Capital One 360 Login Blocked


Re: Capital One 360 Login Blocked

by barbaz » Mon Mar 28, 2016 11:26 am

@lakrsrool: it's not a Firefox issue at all, rather that we missed a spot in re-adjusting NoScript code for killing usage of a JS feature which caused issues like this and is anyway slated for deprecation.

Re: Capital One 360 Login Blocked

by lakrsrool » Mon Mar 28, 2016 6:53 am

FWIW, I have not had any problems logging into this same exact URL using the following:

1) Firefox 33.0.3 to 40.0.3 with NoScript 2.6.9.4 to 2.9.0.10
2) Pale Moon 25.8.1 to 26.1.1 with NoScript 2.6.9.4 to 2.9.0.9

Considering that I have not upgraded past FF 40.0.3 (when I switched to PM as my default browser), perhaps the problem (requiring these adjustments) has something to do with some FF version post 40.0.3 :idea:

[RESOLVED] Capital One 360 Login Blocked

by billdfixer » Thu Feb 25, 2016 2:47 pm

barbaz wrote:Fix is to include that in NS by default. I've informed Giorgio.
:D

Re: Capital One 360 Login Blocked

by barbaz » Wed Feb 24, 2016 1:27 am

Fix is to include that in NS by default. I've informed Giorgio.

Re: Capital One 360 Login Blocked

by billdfixer » Wed Feb 24, 2016 1:19 am

barbaz wrote:Surrogates are designed to make pages work with fewer scripts Allowed, so you'll find browsing without surrogates you need to Allow more sites' scripts than otherwise.

Please try re-enabling surrogates, then changing about:config > noscript.surrogate.ga.replacement to

Code:

(function(){var _0=$S(function()_0),_u=function(){};_0.__noSuchMethod__=_0;('ga'in window)||(ga=_u);window.urchinTracker=window._u||_u;window._gaq=$S({__noSuchMethod__:_0,push:function(f){if(typeof f=='function')f();else if(f&&f.shift&&f[0]in this)this[f.shift()].apply(this,f)},_set:function(a,b){if(typeof b=='function')b()},_link:function(h){if(h)location.href=h},_linkByPost:function(f){if(f&&f.submit)f.submit();return true},_getLinkerUrl:function(u){return u},_trackEvent:_0});window._gat=$S({__noSuchMethod__:function(){return _gaq}})})()
Does that let it work?

Yes, that works - tested on both Windows 8.1 and Windows 7 both with Firefox 44.0.2 and NoScript 2.9.0.4.

If this is a fix, this thread can be marked as solved. If it is just a temporary work-around...?

Thanks, again, for your assistance, @barbaz

Re: Capital One 360 Login Blocked

by barbaz » Tue Feb 23, 2016 10:37 pm

Surrogates are designed to make pages work with fewer scripts Allowed, so you'll find browsing without surrogates you need to Allow more sites' scripts than otherwise.

Please try re-enabling surrogates, then changing about:config > noscript.surrogate.ga.replacement to

Code:

(function(){var _0=$S(function()_0),_u=function(){};_0.__noSuchMethod__=_0;('ga'in window)||(ga=_u);window.urchinTracker=window._u||_u;window._gaq=$S({__noSuchMethod__:_0,push:function(f){if(typeof f=='function')f();else if(f&&f.shift&&f[0]in this)this[f.shift()].apply(this,f)},_set:function(a,b){if(typeof b=='function')b()},_link:function(h){if(h)location.href=h},_linkByPost:function(f){if(f&&f.submit)f.submit();return true},_getLinkerUrl:function(u){return u},_trackEvent:_0});window._gat=$S({__noSuchMethod__:function(){return _gaq}})})()
Does that let it work?
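Added example, not part of the thread and not NoScript's code: a modern-JavaScript sketch of the surrogate idea described in the post above, where a stand-in `_gaq` object lets page code that calls into a blocked analytics script run to completion. It uses a `Proxy` for the catch-all that the posted replacement does with `__noSuchMethod__`, leaves out the `$S` wrapper, and the `onContinue` handler, `simulateLogin` and `bank.example` are constructed for illustration.

```javascript
// Stand-in for Google Analytics' _gaq queue. Methods that can carry page logic
// (callbacks, navigation, form submission) are honoured; everything else is a no-op.
function makeGaqSurrogate(nav) {
  const known = {
    // _gaq.push accepts either a callback or a ['_method', ...args] array.
    push(f) {
      if (typeof f === 'function') f();
      else if (Array.isArray(f) && f.length) stub[f[0]](...f.slice(1));
    },
    _set(a, b) { if (typeof b === 'function') b(); },
    _link(href) { if (href) nav.href = href; },
    _linkByPost(form) { if (form && form.submit) form.submit(); return true; },
    _getLinkerUrl(url) { return url; },
  };
  // Catch-all: any tracking method not listed above resolves to a harmless no-op.
  const stub = new Proxy(known, {
    get: (target, name) => (name in target ? target[name] : () => undefined),
  });
  return stub;
}

// Constructed page code: the "Continue" handler records the click and submits
// the form from inside an analytics callback, so it depends on _gaq existing.
function onContinue(win, form) {
  win._gaq.push(['_trackEvent', 'login', 'continue']);
  win._gaq.push(function () { form.submit(); });
}

// Runs the handler with the analytics script blocked, with or without a surrogate.
function simulateLogin(withSurrogate) {
  const form = { submitted: false, submit() { this.submitted = true; } };
  const win = { location: { href: 'https://bank.example/login' } };
  if (withSurrogate) win._gaq = makeGaqSurrogate(win.location);
  try {
    onContinue(win, form);
  } catch (e) {
    return { submitted: form.submitted, error: e.constructor.name };
  }
  return { submitted: form.submitted, error: null };
}

console.log('no surrogate:', simulateLogin(false));
console.log('surrogate:   ', simulateLogin(true));
```

Without the stand-in the handler throws before the form is submitted, which is the kind of dead "Continue" button reported in this thread; with it, the page's own callback still runs while no tracking code is loaded.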

Re: Capital One 360 Login Blocked

by billdfixer » Tue Feb 23, 2016 10:16 pm

barbaz wrote:Ok looks like it's 'whac-a-mole' time. As a test, please disable the following NoScript features, one at a time / only one at once, in this order, until the site works:
6) surrogates: about:config > noscript.surrogate.enabled to false

Here are my results of the 'whac-a-mole' tests:

Firefox 44.0.2
NoScript 2.9.0.4
Windows 8.1

I went down the list one-by-one, as instructed. I cleared cookies and cache before performing each test.

What finally worked was changing item 6 to 'false', as instructed.

After that worked, I reset all of the other options back to their original/default settings - I was still able to login to this banking site.

I must say, I do not know enough about NoScript to know if setting surrogates to 'false' will affect other websites or reduce web security in any way. I also do not know how to implement surrogates so this option can be reset to the default of 'true.'

As a side note, I had another computer with Firefox 40.0.2, which I upgraded to NoScript 2.9.0.4 and I also could not login to this banking website - had to downgrade NoScript to 2.9.0.2 to allow login.

I do not know what all of this may mean but I hope that it helps those who do so that I can reset surrogates to 'true' and still be able to login to this banking website.

Thank you for your guidance with this, @barbaz.

Re: Capital One 360 Login Blocked

by barbaz » Mon Feb 22, 2016 3:33 am

Ok looks like it's 'whac-a-mole' time. As a test, please disable the following NoScript features, one at a time / only one at once, in this order, until the site works:
1) XSS: NoScript Options > Advanced > XSS, un-check everything
2) ABE: NoScript Options > Advanced > ABE > un-check "Enable ABE"
-> 2a) if that works, try re-enabling ABE and setting about:config > noscript.doNotTrack.enabled to false
3) ClearClick: NoScript Options > Advanced > ClearClick, un-check everything
4) Inclusion type checking: about:config > set noscript.inclusionTypeChecking to false
5) The other XSS filter: about:config > set noscript.xss.checkInclusions to false
6) surrogates: about:config > noscript.surrogate.enabled to false

Re: Capital One 360 Login Blocked

by billdfixer » Mon Feb 22, 2016 3:07 am

barbaz wrote:I find it really odd that Secure Cookies Management is pointed to as the culprit... and I assume that you clear cookies each time, otherwise those messages shouldn't happen (I think). Then again, the changelogs for 2.9.0.3 are incomplete...

Does clearing cookies and disabling Secure Cookies Management (NoScript Options > Advanced > HTTPS > Cookies) let latest development build work here?

Yes, Firefox clears cookies on each close and I have been closing and restarting Firefox before each test so testing is clean.

Disabling Secure Cookies Management in NoScript 2.9.0.4 does not resolve the problem - i.e. I still cannot login (as with NoScript 2.9.0.2).

The Console output only shows this below (which is reversed of what appears when running NoScript 2.9.0.2 - which works):

This message appears when the username field is clicked on:

Code:

Use of getPreventDefault() is deprecated.  Use defaultPrevented instead. jquery-1.8.3.min.js:2:40351

These messages appear when I click the "Continue" button, after entering a username:

Code:

Key event not available on some keyboard layouts: key="c" modifiers="accel,alt" browser.xul
Key event not available on some keyboard layouts: key="i" modifiers="accel,alt,shift" browser.xul
Key event not available on some keyboard layouts: key="m" modifiers="control,alt" browser.xul

The only variable that I have changed/tested is switching between NoScript 2.9.0.4 and 2.9.0.2 (which works), since trying NoScript 2.7 (which also works), with Firefox 44.0.2. @therube said FF 44.0.1 & NoScript 2.9.0.3 were giving expected responses.

Downgrading to NoScript 2.9.0.2 or completely disabling NoScript 2.9.0.4 are the only work-arounds that I have found so far.

Re: Capital One 360 Login Blocked

by barbaz » Sun Feb 21, 2016 5:24 pm

I find it really odd that Secure Cookies Management is pointed to as the culprit... and I assume that you clear cookies each time, otherwise those messages shouldn't happen (I think). Then again, the changelogs for 2.9.0.3 are incomplete...

Does clearing cookies and disabling Secure Cookies Management (NoScript Options > Advanced > HTTPS > Cookies) let latest development build work here?

Re: Capital One 360 Login Blocked

by billdfixer » Sun Feb 21, 2016 4:42 pm

barbaz wrote:Yes, downgrading to NS 2.9.0.2 while on Firefox 44.0 is reasonable to do.

This really doesn't sound like that one XSS issue that plagues an oddly massive number of financial sites. That issue didn't "regress" with NS 2.9.0.3.

With NoScript latest development build, when this issue occurs, do you see anything related in the Browser Console? (Ctrl-Shift-J)
(if you don't know what's related, turn off CSS warnings and post everything else you see)

With NoScript 2.9.0.4, this is what appears as the login page loads:

Code:

[NoScript HTTPS] AUTOMATIC SECURE on https://secure.capitalone360.com: JSESSIONID=B726EDD01511A050ECE081FE5D0C832C; domain=secure.capitalone360.com; path=/myaccount/; HttpOnly; Secure

[NoScript HTTPS] AUTOMATIC SECURE on https://secure.capitalone360.com: DeviceDetails="{Device_Info=WEB, Site_Pref=NORMAL}"; domain=.capitalone360.com; path=/; Secure

[NoScript HTTPS] AUTOMATIC SECURE on https://secure.capitalone360.com: isso_mig=no; domain=.capitalone360.com; path=/; Secure

[NoScript HTTPS] AUTOMATIC SECURE on https://secure.capitalone360.com: BIGipServerpl_secure.capitalone360.com_80=1730193600.20480.0000; domain=secure.capitalone360.com; path=/; Secure

[NoScript HTTPS] AUTOMATIC SECURE on https://secure.capitalone360.com: BIGipServerpl_WA_secure.capitalone360.com_80=2754062528.20480.0000; domain=secure.capitalone360.com; path=/; Secure

[NoScript HTTPS] AUTOMATIC SECURE on https://secure.capitalone360.com: TLTSID=632D79A0F782B1EF5D5E87FF5FF88974; domain=.capitalone360.com; path=/; Secure

[NoScript HTTPS] AUTOMATIC SECURE on https://secure.capitalone360.com: TLTUID=BB4DEB2E218745D1E397389D8377F18F; domain=.capitalone360.com; path=/; Secure

[NoScript HTTPS] AUTOMATIC SECURE on https://home.capitalone360.com: BIGipServerpl_home.capitalone360.com_80=3070793738.20480.0000; domain=home.capitalone360.com; path=/; Secure

[NoScript HTTPS] AUTOMATIC SECURE on https://home.capitalone360.com: BIGipServerpl_home.capitalone360.com_80=3070793738.20480.0000; domain=home.capitalone360.com; path=/; Secure

[NoScript HTTPS] AUTOMATIC SECURE on https://home.capitalone360.com: BIGipServerpl_home.capitalone360.com_80=3070793738.20480.0000; domain=home.capitalone360.com; path=/; Secure

[NoScript HTTPS] AUTOMATIC SECURE on https://home.capitalone360.com: BIGipServerpl_home.capitalone360.com_80=1107859466.20480.0000; domain=home.capitalone360.com; path=/; Secure

[NoScript HTTPS] AUTOMATIC SECURE on https://home.capitalone360.com: BIGipServerpl_home.capitalone360.com_80=1107859466.20480.0000; domain=home.capitalone360.com; path=/; Secure

[NoScript HTTPS] AUTOMATIC SECURE on https://home.capitalone360.com: BIGipServerpl_home.capitalone360.com_80=3070793738.20480.0000; domain=home.capitalone360.com; path=/; Secure

This is what appears when I type the first character of a username:

Code:

Key event not available on some keyboard layouts: key="c" modifiers="accel,alt" browser.xul
Key event not available on some keyboard layouts: key="i" modifiers="accel,alt,shift" browser.xul
Key event not available on some keyboard layouts: key="m" modifiers="control,alt" browser.xul

This is what appears when I click on the "Continue" button:

Code:

Use of getPreventDefault() is deprecated.  Use defaultPrevented instead. jquery-1.8.3.min.js:2:40351

Note: Nothing more is processed when the "Continue" button is clicked and there is no further Console output when the "Continue" button is clicked repeatedly.


With NoScript 2.9.0.2 (which DOES allow me to login), this is what appears when I click on the username field (nothing is typed):

Code:

Use of getPreventDefault() is deprecated.  Use defaultPrevented instead. jquery-1.8.3.min.js:2:40351

Note that this above message does not appear with NoScript 2.9.0.4 until after the "Continue" button is clicked.


Then, with NoScript 2.9.0.2, this is what appears when I type the first character of a username:

Code:

Key event not available on some keyboard layouts: key="c" modifiers="accel,alt" browser.xul
Key event not available on some keyboard layouts: key="i" modifiers="accel,alt,shift" browser.xul
Key event not available on some keyboard layouts: key="m" modifiers="control,alt" browser.xul

Note that with NoScript 2.9.0.4, these above messages appear only when a character is typed into the username field and appear before the above noted "getPreventDefault()" message.

Hopefully there is something here that will lead to a better solution than downgrading.

Re: Capital One 360 Login Blocked

by barbaz » Sun Feb 21, 2016 2:04 am

Yes, downgrading to NS 2.9.0.2 while on Firefox 44.0 is reasonable to do.

This really doesn't sound like that one XSS issue that plagues an oddly massive number of financial sites. That issue didn't "regress" with NS 2.9.0.3.

With NoScript latest development build, when this issue occurs, do you see anything related in the Browser Console? (Ctrl-Shift-J)
(if you don't know what's related, turn off CSS warnings and post everything else you see)

Re: Capital One 360 Login Blocked

by billdfixer » Sat Feb 20, 2016 6:23 pm

Based on @therube's reply, I upgraded NoScript from 2.7 to 2.9.0.2 and can now login using Firefox 44.0.2. I tried using 2.9.0.3 but the login problem happened again. Obviously, something changed after 2.9.0.2 that causes this login problem on this banking website.

Re: Capital One 360 Login Blocked

by barbaz » Fri Feb 19, 2016 8:55 pm

billdfixer wrote:Downgrading from NoScript 2.9.0.4 to NoScript 2.7 allows me to login to Capital One 360 without any problems and without changing any of my previous NoScript settings, just as I was able to do before.

Previous versions of NoScript can be found here: https://addons.mozilla.org/en-US/firefo ... /versions/

Downgrading NoScript may not be the best solution but I do not know of any other solution or how to provide needed information to fix the conflict.

Read viewtopic.php?p=81248#p81248 before downgrading below NoScript 2.9.0.1rc2.

Re: Capital One 360 Login Blocked

by therube » Fri Feb 19, 2016 8:22 pm

Signin page, the Continue takes me to Password screen.
Password is accepted & reports, Invalid, which is fine because I have login for Cap1.

So from my end, FF 44.0.1 & NoScript 2.9.0.3 (I'm a bit dated on each it seems) looks like it should work correctly. (At least I'm getting expected responses.)
