

 

I sometimes clip emails from Gmail into Evernote. On my first attempt, I received the "spinning wheel of nothing." I reloaded the page, and tried again. Same thing. I reloaded the tab, enabled the Error Console via Safari's Developer menu, and tried again. I received a number of errors related to font files, as was mentioned in another message. Very bizarre.

I have multiple Gmail accounts, so I tried clipping an email from another account. To my surprise, the email clipped.

I went back to the first Gmail account, tried again. Spinning circle.

Instead of reloading the tab with the troublesome Gmail account, I closed its tab and opened a new tab, to load the account.

Success! Emails can now be clipped.

 

Note: In between these debugging sessions, I started / restarted Safari numerous times to reload the existing tabs. It seems to me like the Gmail tab that was giving me difficulty had some sort of information it was reloading on ever browser restart.

 

Link to comment

Problem I believe I'm having is that the Clipper locks up Safari 10.,1 running on Mid-2010 iMac with Yosemite, as well as the entire machine.  I had noticed this happening several times.  Reinstalled the system.  Installed the Clipper.  Got machine freezes.  Deleted the clipper from Safari extensions and all seems well at this point.  Instead of clipping, I just use print and direct the print job to Evernote or email the page to EN.  I have no idea if the integration with Google is causing this, but I have taken Google Drive off all my machines because of system slowing to a crawl with the Drive active.  I regularly dump all browsing history and cookies as these accumulate and slow the system.  Apple keychain keeps most of what I want as well as bookmarks.  I did have iCloud Drive installed and that also slowed everything to a crawl.  Noticed that iCloud drive was storing everything at near-root in the Library, which took a lot of processing power.  Now, the old iMac breathes free again.  I had also taken the machine all the way to Sierra but have found Yosemite is a much better performer than any later OS for this old desktop.

Link to comment

Thanks, Thaddeus. I don't sign in with Google as I don't trust it. I even changed to DuckDuckGo for a search engine. I'm running early-2010 MacBook Pro with OS X 10.9.5; Safari 9.1; and I too dump my Safari Preferences (cookies) after each session. (sometimes empty cache). I've found lately that Clipper is working better, but still hangs occasionally. I do have to sign in with each new session, but I've learned to be patient with that. I want to upgrade to Yosemite, but I'm reluctant. My machine is still very slow and I fear it getting worse—would have to upgrade Safari also.

Link to comment

I just noted you can ctrl/right-click and select "Save full page to Evernote" and that works.

 

 

 

A very simple workaround that works for me in Safari on a Macbook: at the first click on Evernote Webclipper I get the notification. At the second click I get the usual screen and can save whatever I choose.

 

Thanks Dees and raenur. 

Both of the workarounds worked for me as well! 

On my iMac. 

Link to comment

I will second that emotion, jmichael. It is frustrating to have the clipper not work and spend a lot of time searching to finally come up with a clear answer on the issue.

 

Please save everyone's time and get the news out that web clipper won't work in Safari so we can all decide our work arounds it until it does! Thanks.

Link to comment

But it can't be the CSP policy causing the web clipper refusal message  because right now every page in Safari 8.0.4 is getting the same rejection when I click the elephant head.   That includes this page, apple.com pages, etc.   That would suggest that he Safari web clipper is looking for something too common on which to base its' rejection.  

 

As others have noted the problem does not exist with Chrome but Safari is my preferred browser.

 

Thanks you vas for your right-click suggestion.  That copies the page to evernote and even subsequently the elephant head selection gets rejected.   

Link to comment

I am getting CSP messages seemingly at random.  For the same page that using the icon gives the message, the keyboard shortcut works.  For other pages it is the reverse.  Sometimes I just need to try more than once with the same method!  What the...?  My problems have just started, a few days ago, so I think they are tied to the March 20, 2015 Safari and Security updates.  I am running Yosemite (10.10.2)

Link to comment

I just noted you can ctrl/right-click and select "Save full page to Evernote" and that works.

I ran into this issue twice today. On one site, absolutely nothing happened when I clicked the Evernote web clipper button.  hitting Ctrl/Right-click and selecting "Save full page to Evernote" did not work there either. 

 

On another site, the 'error' window appeared when I clicked on the Evernote web clipper button (which sent me to this discussion thread, thankfully), and there, the "save full page to Evernote" trick did work.   

