Noscript blocking Dashlane extension Firefox 50

Post a reply


In an effort to prevent automatic submissions, we require that you complete the following challenge.
Smilies
:D :) ;) :( :o :shock: :? 8-) :lol: :x :P :oops: :cry: :evil: :twisted: :roll: :!: :?: :idea: :arrow: :| :mrgreen: :geek: :ugeek:

BBCode is ON
[img] is ON
[flash] is OFF
[url] is ON
Smilies are ON

Topic review
   

Expand view Topic review: Noscript blocking Dashlane extension Firefox 50

Re: Noscript blocking Dashlane extension Firefox 50

by barbaz » Mon Nov 28, 2016 10:57 pm

^ Fixed.

Thanks for the info, and nice find on Joshua's part. Now let's condense that a bit and keep it restrictive -

Code: Select all

Site ^https?://(?:127\.0\.0\.1|localhost):(?:11456|15674|17896|21953|32934)/
Accept GET from about:blank 127.0.0.1 localhost

Re: Noscript blocking Dashlane extension Firefox 50

by pegasus41 » Mon Nov 28, 2016 10:23 pm

kuodos to dashlane tier 2 tech support (joshua):

Image

i tried posting the exact info but the spam filter kept getting me
dashlane uses the following ports: 11456 15674 17896 21953 32934

Code: Select all

# Dashlane exception
Site http://127.0.0.1:11456 http://127.0.0.1:15674 http://127.0.0.1:17896 http://127.0.0.1:21953 http://127.0.0.1:32934
Accept


the image should clear things up too. so the NEW question is: is the rule necessary or does the latest build make it OBE...

Re: Noscript blocking Dashlane extension Firefox 50

by Giorgio Maone » Mon Nov 28, 2016 5:28 pm

Please check latest development build 2.9.5.2rc4, thanks.

Re: Noscript blocking Dashlane extension Firefox 50

by pegasus41 » Sun Nov 27, 2016 8:58 pm

barbaz wrote:
pegasus41 wrote:actually i think this may be pertinent to the dashlane issue; what is "45872"?
Inquiring dashlane users may need an equivalent instead of the global allow all 127.0.0.1

No such equivalent AFAIK. Based on the console messages posted earlier, Dashlane appears to use random ports with no obvious pattern.


ok, i think i finally get it. that "45872" is a static port used by the other password pgm while dashlane uses random ports.
i have learned a lot from this thread - thanks.

Re: Noscript blocking Dashlane extension Firefox 50

by barbaz » Sat Nov 26, 2016 11:15 pm

pegasus41 wrote:actually i think this may be pertinent to the dashlane issue; what is "45872"?
Inquiring dashlane users may need an equivalent instead of the global allow all 127.0.0.1

No such equivalent AFAIK. Based on the console messages posted earlier, Dashlane appears to use random ports with no obvious pattern.

Re: Noscript blocking Dashlane extension Firefox 50

by pegasus41 » Sat Nov 26, 2016 11:02 pm

Guest wrote:
im3or wrote:
Yes, there are. Sticky password is one of them.

I am using this ruleset to get around ABE blocking sticky password extension:

Code: Select all

Site localhost:45872
Accept GET from about:blank localhost:45872
# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny


Is "45872" specific to sticky password extension? if so, how did you know to use it?


actually i think this may be pertinent to the dashlane issue; what is "45872"?
Inquiring dashlane users may need an equivalent instead of the global allow all 127.0.0.1

Mine is working for now with the global rule quoted in this thread but i am not comfortable not knowing what i am missing.
Dashlane tech support suggested disabling ABE entirely but that is the lazy-man way...

Re: Dashlane Broken With Update

by barbaz » Sat Nov 26, 2016 7:30 pm

@muhdashlane Merged your post with the existing thread on the problem.

Dashlane Broken With Update

by muhdashlane » Sat Nov 26, 2016 7:17 pm

Me and a friend's Dashlane Firefox addon broke a few days ago or so and after testing all of my addons I found disabling Noscript to be the solution. Reinstalling, resetting, or disabling features individually (including parts like ABE, allowing all scripts, etc.) did not seem to fix it. Disabling my other addons had no effect.

Edit: Can confirm that copy pasting:

Site 127.0.0.1 localhost
Accept GET from about:blank 127.0.0.1 localhost

above Abe's system ruleset appears to fix the problem. Thank you!

