site bancsabadell.com hangs with NoScript


Re: site bancsabadell.com hangs with NoScript

by barbaz » Wed Jul 06, 2016 11:12 pm

No. That's opening up the bank site to XSS from any site.

Please re-formulate that as an XSS exception for request of origin (@ exception) per the sticky and post back, thanks.

Re: site bancsabadell.com hangs with NoScript

by Costa Brava » Wed Jul 06, 2016 5:17 pm

By adding the pattern
[dangerous suggestion deleted by moderator]

to the exceptions list on the XSS tab you won't have to compromise your global XSS settings.

Re: site bancsabadell.com hangs with NoScript

by barbaz » Wed Feb 24, 2016 5:33 pm

@libove: Please change the format of quotes if you choose to disable BBCode in your posts - e.g. do what therube does and quote email style, put a > and a space before the quote.
libove wrote:You pegged it. The NoScript option "Sanitize cross-site suspicious requests" being enabled is what triggers the Firefox hang on displaying the bancsabadell.com site (with datalog.bancsabadell.com allowed in NoScript).

So, what does this mean/ what can I now provide in more detail to Banc Sabadell to help them fix their brokenness?
Not sure. My best educated guess would be that they are using the highly unsafe practice of writing data to window.name to pass data across domains (any site can read it) and the XSS filter is at the very least scrutinizing it. But again, that's just a guess. I don't know. :|
(I also don't know if the XSS filter logs anything to the Browser Console (Ctrl-Shift-J) even if disabled?)
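An added illustration of the window.name concern barbaz raises above (example code, not from the thread or from NoScript): the pattern that leaves data readable by whatever document next occupies the window, beside a postMessage exchange whose receiver checks the sender's origin. The allow-listed origin is an assumption.

```javascript
// Added example, not code from the thread or from NoScript.
// Contrasts the window.name pattern barbaz suspects with a postMessage
// exchange whose receiver verifies the sender's origin.

// Risky pattern: window.name is kept across navigations and is readable by
// whatever document occupies the window next, regardless of its origin.
function stashInWindowName(win, payload) {
  win.name = JSON.stringify(payload);
  return win.name;
}

// Any document later loaded into that window can simply read it back.
function readWindowName(win) {
  try { return JSON.parse(win.name); } catch (e) { return null; }
}

// Safer alternative: postMessage pinned to a target origin, and a receiver
// that accepts only an exact allow-listed origin (no prefix matching, so
// 'https://www.bancsabadell.com.example' must fail). The origin is an assumption.
const TRUSTED_ORIGINS = ['https://www.bancsabadell.com'];

function isTrustedOrigin(origin, allowList = TRUSTED_ORIGINS) {
  return allowList.includes(origin);
}

// Returns a handler for window.addEventListener('message', handler).
// Returns true when a message was accepted, false when it was dropped.
function makeReceiver(onData, allowList = TRUSTED_ORIGINS) {
  return function handleMessage(event) {
    if (!isTrustedOrigin(event.origin, allowList)) return false;
    let data;
    try { data = JSON.parse(event.data); } catch (e) { return false; }
    onData(data);
    return true;
  };
}

// Sender side: targetOrigin makes the browser discard the message if the
// target window is not currently at that origin.
function sendTo(targetWin, payload, targetOrigin) {
  targetWin.postMessage(JSON.stringify(payload), targetOrigin);
}
```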

Re: site bancsabadell.com hangs with NoScript

by libove » Wed Feb 24, 2016 6:42 am

barbaz wrote:
libove wrote:So, maybe this is completely different than the other/XSS related issue.
OK so it's maybe not actual XSS or anything the XSS filter needs to act on, but it could still be that a lot of something is happening that the XSS filter is checking (e.g. the site writing data to window.name). If you try with XSS filter disabled (NoScript Options > Advanced > XSS, un-check both boxes) does the issue still occur? That's the way to be sure.
(This is NOT a safe thing to do, and I can understand if you don't want to try it. To mitigate risks of this test, use an isolated browser session - don't browse *any* other sites, not even in separate tabs/windows, while testing. And make sure to re-enable XSS filter when done.)
You pegged it. The NoScript option "Sanitize cross-site suspicious requests" being enabled is what triggers the Firefox hang on displaying the bancsabadell.com site (with datalog.bancsabadell.com allowed in NoScript).

So, what does this mean/ what can I now provide in more detail to Banc Sabadell to help them fix their brokenness?

many thanks for the continuing efforts!
-Jay

Re: site bancsabadell.com hangs with NoScript

by barbaz » Wed Feb 24, 2016 6:34 am

libove wrote:So, maybe this is completely different than the other/XSS related issue.
OK so it's maybe not actual XSS or anything the XSS filter needs to act on, but it could still be that a lot of something is happening that the XSS filter is checking (e.g. the site writing data to window.name). If you try with XSS filter disabled (NoScript Options > Advanced > XSS, un-check both boxes) does the issue still occur? That's the way to be sure.
(This is NOT a safe thing to do, and I can understand if you don't want to try it. To mitigate risks of this test, use an isolated browser session - don't browse *any* other sites, not even in separate tabs/windows, while testing. And make sure to re-enable XSS filter when done.)

Re: site bancsabadell.com hangs with NoScript

by libove » Wed Feb 24, 2016 6:16 am

barbaz wrote:I'm guessing you might tend to see some messages from NoScript XSS in the Browser Console (Ctrl-Shift-J) when the hang occurs. Or that it doesn't happen if you disable the XSS filter.
If I'm right it's all the more reason that you're doing the right thing by contacting them how you are, because that crosses the line from a privacy issue to a security issue.
I reproduced the hang, with the Browser Console open. Nothing about NoScript XSS at all. In fact, the messages in the Console are the same with and without the hang (except of course that, with www.bancsabadell.com allowed in NoScript, bancsabadell.com and datalog.bancsabadell.com not allowed, Firefox doesn't hang and more messages appear in the Console as I navigate farther through the site).

So, maybe this is completely different than the other/XSS related issue.

Re: site bancsabadell.com hangs with NoScript

by barbaz » Tue Feb 23, 2016 1:13 am

I'm guessing you might tend to see some messages from NoScript XSS in the Browser Console (Ctrl-Shift-J) when the hang occurs. Or that it doesn't happen if you disable the XSS filter.
If I'm right it's all the more reason that you're doing the right thing by contacting them how you are, because that crosses the line from a privacy issue to a security issue.

Re: site bancsabadell.com hangs with NoScript

by libove » Mon Feb 22, 2016 11:30 pm

barbaz wrote:@libove: I think yours is the same issue as in https://forums.informaction.com/viewtopic.php?f=7&t=21178
I read this other thread. On the face it sounds like it would be similar, however I cannot reproduce the problem by visiting the Lloyd's bank site per the discussion.
So, while conceptually it may be similar, precisely it would seem to be different.

The initial reply from Banc Sabadell, useless as expected, was to use a different browser... I responded back with my credentials and asking them to escalate both to their I.T. management and to their Data Protection compliance people who would probably care to know that a core function (being able to login) is interfered with by the site's design when a user exercises their right to not be tracked (particularly in light of the upcoming European General Data Protection Regulation)...

Re: site bancsabadell.com hangs with NoScript

by barbaz » Mon Feb 22, 2016 5:17 pm

@libove: I think yours is the same issue as in viewtopic.php?f=7&t=21178

Re: site bancsabadell.com hangs with NoScript

by libove » Mon Feb 22, 2016 6:25 am

I tested with 2.9.0.2 - still hangs if datalog.bancsabadell.com is enabled.
So, whatever bancsabadell.com is doing wrong, it triggers something different (or isn't a NoScript problem at all, but rather a badly written script on the bank's website) which is causing it.
thanks to all. I'll pass this along to the bank. (And I won't hold my breath!)
-Jay

Re: site bancsabadell.com hangs with NoScript

by Thrawn » Mon Feb 22, 2016 4:05 am

libove wrote:I don't understand why ALLOWING a particular (host with).bancsabadell.com would cause the site to hang
Usually because the site is running a misbehaving script. For example, it might be trying to load something from a domain that is still blocked, and retrying endlessly when it fails...

Re: site bancsabadell.com hangs with NoScript

by billdfixer » Sun Feb 21, 2016 3:20 pm

barbaz wrote:@billdfixer: Until the OP confirms that this issue is the same as what you experience, can you please keep discussion of your issue in viewtopic.php?f=7&t=21630 only? It's really hard to keep track of a single discussion in multiple places.
Thanks.
My post at the quoted link was to report my problem issue, not knowing where else to report it. My posts in this thread were intended to confirm the issue and help someone else resolve their issue until the underlying problem could be determined and fixed. I can certainly understand the confusion, now, and will post no more. Thank you for pointing this out.

Re: site bancsabadell.com hangs with NoScript

by billdfixer » Sun Feb 21, 2016 3:12 pm

libove wrote:I'm happy to try 2.9.0.2 to see if the problem with the Banc Sabadell site does not exist in that version.
How do I install a specific NoScript version, e.g. 2.9.0.2? (Sorry to have to ask).
thanks,
See my earlier post in this thread from Fri Feb 19, 2016 6:34 pm with the link to previous versions of NoScript. Scroll down that page to find the desired version then hover your mouse pointer over it then click on the "Install" button.

Re: site bancsabadell.com hangs with NoScript

by therube » Sun Feb 21, 2016 12:12 pm

Going to say from here, https://addons.mozilla.org/en-US/seamon ... /versions/ (only because they should be signed, & not sure of otherwise?).

Re: site bancsabadell.com hangs with NoScript

by libove » Sun Feb 21, 2016 9:17 am

I'm happy to try 2.9.0.2 to see if the problem with the Banc Sabadell site does not exist in that version.
How do I install a specific NoScript version, e.g. 2.9.0.2? (Sorry to have to ask).
thanks,
