Online Banking and Allow Scripts Globally

[coltswalker]

I am unable to use my bank's online banking at all when the NoScripts plugin is enabled, even if I use the "Allow Scripts Globally" option. Basically, when NoScripts plugin is active, I cannot login to online banking. It is as though I am using the wrong username / password, even though I have verified correct (failed login attempt message). If I disable the NoScripts plugin (requires Firefox restart) then online banking works correctly (I am able to login).

As much as I would like to test and try to pin down exactly what in NoScripts is causing the issue, continued failed login attempts locks me out of online banking for 48 hours, and I can't have that. Also, for security I cannot divulge details about the online banking. Just know it is a common online banking provider that is used all over North America.

It sucks to have to disable the NoScripts plugin just to do online banking.

I will assist if you can address this issue / shortcoming with NoScript.

I wonder what particular element of NoScripts that remains active when "Allow Scripts Globally" is selected that prevents the successful login. I am aware that certain elements of NoScripts is always active because I researched it in this site prior to my post. I was unable to discern which element might be culprit.

[therube]

Hard to assist if you cannot even provide the bank name.

[coltswalker]

It shouldn't be difficult to assist.

NoScript is obviously inhibiting something. I said I am willing to assist. I have finished my banking for today. If developer/coder wants me to try something and report the results here I will.

[Tom T.]

It shouldn't be difficult to assist.

It's impossible if we can't reproduce the issue, or even look at the site, even without having login creds.

If developer/coder wants me to try something and report the results here I will.

How do we know what to tell you try? We don't know what the problem is.

Also, for security I cannot divulge details about the online banking. Just know it is a common online banking provider that is used all over North America.

I have accounts at several banking providers that are used all over North America. I may have an account at yours. Then I can log in and see what's happening.

I don't really see the risk in an anonymous user saying "Wells Fargo", "Bank of America", "JP Morgan Chase", "USAA", "Vanguard", "ING Direct", etc., but if you like, PM me the name of the bank. It will be kept in strictest confidence. I have been a Moderator here since this site was started almost three years ago. You have entrusted Giorgio Maone with virtually complete control of your browser via the NoScript tool. You should probably also trust his choice of Moderators, of which there are only four for all the world.

I am not asking for your login credentials, by any means.

The other thing that you could do is to attempt *one* login with NS enabled, then look in the Tools > Web Developer > Error Console. Click the red Error icon.
Copy all Error messages and paste them here. If anything is personally identifying, which it probably isn't, change the numbers or letters or whatever, so long as the Error is apparent.

Then click the blue Messages/Information icon. Look for those that start with [NOSCRIPT], [XSS], [ABE], or others that seem pertinent to NoScript.
Copy and paste them here also, please.

We would like to help you, but you can't ask a mechanic to fix your car without letting him look at it.

[guest 54]

Hi,

I do not use online banking, and this may not help at all, but thought I'd post anyway in case it does. It may be that you need to do the allow globally on the banking site First, then back out to a blank web page, remove your cookies, and go back to the bank site.

I do with this with hard to get in places.. allow first, and then the site doesn't let me in, back out totally and remove cookies and then go back in. Google maps is one that comes to mind that it occurs with.

Take care!

[Tom T.]

I do not use online banking, and this may not help at all, but thought I'd post anyway in case it does. It may be that you need to do the allow globally on the banking site First,

There is no good reason to Allow Globally *anywhere*. It's there for users who can't be bothered with script permissions, but still want NoScript's protections against clickjacking attacks, XSS, and the many other default protections that remain when Allowing Globally. Typically, a user who is happy with NS has a spouse/parent/child/significant other etc. who doesn't want to take a few minutes to learn to use this vital protection. So NS can remain enabled for them, while the careful user simply unchecks Globally Allow.

Show me a site where Globally Allow is the *only* way to make the page work.

then back out to a blank web page, remove your cookies, and go back to the bank site.

Example of a site where this is necessary and successful?

Forbidding third-party cookies is common among privacy-conscious users, and is very strongly recommended by this writer. If they never get set, there is no need to delete them. And again, what would this have to do with logging in to the bank sites that you've never used?

I do with this with hard to get in places.. allow first, and then the site doesn't let me in, back out totally and remove cookies and then go back in. Google maps is one that comes to mind that it occurs with.

Huh? I just went to maps.google.com. You can allow (or temp-allow) google.com and gstatic.com, but all you really need are maps.google.com and maps.gstatic.com (fine-tuning permissions). I then planned a trip from Los Angeles, California to New York, New York, and it worked perfectly, including zoom function, etc.

Cookies were *never* allowed. The site works fine.

[therube]

@guest 54

It certainly could be a cookie related issue, though I would think that simply deleting cookies would suffice, without going through the Allow Globally step.

Verizonwireless.com (vzw.com) is a site where I have found cookies are easily screwed up & in those cases, Allowing, dis-allowing, ... ends up only in frustration. (That parts of their website are flawed doesn't help matters.)

Show me a site where Globally Allow is the *only* way to make the page work.

Well certainly not the *only* way, but on some pages, like the recently visited http://www.washingtonpost.com/opinions/telnaes where it is such a PITA to figure out what is needed (for the video clip), Allow Globally (safety concerns aside) takes a lot of frustration out of the picture. (And it can make it easier to back into the needed combination, at times, too.)

[Guest]

I do not use online banking, and this may not help at all, but thought I'd post anyway in case it does. It may be that you need to do the allow globally on the banking site First,

There is no good reason to Allow Globally *anywhere*. It's there for users who can't be bothered with script permissions, but still want NoScript's protections against clickjacking attacks, XSS, and the many other default protections that remain when Allowing Globally. Typically, a user who is happy with NS has a spouse/parent/child/significant other etc. who doesn't want to take a few minutes to learn to use this vital protection. So NS can remain enabled for them, while the careful user simply unchecks Globally Allow.

Show me a site where Globally Allow is the *only* way to make the page work.

then back out to a blank web page, remove your cookies, and go back to the bank site.

Example of a site where this is necessary and successful?

Forbidding third-party cookies is common among privacy-conscious users, and is very strongly recommended by this writer. If they never get set, there is no need to delete them. And again, what would this have to do with logging in to the bank sites that you've never used?

I do with this with hard to get in places.. allow first, and then the site doesn't let me in, back out totally and remove cookies and then go back in. Google maps is one that comes to mind that it occurs with.

Huh? I just went to maps.google.com. You can allow (or temp-allow) google.com and gstatic.com, but all you really need are maps.google.com and maps.gstatic.com (fine-tuning permissions). I then planned a trip from Los Angeles, California to New York, New York, and it worked perfectly, including zoom function, etc.

Cookies were *never* allowed. The site works fine.

Hi Tom,

I never use globally allow, but the op did, and so I was just explaining using his criteria. I also don't allow 3rd party cookies. I was just telling the op something he might try to get in the banking site, as I have similar problems with google map and other sites..and it appears to only be the cookies which just need be removed. This may not help the op, but I thought it might possibly, or help others with similar problems and so I is why I posted.

[Guest]

@guest 54

It certainly could be a cookie related issue, though I would think that simply deleting cookies would suffice, without going through the Allow Globally step.

Verizonwireless.com (vzw.com) is a site where I have found cookies are easily screwed up & in those cases, Allowing, dis-allowing, ... ends up only in frustration. (That parts of their website are flawed doesn't help matters.)

Hi, Yes, I don't use globally allow, I wrote that only for the op, but when I go to google maps, I get there via google search, then I temp allow google.com when I'm in google maps, then I back arrow out to google search, and go back in to google maps and temp allow gstatic (cause it isn't there on reload), and then back out and remove cookies.. I believe is how i do it to get it working.. lol I'm glad you wrote you note that cookies can be a problem, as it does seem to be the only problem going in some sites at times. Thanks

[Guest]

oops.. I just found that it's not the cookies being a problem in the google maps case.. It's that gstatic doesn't show as needed until I go back out and come back in.

Just ignore my posts..

[Tom T.]

...It's that gstatic doesn't show as needed until I go back out and come back in. Just ignore my posts..