Re: Noscript blocking Dashlane extension Firefox 50

by barbaz » Fri Nov 25, 2016 5:28 pm

Guest wrote:Is "45872" specific to sticky password extension? if so, how did you know to use it?

Guest, you're looking for the Browser Console (Ctrl-Shift-J) - https://noscript.net/abe/users.html

This is off-topic in this thread, so please start a new thread if you have further questions about making ABE exceptions.

Re: Noscript blocking Dashlane extension Firefox 50

by Guest » Fri Nov 25, 2016 5:24 pm

im3or wrote:
Yes, there are. Sticky password is one of them.

I am using this ruleset to get around ABE blocking sticky password extension:

Code: Select all

Site localhost:45872
Accept GET from about:blank localhost:45872
# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny


Is "45872" specific to sticky password extension? if so, how did you know to use it?

Re: Noscript blocking Dashlane extension Firefox 50

by barbaz » Fri Nov 25, 2016 3:27 pm

Thanks!

idf wrote:If it's true that about:blank is not local, then my guess is there was a bug or oversight in NoScript that treated it as if it is, and that hole was sealed in 2.9.5.

moz-nullprincipal: URIs are not part of LOCAL either, yet something changed in NoScript 2.9.5 that they too are being blocked by ABE - viewtopic.php?f=10&t=22314

There have been a number of issues like this with NoScript 2.9.5. That's why I'm thinking the new NoScript behavior is the bug.

Re: Noscript blocking Dashlane extension Firefox 50

by im3or » Fri Nov 25, 2016 11:31 am

idf wrote:If it's true that about:blank is not local, then my guess is there was a bug or oversight in NoScript that treated it as if it is, and that hole was sealed in 2.9.5. But this exposed the problem with Dashlane - and perhaps there are other extensions that do something similar?


Yes, there are. Sticky password is one of them.

I am using this ruleset to get around ABE blocking sticky password extension:

Code: Select all

Site localhost:45872
Accept GET from about:blank localhost:45872
# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny

Re: Noscript blocking Dashlane extension Firefox 50

by idf » Fri Nov 25, 2016 7:21 am

I don't think all that testing is necessary based on the timeline I posted previously, but I did it anyway.

I just downgraded NoScript to 2.9.0.14 on FF 50 for Windows, and removed the new ABE rule. Dashlane works perfectly. The only ABE notice in the console is

Code: Select all

[ABE WAN] Detected WAN IP <my public IP address>


which does not seem to be of any significance.

I then updated NoScript back to 2.9.5.1. Dashlane no longer works. All the ABE Deny errors are in the console again:

Code: Select all

[ABE] < LOCAL> Deny on {GET http://127.0.0.1:17896/ <<< about:blank - 1}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny


If it's true that about:blank is not local, then my guess is there was a bug or oversight in NoScript that treated it as if it is, and that hole was sealed in 2.9.5. But this exposed the problem with Dashlane - and perhaps there are other extensions that do something similar?

Re: Noscript blocking Dashlane extension Firefox 50

by barbaz » Fri Nov 25, 2016 3:24 am

Hmm, maybe I have the wrong impression here? Dashlane may be operating in a less-than-ideal way, but that doesn't make it Dashlane's fault that NoScript changed behavior...if that's what happened here. Every reporter seems to have got many updates in close succession, so let's really check this for sure.

Can someone who is affected please try -
1) Remove any work-arounds you've added for this issue
2) Downgrade NoScript to 2.9.0.14
Old NoScript @
https://addons.mozilla.org/addon/noscript/versions
*or*
https://noscript.net/feed?c=100&t=a

3) Try Dashlane again. Does it work?
4) Check the Browser Console (Ctrl-Shift-J) for any ABE-related messages

Please let us know the results, thanks.

Re: Noscript blocking Dashlane extension Firefox 50

by Thrawn » Fri Nov 25, 2016 3:10 am

In a nutshell: because of the behavior of the extension, 'about:blank' (ie the canonical blank page) is trying to access localhost. ABE already permits local sites to access localhost, but about:blank isn't considered to be local.

Theoretically, though, I think it's possible for a page with scripts enabled to create a new blank page and write scripts into it. So I don't think that about:blank should be automatically whitelisted for talking to the LAN. It's unfortunate that Dashlane is working this way. Being an extension and therefore privileged, Dashlane should be able to use other, non-ABE-controlled methods of talking to localhost.

Top