barbaz wrote: Yes, downgrading to NS 2.9.0.2 while on Firefox 44.0 is reasonable to do.
This really doesn't sound like that one XSS issue that plagues an oddly massive number of financial sites. That issue didn't "regress" with NS 2.9.0.3.
With NoScript latest development build (https://noscript.net/getit#devel), when this issue occurs, do you see anything related in the Browser Console? (Ctrl-Shift-J)
(if you don't know what's related, turn off CSS warnings and post everything else you see)
With NoScript 2.9.0.4, this is what appears as the login page loads:
Code:
[NoScript HTTPS] AUTOMATIC SECURE on https://secure.capitalone360.com: JSESSIONID=B726EDD01511A050ECE081FE5D0C832C; domain=secure.capitalone360.com; path=/myaccount/; HttpOnly; Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://secure.capitalone360.com: DeviceDetails="{Device_Info=WEB, Site_Pref=NORMAL}"; domain=.capitalone360.com; path=/; Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://secure.capitalone360.com: isso_mig=no; domain=.capitalone360.com; path=/; Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://secure.capitalone360.com: BIGipServerpl_secure.capitalone360.com_80=1730193600.20480.0000; domain=secure.capitalone360.com; path=/; Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://secure.capitalone360.com: BIGipServerpl_WA_secure.capitalone360.com_80=2754062528.20480.0000; domain=secure.capitalone360.com; path=/; Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://secure.capitalone360.com: TLTSID=632D79A0F782B1EF5D5E87FF5FF88974; domain=.capitalone360.com; path=/; Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://secure.capitalone360.com: TLTUID=BB4DEB2E218745D1E397389D8377F18F; domain=.capitalone360.com; path=/; Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://home.capitalone360.com: BIGipServerpl_home.capitalone360.com_80=3070793738.20480.0000; domain=home.capitalone360.com; path=/; Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://home.capitalone360.com: BIGipServerpl_home.capitalone360.com_80=3070793738.20480.0000; domain=home.capitalone360.com; path=/; Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://home.capitalone360.com: BIGipServerpl_home.capitalone360.com_80=3070793738.20480.0000; domain=home.capitalone360.com; path=/; Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://home.capitalone360.com: BIGipServerpl_home.capitalone360.com_80=1107859466.20480.0000; domain=home.capitalone360.com; path=/; Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://home.capitalone360.com: BIGipServerpl_home.capitalone360.com_80=1107859466.20480.0000; domain=home.capitalone360.com; path=/; Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://home.capitalone360.com: BIGipServerpl_home.capitalone360.com_80=3070793738.20480.0000; domain=home.capitalone360.com; path=/; Secure
This is what appears when I type the first character of a username:
Code:
Key event not available on some keyboard layouts: key="c" modifiers="accel,alt" browser.xul
Key event not available on some keyboard layouts: key="i" modifiers="accel,alt,shift" browser.xul
Key event not available on some keyboard layouts: key="m" modifiers="control,alt" browser.xul
This is what appears when I click on the "Continue" button:
Code:
Use of getPreventDefault() is deprecated. Use defaultPrevented instead. jquery-1.8.3.min.js:2:40351
Note: Nothing more is processed when the "Continue" button is clicked and there is no further Console output when the "Continue" button is clicked repeatedly.
With NoScript 2.9.0.2 (which DOES allow me to log in), this is what appears when I click on the username field (nothing is typed):
Code:
Use of getPreventDefault() is deprecated. Use defaultPrevented instead. jquery-1.8.3.min.js:2:40351
Note that this above message does not appear with NoScript 2.9.0.4 until after the "Continue" button is clicked.
Then, with NoScript 2.9.0.2, this is what appears when I type the first character of a username:
Code:
Key event not available on some keyboard layouts: key="c" modifiers="accel,alt" browser.xul
Key event not available on some keyboard layouts: key="i" modifiers="accel,alt,shift" browser.xul
Key event not available on some keyboard layouts: key="m" modifiers="control,alt" browser.xul
Note that with NoScript 2.9.0.4, these above messages appear only when a character is typed into the username field and appear before the above noted "getPreventDefault()" message.
Hopefully there is something here that will lead to a better solution than downgrading.