Restore bookmarklet to Zotero saving #63
Comments
|
Some additional work would also be necessary to do Let's Encrypt validation on a domain that resolves to 127.0.0.1: http://security.stackexchange.com/a/121187 |
|
Are we sure this is still necessary? Seem to special-case 127.0.0.1 as a secure context. |
|
Oh, interesting — maybe not. We should test this and remove the block anywhere it actually works. |
|
I'm missing something here. I'm on Chrome, testing the bookmarklet saving to Standalone and am not seeing any issues. How do you reproduce this? |
|
Are you sure you're not seeing saving to server? As far as I know saving to the client is disabled in the bookmarklet. If I try from an unauthenticated browser I just get an iframe with a Zotero login page. |
|
So we'll need a connector server over HTTPs for Safari support, since we cannot continue with the connector and Safari does not consider 127.0.0.1 a secure context afterall.
This is not an option since we'd have to embed the private key within Zotero, which is grounds for cert revocation. This leaves us with few and kinda awful options:
|
|
We can rule out (1). We're not going to mess with the OS certificate store. I'm not understanding the mechanism on (2). (3) we should be able to do (though not for an initial release). For the cross-domain issue, it's not "most" translators, is it? I would think most translators would work fine, but some that depend on, say, DOI lookups would fail, right? But for those, the Zotero API already has (undocumented) support for adding via a URL, and I thought we were already using that in the bookmarklet at some point by passing a |
|
(2) Is just proxying bookmarklet requests to the zotero client via zotero.org.
The Amazon translator is the only one that uses this, since translators have to return "server" for the mechanism to trigger.
I guess I was a bit preemptive on this one. We currently rely on the
This would be great. |
Ah, I see what you mean. That seems complicated, and we'd need some mechanism to link a given connector to a given client, and the main difference from server-based saving would be access to a PDF, which the client could add afterwards anyway.
Oh, weird. I had no idea that was a thing. Shouldn't that also be used when |
The currently published bookmarklet just falls back to the next supported translator. We could change that. Presumably this was done back in the day to save network traffic? |
|
Hmm, that's an interesting question: when the client isn't available, is it better to use server-side translation or a lower-priority translator? I guess the latter is fine, particularly as we add the ability to enhance metadata afterward in the client. |
Often this will mean saving the page as a website, especially for more obscure journals. If we can afford to run translation on the server I think we should. |
https://forums.zotero.org/discussion/comment/215935/#Comment_215935
It's possible we could get this to work by running the connector server over HTTPS on a different port with a Let's Encrypt cert and having the bookmarklet try to connect to https://local.zotero.net, which would serve an A record for 127.0.0.1.
This is only relevant for people who 1) can run the client and 2) don't want to run a connector-enabled browser, so this is far from a priority, but it would probably be easy to do in Electron.
The text was updated successfully, but these errors were encountered: