NS 5.0.4 & later - XSS filter stalls firefox on Postillon


Postby cepheus » Mon May 15, 2017 10:38 am

Hello,

Since version 5.0.4, Firefox hangs after opening the following URL: http://www.der-postillon.com/. The whole window seems unresponsive, even when e10s is enabled. I tried several combinations of Firefox 52.1 and current nightly (55.0a1), with e10s enabled or disabled, on Linux and Windows. Every time with NoScript as the only add-on. It does not happen without NoScript. If you wait long enough (several minutes), the process eventually returns, but this is an unacceptably long halt.

Current nightly, NoScript default settings, yields this web browser console log:
Code:
On Startpage.  www.der-postillon.com:3242
req.getResponseHeader is not a function  Main.js:1639
req.getResponseHeader is not a function  Main.js:1639
Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user’s experience. For more help http://xhr.spec.whatwg.org/  ifr:233:8
req.getResponseHeader is not a function  Main.js:1639
[NoScript InjectionChecker] JavaScript Injection in b;a.google_image_requests.push(c)};var
(function anonymous(
) {
b;a.google_image_requests.push(c) /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS]: sanitized window.name, "1-0-8;8345;<!doctype html><html><head><script>(function(){window.rumTick=function(c){var b=window,a=b.performance;c&&a&&a.now&&(a=a.now(),b.google_js_reporting_queue=b.google_js_reporting_queue||[],b.google_js_reporting_queue.push({label:c,type:4,value:a,uniqueId:"rum."+Math.random()}))};}).call(this);rumTick('fb');</script><script>var google_casm=["",0,null,0,0];</script></head><body leftMargin="0" topMargin="0" marginwidth="0" marginheight="0"><script>(function(){var g=this,l=function(a,b){var c=a.split("."),d=g;c[0]in d||!d.execScript||d.execScript("var "+c[0]);for(var e;c.length&&(e=c.shift());)c.length||void 0===b?d=d[e]?d[e]:d[e]={}:d[e]=b},m=function(a,b,c){return a.call.apply(a.bind,arguments)},n=function(a,b,c){if(!a)throw Error();if(2<arguments.length){var d=Array.prototype.slice.call(arguments,2);return function(){var c=Array.prototype.slice.call(arguments);Array.prototype.unshift.apply(c,d);return a.apply(b,c)}}return function(){retur
http://tpc.googlesyndication.com/safeframe/1-0-8/html/container.html
http://tpc.googlesyndication.com/safeframe/1-0-8/html/container.html
req.getResponseHeader is not a function  Main.js:1639
req.getResponseHeader is not a function  Main.js:1639
initOnebyOne  postillon.js:100
TypeError: gadgets.window.setTitle is not a function  ifr:45:9
initTwobyTwo  postillon.js:124
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
req.getResponseHeader is not a function  Main.js:1639
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://googleads.g.doubleclick.net/pagead/id. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).  (unknown)
[NoScript InjectionChecker] JavaScript Injection in b;a.google_image_requests.push(c)};var
(function anonymous(
) {
b;a.google_image_requests.push(c) /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS]: sanitized window.name, "1-0-8;6195;<html>
<head>
</head><body><script src="https://tpc.googlesyndication.com/safeframe/1-0-8/js/ext.js"></script><script>(function(){var g=this,l=function(a,b){var c=a.split("."),d=g;c[0]in d||!d.execScript||d.execScript("var "+c[0]);for(var e;c.length&&(e=c.shift());)c.length||void 0===b?d=d[e]?d[e]:d[e]={}:d[e]=b},m=function(a,b,c){return a.call.apply(a.bind,arguments)},n=function(a,b,c){if(!a)throw Error();if(2<arguments.length){var d=Array.prototype.slice.call(arguments,2);return function(){var c=Array.prototype.slice.call(arguments);Array.prototype.unshift.apply(c,d);return a.apply(b,c)}}return function(){return a.apply(b,arguments)}},p=function(a,b,c){p=Function.prototype.bind&&-1!=Function.prototype.bind.toString().indexOf("native code")?m:n;return p.apply(null,arguments)},q=Date.now||function(){return+new Date};var r=document,s=window;var t=function(a,b){for(var c in a)Object.prototype.hasOwnProperty.call(a,c)&&b.call(null,a[c],c,
http://tpc.googlesyndication.com/safeframe/1-0-8/html/container.html?n=1
http://tpc.googlesyndication.com/safeframe/1-0-8/html/container.html?n=1
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
req.getResponseHeader is not a function  Main.js:1639
start workaround for skyscraper-sticky  www.der-postillon.com:1648
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
about:blank : Unable to run script because scripts are blocked internally.  (unknown)


For comparison, their English website loads reasonably fast (www.the-postillon.com). Log from there:
Code:
Key event not available on some keyboard layouts: key=“r” modifiers=“accel,alt” id=“key_toggleReaderMode”  browser.xul
Key event not available on some keyboard layouts: key=“i” modifiers=“accel,alt,shift” id=“key_browserToolbox”  browser.xul
Using //@ to indicate sourceMappingURL pragmas is deprecated. Use //# instead  jquery.min.js:1
On Startpage.  www.the-postillon.com:2659
req.getResponseHeader is not a function  Main.js:1639
XML Parsing Error: syntax error
Location: http://www.the-postillon.com/
Line Number 1, Column 1:  www.the-postillon.com:1:1
req.getResponseHeader is not a function  Main.js:1639
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
req.getResponseHeader is not a function  Main.js:1639
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
req.getResponseHeader is not a function  Main.js:1639
"js complete: https://s0.2mdn.net/creatives/assets/1968018/DR2_Multi-Football_v01_160x600.js"  main.js:1
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
start workaround for skyscraper-sticky  www.the-postillon.com:1609
Use of getPreventDefault() is deprecated.  Use defaultPrevented instead.  jquery.min.js:5:17101
about:blank : Unable to run script because scripts are blocked internally.  (unknown)


Thank you
Last edited by barbaz on Fri May 26, 2017 9:54 pm, edited 2 times in total.
Reason: adjust title to better describe the NoScript bug
Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
cepheus
 
Posts: 10
Joined: Thu Apr 06, 2017 12:54 pm

Re: NoScript 5.0.4 stalls firefox on www.der-postillon.com

Postby barbaz » Mon May 15, 2017 2:18 pm

*Always* check the changelogs BEFORE updating that important software!
Board search is currently partially broken: https://forums.informaction.com/viewtopic.php?f=14&t=21752
Workaround: use your favorite search engine, add site:forums.informaction.com to your query
-
barbaz
Senior Member
 
Posts: 7735
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript 5.0.4 stalls firefox on www.der-postillon.com

Postby cepheus » Mon May 15, 2017 2:57 pm

I think the "safeframe" in the log is a red herring: My problem is not markup or script source code on the website (I don't see any), my problem is an unresponsive Firefox process. All other websites from the "safeframe" search result threads load really fast.

With www.der-postillon.com - even blocking googlesyndication.com completely with ABE does not solve the "hang" problem. Like:

Code:
Site .googlesyndication.com
Accept from .googlesyndication.com
Deny

Re: NoScript 5.0.4 stalls firefox on www.der-postillon.com

Postby cepheus » Mon May 15, 2017 3:09 pm

New data: The "hang" goes away with "Sanitize cross-site suspicious requests" off.

However, I would like to keep that option on. The hang does also occur with the following insane ABE rule:
Code:
Site .der-postillon.com
Accept
Site *
Deny


So it seems that XSS protection is processed before ABE. And it is processed in the main thread. And in this one case, it takes so long that the browser is unusable for several minutes. Could the processing order be changed? If ABE filters the domain, the XSS protection should never be called.

Re: NoScript 5.0.4 stalls firefox on www.der-postillon.com

Postby barbaz » Mon May 15, 2017 3:44 pm

Try this ABE rule -
Code:
Site tpc.googlesyndication.com
Deny


If that alone doesn't do it, add this XSS exception -
Code:
^https?://tpc\.googlesyndication\.com[/:]

It's safe because you're blocking the whole site with ABE anyway, so it doesn't matter what the XSS filter does or doesn't do.

Re: NoScript 5.0.4 stalls firefox on www.der-postillon.com

Postby therube » Mon May 15, 2017 4:04 pm

(Confirmed regression between noscript-5.0.3rc5.xpi & noscript-5.0.4rc3.xpi, Win XP, FF 52.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 SeaMonkey/2.49.1 Lightning/5.4
therube
Ambassador
 
Posts: 6769
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

[Config workaround] NoScript 5.0.4 stalls firefox on Postill

Postby cepheus » Tue May 16, 2017 8:55 am

barbaz wrote: Try this ABE rule -
...tpc.googlesyndication.com


googlesyndication.com is not the culprit, but I found it: blogger-opensocial.googleusercontent.com. According to uMatrix, two frames from there are in the main website.

I can get rid of the hang (with XSS protection enabled) with the following rules:

XSS exception:
Code:
^https?://www\-blogger\-opensocial\.googleusercontent\.com[/:]


ABE rule to keep privacy:
Code:
Site .googleusercontent.com
Accept from .google.com .googleusercontent.com
Deny INC
Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
cepheus
 
Posts: 10
Joined: Thu Apr 06, 2017 12:54 pm
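
The two XSS exception patterns posted in this thread, checked against constructed URLs to show what the escaped dots and the trailing `[/:]` buy. This is an added example, not part of any post and not NoScript's code; `auditException`, `probes`, the loose comparison pattern and every sample URL are constructed for illustration.

```javascript
// Added example, not NoScript code: auditException(), probes() and every
// URL below are constructed for illustration.

// The two XSS exception patterns exactly as posted in the thread.
const POSTED = {
  "tpc.googlesyndication.com":
    String.raw`^https?://tpc\.googlesyndication\.com[/:]`,
  "www-blogger-opensocial.googleusercontent.com":
    String.raw`^https?://www\-blogger\-opensocial\.googleusercontent\.com[/:]`,
};

// Constructed comparison: host pasted in unescaped, without the [/:] terminator.
const loosePattern = (host) => "^https?://" + host;

function probes(host) {
  return [
    `http://${host}/gadgets/js/core.js`,        // intended host
    `https://${host}/`,                         // intended host, https
    `https://${host}:443/x`,                    // intended host, explicit port
    `https://${host}.example.net/`,             // different host: name continues
    `https://${host.replace(".", "x")}/`,       // different host: "." replaced
    `https://cdn-${host}/`,                     // different host: prefixed
    `https://example.net/?u=http://${host}/`,   // different host: name in query
  ];
}

// Compare what the regex exempts with what the URL parser says the host is.
// over   = exempted although the parsed hostname is a different host
// missed = intended host that the pattern fails to exempt
function auditException(host, pattern) {
  const re = new RegExp(pattern);
  const over = [];
  const missed = [];
  for (const url of probes(host)) {
    const sameHost = new URL(url).hostname === host;
    const exempt = re.test(url);
    if (exempt && !sameHost) over.push(url);
    if (!exempt && sameHost) missed.push(url);
  }
  return { over, missed };
}

for (const [host, pattern] of Object.entries(POSTED)) {
  console.log(host, "posted:", auditException(host, pattern));
  console.log(host, "loose: ", auditException(host, loosePattern(host)));
}
```

The audit only shows which URLs a pattern takes out of the XSS filter's scope; it says nothing about whether the exempted host is blocked by an ABE rule.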

NoScript cause "firefox not responding" on some sites

Postby baltasar4711 » Wed May 24, 2017 9:16 pm

Recent changes to NoScript cause Firefox to freeze on some sites, e.g. "http://www.der-postillon.com/" and many others. Sometimes Firefox comes back after some time (10 - 60 seconds). Most of the time only a "hard close" helps.

I was trying to monitor the problem with onboard tools: Showing long time delays without a cause. "Runtime analyse" shows many "small GC" with cause "nursery full".

Firefox: 53.0.3 (32 bit) on windows 7 64bit
NoScript 5.0.4

Hope you can fix this great Plugin!
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
baltasar4711
 
Posts: 1
Joined: Wed May 24, 2017 8:58 pm

Re: [Config workaround] NS 5.0.4 stalls firefox on Postillon

Postby barbaz » Wed May 24, 2017 10:09 pm

Threads merged.

Re: [Config workaround] NS 5.0.4 stalls firefox on Postillon

Postby cepheus » Thu May 25, 2017 9:50 am

Recent changes to NoScript cause Firefox to freeze on some sites, e.g. "http://www.der-postillon.com/" and many others.


Workarounds: See above, XSS exception for www-blogger-opensocial.googleusercontent.com (or other 3rd party sites), or disallow IFrames.

Re: [Config workaround] NS 5.0.4 stalls firefox on Postillon

Postby barbaz » Thu May 25, 2017 12:58 pm

And if you do add an XSS exception, make sure to completely block the site(s) allowed by the exception. This is actual XSS, it's not safe to just allow.

Re: [Config workaround] NS 5.0.4 stalls firefox on Postillon

Postby cepheus » Fri May 26, 2017 10:52 am

barbaz wrote: And if you do add an XSS exception, make sure to completely block the site(s) allowed by the exception. This is actual XSS, it's not safe to just allow.


Yes, it is wise to block everything 3rd-party google* in ABE, be it just for privacy reasons. However, to be clear: I don't think that googleusercontent.com does any fishy XSS, but NoScript just chokes while calculating a decision. When I wait long enough, Firefox responds again. There is no XSS warning. This can take from 1 to 10 minutes. This is a bug in NoScript 5.0.4, or a combination of NoScript and Firefox bugs.

Re: [Config workaround] NS 5.0.4 stalls firefox on Postillon

Postby barbaz » Fri May 26, 2017 3:03 pm

cepheus wrote: I don't think that googleusercontent.com does any fishy XSS,

When dealing with security threats, we need facts, not just individuals' thoughts.

These are the facts -
cepheus wrote:
Code:
[NoScript InjectionChecker] JavaScript Injection in b;a.google_image_requests.push(c)};var
(function anonymous(
) {
b;a.google_image_requests.push(c) /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS]: sanitized window.name, "1-0-8;8345;<!doctype html><html><head><script>(function(){window.rumTick=function(c){var b=window,a=b.performance;c&&a&&a.now&&(a=a.now(),b.google_js_reporting_queue=b.google_js_reporting_queue||[],b.google_js_reporting_queue.push({label:c,type:4,value:a,uniqueId:"rum."+Math.random()}))};}).call(this);rumTick('fb');</script><script>var google_casm=["",0,null,0,0];</script></head><body leftMargin="0" topMargin="0" marginwidth="0" marginheight="0"><script>(function(){var g=this,l=function(a,b){var c=a.split("."),d=g;c[0]in d||!d.execScript||d.execScript("var "+c[0]);for(var e;c.length&&(e=c.shift());)c.length||void 0===b?d=d[e]?d[e]:d[e]={}:d[e]=b},m=function(a,b,c){return a.call.apply(a.bind,arguments)},n=function(a,b,c){if(!a)throw Error();if(2<arguments.length){var d=Array.prototype.slice.call(arguments,2);return function(){var c=Array.prototype.slice.call(arguments);Array.prototype.unshift.apply(c,d);return a.apply(b,c)}}return function(){retur
http://tpc.googlesyndication.com/safeframe/1-0-8/html/container.html
http://tpc.googlesyndication.com/safeframe/1-0-8/html/container.html

cepheus wrote:
Code:
[NoScript InjectionChecker] JavaScript Injection in b;a.google_image_requests.push(c)};var
(function anonymous(
) {
b;a.google_image_requests.push(c) /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS]: sanitized window.name, "1-0-8;6195;<html>
<head>
</head><body><script src="https://tpc.googlesyndication.com/safeframe/1-0-8/js/ext.js"></script><script>(function(){var g=this,l=function(a,b){var c=a.split("."),d=g;c[0]in d||!d.execScript||d.execScript("var "+c[0]);for(var e;c.length&&(e=c.shift());)c.length||void 0===b?d=d[e]?d[e]:d[e]={}:d[e]=b},m=function(a,b,c){return a.call.apply(a.bind,arguments)},n=function(a,b,c){if(!a)throw Error();if(2<arguments.length){var d=Array.prototype.slice.call(arguments,2);return function(){var c=Array.prototype.slice.call(arguments);Array.prototype.unshift.apply(c,d);return a.apply(b,c)}}return function(){return a.apply(b,arguments)}},p=function(a,b,c){p=Function.prototype.bind&&-1!=Function.prototype.bind.toString().indexOf("native code")?m:n;return p.apply(null,arguments)},q=Date.now||function(){return+new Date};var r=document,s=window;var t=function(a,b){for(var c in a)Object.prototype.hasOwnProperty.call(a,c)&&b.call(null,a[c],c,
http://tpc.googlesyndication.com/safeframe/1-0-8/html/container.html?n=1
http://tpc.googlesyndication.com/safeframe/1-0-8/html/container.html?n=1


Passing HTML code around in window.name, especially when said code contains JavaScript, is just begging, screaming hysterically, 'Please, *please* XSS me!!!!! I'm vulnerable to XSS!!!! Please, XSS me!!!!!! XSS me!!!!!!!!!!'

No sane person would want that in their browser.

Re: [Config workaround] NS 5.0.4 stalls firefox on Postillon

Postby cepheus » Fri May 26, 2017 3:34 pm

No, the window.name sanitization is a false flag. That was from googlesyndication.com, while NoScript chokes on something from www-blogger-opensocial.googleusercontent.com. Here is a new log from today. Firefox 55 nightly from today, NoScript 5.0.4 with JavaScript allowed globally. Other settings default:

https://bpaste.net/show/fed48feb081f

No mention of window.name sanitization or anything XSS or Injection. Firefox still stalls very long. This is a different problem than in the threads about unwanted code fragments and the insane "window.name" code injection.

Re: [Config workaround] NS 5.0.4 stalls firefox on Postillon

Postby barbaz » Fri May 26, 2017 4:08 pm

In your latest log I notice this -
Code:
GET
http://www-blogger-opensocial.googleusercontent.com/gadgets/js/core.js [HTTP/1.1 200 OK 40ms]
req.getResponseHeader is not a function  Main.js:1639

That last line is a bug in 5.0.4 which is fixed in NoScript latest development build.

Does the hanging occur with NoScript latest development build?