Will ignore most , but there's one good point to be made here:

In NS Options > General, check "Automatically reload affected pages when permissions change" > OK.
Now, when you visit maps.google.com (even with a fresh browser, not coming from Google.com), and temp-allow maps.google.com, the page refreshes, which calls the script from maps.gstatic.com. Allow that, and you're good to go. No "backing out" required.

If you use the map site frequently, you might like to add those two "maps dot" scripts to your Whitelist, in which case, maps should always work for you -- and without *any* cookies. Doing this is less permissive (more restrictive) than whitelisting google.com and gstatic.com, so that's how I'd go, if I used the site frequently. IMHO. YMMV.

Well certainly not the *only* way, but on some pages, like the recently visited http://www.washingtonpost.com/opinions/telnaes where it is such a PITA to figure out what is needed (for the video clip), Allow Globally (safety concerns aside) takes a lot of frustration out of the picture. (And it can make it easier to back into the needed combination, at times, too.)

Perhaps "Temporarily Allow All This Page", and yes, that still might take a couple of page refreshes. But much less dangerous than inviting the entire planet to run code on your machine. As always, a trade-off between safety and convenience. I might go for TA All sometimes, but never for Allow Globally. IMHO. YMMV.

Being the tinfoil-hat type, , I'd *usually* rather go through the list from the front than the back -- enable one at a time, and see what happens. As we've both been doing this for quite a while, you know that one gets some knowledge of which ones are almost surely not necessary, and a "feel" for previously-unknown ones, too.

But if that gets *really* cumbersome, sure, TA All This Page -- but not All This Planet. Again, a last resort for Yours Truly, and again, YMMV.

[Guest]

Hi again Tom,

I do have automatically reload in place. I believe the reason I have to back out for gstatic to show is because google.com is not whitelisted until I go in google maps. Then the page refreshes and gstatic isn't there, so I back out and come back in and then gstatic is there for me to temp enable.

[GµårÐïåñ]

Just because gstatic is needed at some point it will not ALWAYS load at the same time because until there is an API call to it or a resource request from it, it is not actually a viable link yet. So by reloading, going back and coming to it and so on, you are forcing the services to reload and often call something from it, causing it to show up. Its not "technically" a bug or a problem, just a good old fashion, when does the request get made/arrives kind of situation.

Another way to think about it: Have you ever sent a LONG text, that becomes broken down into multi-part texts because it exceeds the character limit (usually 160) and although it goes out in one shot, they don't always arrive in the destination in the same order, right? So does that mean the receiving decoder messed up? Nope, just that it got one data packet/frame/fragment, whatever your choice of words, got there in different orders, that's all, based on internet and router metrics. So sometimes the call to gstatic shows up at the same time the page loads, sometimes later, sometimes not at all, sometimes even a collision could cause a drop.

[Tom T.]

Hi again Tom,

I do have automatically reload in place. I believe the reason I have to back out for gstatic to show is because google.com is not whitelisted until I go in google maps. Then the page refreshes and gstatic isn't there, so I back out and come back in and then gstatic is there for me to temp enable.

Hi again Guest,

Not sure what is meant by "back out and come back in". Leave the site? No need. I just go to maps.google, temp-allow maps.google.com, page automatically refreshes, and gstatic is indeed in the list, having been called when maps.google is allowed, starts to run, and calls to gstatic. On a reasonably fast connection, that took less that *one* second from the time maps.google.com was allowed.

Again, if you use maps frequently, you may wish to add the specific maps scripts to your permanent whitelist:
maps.google.com
maps.gstatic.com

Then the site should work as soon as you arrive. But nothing wrong with leaving them default-denied, and using temp-allow. It's what I'd do, as I use it only once in a great while. And with a one-second penalty, I can live with that.

[elevation]

One bank example not working is https://www.elevationscu.com/
Type in any username and password and you see the problem

[NoScript XSS] Sanitized suspicious upload to [https://www.elevationsbanking.com/onlin ... hRijxwo%3D] from [https://www.elevationscu.com/]: transformed into a download-only GET request.