Link to comment

i've run into this frequently the last few days. anyone have a button we can install on safari that can take us to chrome and pre-populate the address there?

 

on second thought, i can't be bothered. tools that don't work as required get replaced.

 

as we speak, making google chrome my primary browser with apple safari as secondary.

Link to comment

I just had this problem for the first time on Safari.

 

Right click and Save full page to Evernote works saving the full page with actual formatting, the title of the note being the title of the page.

 

Open the page in Evernote from the Develop menu also works but saves a RTF/text version, the title of the note being the URL of the page.

 

Just choose the one you like until is solved… or forever  :)

 

ETA:

PS. forgot to say thanks for the tips! :rolleyes:

Link to comment

A very simple workaround that works for me in Safari on a Macbook: at the first click on Evernote Webclipper I get the notification. At the second click I get the usual screen and can save whatever I choose.

Link to comment

A very simple workaround that works for me in Safari on a Macbook: at the first click on Evernote Webclipper I get the notification. At the second click I get the usual screen and can save whatever I choose.

That works for me too.   A good intermediate fix until Evernote fixes this.   Thanks Dees.

Link to comment

We pushed an update on March 31 to fix the reported issues when the CSP notice fired off too easily. If this continues to be a problem for you please let me know by posting here on this thread. 

 

Latest version for Safari Web Clipper is 6.3.1

 

I deleted the old Clipper extension using Safari preferences and downloaded the new one, re-started Safari and now the Clipper is working as before.   Thanks for the fix.

Link to comment

Thanks for the discussion and workarounds everyone. I'm liking clicking the WebClipper more than once, which has also worked for me. But it's nice to have alternatives just in case. Hoping Evernote will fix this glitch soon.

Link to comment

This is really not cool.  It is happening more and more often. I just want to clip an email message.  Onenote can clip them.

I just tried clipping an email from gmail in my Safari browser and you are correct, it doesn't work.  However, 2 of the workarounds suggested here did work.  1) print ->pdf -> save to evernote, and 2) clicking the elephant icon in the browser 2 times.  The first time it says it can't copy, the 2nd time it pops up the web clipper.   Not ideal, but workable.

Link to comment

I just tried clicking clipper button twice, and at least on this particular page it worked. To me, this is an indication that it is not safari but, the evernote extension. Perhaps a safari update broke the extension. I can't correlate an update with clipper starting to issue these errors, but that would make the most sense. The majority of pages I try to clip in safari recently have stopped working.

 

Thanks to all who offered the work arounds.

Steven

Link to comment

 

A very simple workaround that works for me in Safari on a Macbook: at the first click on Evernote Webclipper I get the notification. At the second click I get the usual screen and can save whatever I choose.

That works for me too.   A good intermediate fix until Evernote fixes this.   Thanks Dees.

 

 

 

 

I just noted you can ctrl/right-click and select "Save full page to Evernote" and that works.

 

 

 

A very simple workaround that works for me in Safari on a Macbook: at the first click on Evernote Webclipper I get the notification. At the second click I get the usual screen and can save whatever I choose.

 

Thanks Dees and raenur. 

Both of the workarounds worked for me as well! 

On my iMac. 

 

Yep, the double-tap is working for me too.  Not ideal but my workflow is not adversely affected but the extra action, especially as I am using the keyboard shortcut.  I hope a proper fix is issued soon though.

Link to comment

Thanks,   Dees. This work-around is the only one that worked for me on my MacBook Pro. And thank goodness. I just upped my subscription to Premium because I knew I'd be doing a lot of genealogy research in the next month and this was really bumming me out! I've found the problem increasing daily until today it was every single time I tried to use Web Clipper. 

Link to comment

I was getting this problem on every page I tried to clip.  The workaround of clicking twice seemed to work.  However , on the advice of Evernote Support, I deleted and reinstalled the clipper extension.  That seems to have solved the problem.

Link to comment

We pushed an update on March 31 to fix the reported issues when the CSP notice fired off too easily. If this continues to be a problem for you please let me know by posting here on this thread. 

 

Latest version for Safari Web Clipper is 6.3.1

Link to comment

I am using Safari on Macbook Pro, and noticed that selecting any piece of text within the site before clicking the clipper usually works. Just have to change from saving selection to whatever you need.

Link to comment

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...