NS 5.0.4 & later - XSS filter stalls firefox on Postillon

cepheus
Posts: 10
Joined: Thu Apr 06, 2017 12:54 pm

NS 5.0.4 & later - XSS filter stalls firefox on Postillon

Post by cepheus »

Hello,

Since version 5.0.4, Firefox hangs after opening the following URL: http://www.der-postillon.com/. The whole window seems unresponsive, even when e10s is enabled. I tried several combinations of Firefox 52.1 and current nightly (55.0a1), with e10s enabled or disabled, on Linux and Windows. Every time with NoScript as the only addon. It does not happen without NoScript. If you wait long enough (several minutes), the process eventually returns, but this is an unacceptably long halt.

Current nightly, NoScript default settings, yields this web browser console log:

Code:

On Startpage.  www.der-postillon.com:3242
req.getResponseHeader is not a function  Main.js:1639
req.getResponseHeader is not a function  Main.js:1639
Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user’s experience. For more help http://xhr.spec.whatwg.org/  ifr:233:8
req.getResponseHeader is not a function  Main.js:1639
[NoScript InjectionChecker] JavaScript Injection in b;a.google_image_requests.push(c)};var
(function anonymous(
) {
b;a.google_image_requests.push(c) /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS]: sanitized window.name, "1-0-8;8345;<!doctype html><html><head><script>(function(){window.rumTick=function(c){var b=window,a=b.performance;c&&a&&a.now&&(a=a.now(),b.google_js_reporting_queue=b.google_js_reporting_queue||[],b.google_js_reporting_queue.push({label:c,type:4,value:a,uniqueId:"rum."+Math.random()}))};}).call(this);rumTick('fb');</script><script>var google_casm=["",0,null,0,0];</script></head><body leftMargin="0" topMargin="0" marginwidth="0" marginheight="0"><script>(function(){var g=this,l=function(a,b){var c=a.split("."),d=g;c[0]in d||!d.execScript||d.execScript("var "+c[0]);for(var e;c.length&&(e=c.shift());)c.length||void 0===b?d=d[e]?d[e]:d[e]={}:d[e]=b},m=function(a,b,c){return a.call.apply(a.bind,arguments)},n=function(a,b,c){if(!a)throw Error();if(2<arguments.length){var d=Array.prototype.slice.call(arguments,2);return function(){var c=Array.prototype.slice.call(arguments);Array.prototype.unshift.apply(c,d);return a.apply(b,c)}}return function(){retur
http://tpc.googlesyndication.com/safeframe/1-0-8/html/container.html
http://tpc.googlesyndication.com/safeframe/1-0-8/html/container.html
req.getResponseHeader is not a function  Main.js:1639
req.getResponseHeader is not a function  Main.js:1639
initOnebyOne  postillon.js:100
TypeError: gadgets.window.setTitle is not a function  ifr:45:9
initTwobyTwo  postillon.js:124
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
req.getResponseHeader is not a function  Main.js:1639
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://googleads.g.doubleclick.net/pagead/id. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).  (unknown)
[NoScript InjectionChecker] JavaScript Injection in b;a.google_image_requests.push(c)};var
(function anonymous(
) {
b;a.google_image_requests.push(c) /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS]: sanitized window.name, "1-0-8;6195;<html>
<head>
</head><body><script src="https://tpc.googlesyndication.com/safeframe/1-0-8/js/ext.js"></script><script>(function(){var g=this,l=function(a,b){var c=a.split("."),d=g;c[0]in d||!d.execScript||d.execScript("var "+c[0]);for(var e;c.length&&(e=c.shift());)c.length||void 0===b?d=d[e]?d[e]:d[e]={}:d[e]=b},m=function(a,b,c){return a.call.apply(a.bind,arguments)},n=function(a,b,c){if(!a)throw Error();if(2<arguments.length){var d=Array.prototype.slice.call(arguments,2);return function(){var c=Array.prototype.slice.call(arguments);Array.prototype.unshift.apply(c,d);return a.apply(b,c)}}return function(){return a.apply(b,arguments)}},p=function(a,b,c){p=Function.prototype.bind&&-1!=Function.prototype.bind.toString().indexOf("native code")?m:n;return p.apply(null,arguments)},q=Date.now||function(){return+new Date};var r=document,s=window;var t=function(a,b){for(var c in a)Object.prototype.hasOwnProperty.call(a,c)&&b.call(null,a[c],c,
http://tpc.googlesyndication.com/safeframe/1-0-8/html/container.html?n=1
http://tpc.googlesyndication.com/safeframe/1-0-8/html/container.html?n=1
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
req.getResponseHeader is not a function  Main.js:1639
start workaround for skyscraper-sticky  www.der-postillon.com:1648
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
about:blank : Unable to run script because scripts are blocked internally.  (unknown)

For comparison, their English website loads reasonably fast (www.the-postillon.com). Log from there:

Code:

Key event not available on some keyboard layouts: key=“r” modifiers=“accel,alt” id=“key_toggleReaderMode”  browser.xul
Key event not available on some keyboard layouts: key=“i” modifiers=“accel,alt,shift” id=“key_browserToolbox”  browser.xul
Using //@ to indicate sourceMappingURL pragmas is deprecated. Use //# instead  jquery.min.js:1
On Startpage.  www.the-postillon.com:2659
req.getResponseHeader is not a function  Main.js:1639
XML Parsing Error: syntax error
Location: http://www.the-postillon.com/
Line Number 1, Column 1:  www.the-postillon.com:1:1
req.getResponseHeader is not a function  Main.js:1639
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
req.getResponseHeader is not a function  Main.js:1639
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
req.getResponseHeader is not a function  Main.js:1639
"js complete: https://s0.2mdn.net/creatives/assets/1968018/DR2_Multi-Football_v01_160x600.js"  main.js:1
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
start workaround for skyscraper-sticky  www.the-postillon.com:1609
Use of getPreventDefault() is deprecated.  Use defaultPrevented instead.  jquery.min.js:5:17101
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
Thank you
Last edited by barbaz on Fri May 26, 2017 9:54 pm, edited 2 times in total.
Reason: adjust title to better describe the NoScript bug
Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript 5.0.4 stalls firefox on www.der-postillon.com

Post by barbaz »

*Always* check the changelogs BEFORE updating that important software!
-
cepheus
Posts: 10
Joined: Thu Apr 06, 2017 12:54 pm

Re: NoScript 5.0.4 stalls firefox on www.der-postillon.com

Post by cepheus »

I think the "safeframe" in the log is a red herring: My problem is not markup or script source code on the website (I don't see any), my problem is an unresponsive Firefox process. All other websites from the "safeframe" search result threads load really fast.

With www.der-postillon.com - even blocking googlesyndication.com completely with ABE does not solve the "hang" problem. Like:

Code:

Site .googlesyndication.com
Accept from .googlesyndication.com
Deny
Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
cepheus
Posts: 10
Joined: Thu Apr 06, 2017 12:54 pm

Re: NoScript 5.0.4 stalls firefox on www.der-postillon.com

Post by cepheus »

New data: The "hang" goes away with "Sanitize cross-site suspicious requests" off.

However, I would like to keep that option on. The hang does also occur with the following insane ABE rule:

Code:

Site .der-postillon.com
Accept
Site *
Deny
So it seems that XSS protection is processed before ABE. And it is processed in the main thread. And in this one case, it takes so long that the browser is unusable for several minutes. Could the processing order be changed? If ABE filters the domain, the XSS protection should never be called.
Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript 5.0.4 stalls firefox on www.der-postillon.com

Post by barbaz »

Try this ABE rule -

Code:

Site tpc.googlesyndication.com
Deny

If that alone doesn't do it, add this XSS exception -

Code:

^https?://tpc\.googlesyndication\.com[/:]
It's safe because you're blocking the whole site with ABE anyway, so it doesn't matter what the XSS filter does or doesn't do.
therube
Ambassador
Posts: 7922
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: NoScript 5.0.4 stalls firefox on www.der-postillon.com

Post by therube »

(Confirmed regression between noscript-5.0.3rc5.xpi & noscript-5.0.4rc3.xpi, Win XP, FF 52.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 SeaMonkey/2.49.1 Lightning/5.4
cepheus
Posts: 10
Joined: Thu Apr 06, 2017 12:54 pm

[Config workaround] NoScript 5.0.4 stalls firefox on Postill

Post by cepheus »

barbaz wrote: Try this ABE rule -
...tpc.googlesyndication.com
googlesyndication.com is not the culprit, but I found it: blogger-opensocial.googleusercontent.com. According to uMatrix, two frames from there are in the main website.

I can get rid of the hang (with XSS protection enabled) with the following rules:

XSS exception:

Code:

^https?://www\-blogger\-opensocial\.googleusercontent\.com[/:]

ABE rule to keep privacy:

Code:

Site .googleusercontent.com
Accept from .google.com .googleusercontent.com
Deny INC
Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
baltasar4711
Posts: 1
Joined: Wed May 24, 2017 8:58 pm

NoScript cause "firefox not responding" on some sites

Post by baltasar4711 »

Recent changes to NoScript cause Firefox to freeze on some sites, e.g. "http://www.der-postillon.com/" and many others. Sometimes Firefox comes back after some time (10 - 60 seconds). Most of the time only a "hard close" helps.

I was trying to monitor the problem with onboard tools: Showing long time delays without a cause. "Runtime analyse" shows many "small GC" with cause "nursery full".

Firefox: 53.0.3 (32 bit) on Windows 7 64bit
NoScript 5.0.4

Hope you can fix this great Plugin!
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: [Config workaround] NS 5.0.4 stalls firefox on Postillon

Post by barbaz »

Threads merged.
cepheus
Posts: 10
Joined: Thu Apr 06, 2017 12:54 pm

Re: [Config workaround] NS 5.0.4 stalls firefox on Postillon

Post by cepheus »

Recent changes to NoScript cause Firefox to freeze on some sites, e.g. "http://www.der-postillon.com/" and many others.
Workarounds: See above, XSS exception for www-blogger-opensocial.googleusercontent.com (or other 3rd party sites), or disallow IFrames.
Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: [Config workaround] NS 5.0.4 stalls firefox on Postillon

Post by barbaz »

And if you do add an XSS exception, make sure to completely block the site(s) allowed by the exception. This is actual XSS, it's not safe to just allow.
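The advice in the post above can be checked mechanically. This is an added example, not part of the thread and not NoScript code: it tests the two XSS exception patterns posted here against constructed look-alike URLs and reports whether each excepted host is unconditionally denied, using a simplified model of ABE `Site`/`Accept`/`Deny` lines (the host-matching rules and all function names are assumptions for illustration).

```javascript
// Simplified model, not NoScript's matcher or ABE parser. Patterns/rules are from this thread.
const exceptions = [
  { host: "tpc.googlesyndication.com",
    pattern: String.raw`^https?://tpc\.googlesyndication\.com[/:]` },
  { host: "www-blogger-opensocial.googleusercontent.com",
    pattern: String.raw`^https?://www\-blogger\-opensocial\.googleusercontent\.com[/:]` },
];
const abeRules = `
Site tpc.googlesyndication.com
Deny
Site .googleusercontent.com
Accept from .google.com .googleusercontent.com
Deny INC
`;

// Split ABE text into rules: one "Site" line followed by its action lines.
function parseAbe(text) {
  const rules = [];
  for (const line of text.split("\n").map((l) => l.trim()).filter(Boolean)) {
    if (/^Site\s/.test(line)) rules.push({ sites: line.split(/\s+/).slice(1), actions: [] });
    else if (rules.length) rules[rules.length - 1].actions.push(line);
  }
  return rules;
}

// Assumed matching: "*" is any host, ".d.tld" is d.tld plus subdomains, else exact.
function siteCovers(site, host) {
  if (site === "*") return true;
  if (site.startsWith(".")) return host === site.slice(1) || host.endsWith(site);
  return host === site;
}

// "blocked": the first rule covering the host is a bare Deny and nothing else.
// "partial": that rule accepts some origins or limits the Deny; "open": no rule.
function abeVerdict(rules, host) {
  const rule = rules.find((r) => r.sites.some((s) => siteCovers(s, host)));
  if (!rule) return "open";
  return rule.actions.length === 1 && rule.actions[0] === "Deny" ? "blocked" : "partial";
}

// Per exception: does it match its own host, does it leak onto constructed
// look-alike URLs, and is the excepted host fully denied by ABE?
function audit(list, rules) {
  return list.map(({ host, pattern }) => {
    const re = new RegExp(pattern);
    return { host, abe: abeVerdict(rules, host),
      matchesHost: re.test(`http://${host}/`) && re.test(`https://${host}:8443/x`),
      matchesLookalike: re.test(`http://${host}.lookalike.example/`) ||
        re.test(`http://lookalike.example/?u=http://${host}/`) };
  });
}

console.table(audit(exceptions, parseAbe(abeRules)));
```

With the rules as posted, the first exception reports `blocked` and the second `partial`, because its ABE rule accepts some origins and its Deny is limited to INC.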
cepheus
Posts: 10
Joined: Thu Apr 06, 2017 12:54 pm

Re: [Config workaround] NS 5.0.4 stalls firefox on Postillon

Post by cepheus »

barbaz wrote: And if you do add an XSS exception, make sure to completely block the site(s) allowed by the exception. This is actual XSS, it's not safe to just allow.
Yes, it is wise to block everything 3rd-party google* in ABE, be it just for privacy reasons. However, to be clear: I don't think that googleusercontent.com does any fishy XSS, but NoScript just chokes while calculating a decision. When I wait long enough, Firefox responds again. There is no XSS warning. This can take from 1 to 10 minutes. This is a bug in NoScript 5.0.4, or a combination of NoScript and Firefox bugs.
Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: [Config workaround] NS 5.0.4 stalls firefox on Postillon

Post by barbaz »

cepheus wrote: I don't think that googleusercontent.com does any fishy XSS,
When dealing with security threats, we need facts, not just individuals' thoughts.

These are the facts -
cepheus wrote:

Code:

[NoScript InjectionChecker] JavaScript Injection in b;a.google_image_requests.push(c)};var
(function anonymous(
) {
b;a.google_image_requests.push(c) /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS]: sanitized window.name, "1-0-8;8345;<!doctype html><html><head><script>(function(){window.rumTick=function(c){var b=window,a=b.performance;c&&a&&a.now&&(a=a.now(),b.google_js_reporting_queue=b.google_js_reporting_queue||[],b.google_js_reporting_queue.push({label:c,type:4,value:a,uniqueId:"rum."+Math.random()}))};}).call(this);rumTick('fb');</script><script>var google_casm=["",0,null,0,0];</script></head><body leftMargin="0" topMargin="0" marginwidth="0" marginheight="0"><script>(function(){var g=this,l=function(a,b){var c=a.split("."),d=g;c[0]in d||!d.execScript||d.execScript("var "+c[0]);for(var e;c.length&&(e=c.shift());)c.length||void 0===b?d=d[e]?d[e]:d[e]={}:d[e]=b},m=function(a,b,c){return a.call.apply(a.bind,arguments)},n=function(a,b,c){if(!a)throw Error();if(2<arguments.length){var d=Array.prototype.slice.call(arguments,2);return function(){var c=Array.prototype.slice.call(arguments);Array.prototype.unshift.apply(c,d);return a.apply(b,c)}}return function(){retur
http://tpc.googlesyndication.com/safeframe/1-0-8/html/container.html
http://tpc.googlesyndication.com/safeframe/1-0-8/html/container.html
cepheus wrote:

Code:

[NoScript InjectionChecker] JavaScript Injection in b;a.google_image_requests.push(c)};var
(function anonymous(
) {
b;a.google_image_requests.push(c) /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS]: sanitized window.name, "1-0-8;6195;<html>
<head>
</head><body><script src="https://tpc.googlesyndication.com/safeframe/1-0-8/js/ext.js"></script><script>(function(){var g=this,l=function(a,b){var c=a.split("."),d=g;c[0]in d||!d.execScript||d.execScript("var "+c[0]);for(var e;c.length&&(e=c.shift());)c.length||void 0===b?d=d[e]?d[e]:d[e]={}:d[e]=b},m=function(a,b,c){return a.call.apply(a.bind,arguments)},n=function(a,b,c){if(!a)throw Error();if(2<arguments.length){var d=Array.prototype.slice.call(arguments,2);return function(){var c=Array.prototype.slice.call(arguments);Array.prototype.unshift.apply(c,d);return a.apply(b,c)}}return function(){return a.apply(b,arguments)}},p=function(a,b,c){p=Function.prototype.bind&&-1!=Function.prototype.bind.toString().indexOf("native code")?m:n;return p.apply(null,arguments)},q=Date.now||function(){return+new Date};var r=document,s=window;var t=function(a,b){for(var c in a)Object.prototype.hasOwnProperty.call(a,c)&&b.call(null,a[c],c,
http://tpc.googlesyndication.com/safeframe/1-0-8/html/container.html?n=1
http://tpc.googlesyndication.com/safeframe/1-0-8/html/container.html?n=1
Passing HTML code around in window.name, especially when said code contains JavaScript, is just begging, screaming hysterically, 'Please, *please* XSS me!!!!! I'm vulnerable to XSS!!!! Please, XSS me!!!!!! XSS me!!!!!!!!!!'

No sane person would want that in their browser.
cepheus
Posts: 10
Joined: Thu Apr 06, 2017 12:54 pm

Re: [Config workaround] NS 5.0.4 stalls firefox on Postillon

Post by cepheus »

No, the window.name sanitization is a false flag. That was from googlesyndication.com, while NoScript chokes on something from www-blogger-opensocial.googleusercontent.com. Here is a new log from today. Firefox 55 nightly from today, NoScript 5.0.4 with JavaScript allowed globally. Other settings default:

https://bpaste.net/show/fed48feb081f

No mention of window.name sanitization or anything XSS or Injection. Firefox still stalls very long. This is a different problem than in the threads about unwanted code fragments and the insane "window.name" code injection.
Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: [Config workaround] NS 5.0.4 stalls firefox on Postillon

Post by barbaz »

In your latest log I notice this -

Code:

GET http://www-blogger-opensocial.googleusercontent.com/gadgets/js/core.js [HTTP/1.1 200 OK 40ms]
req.getResponseHeader is not a function  Main.js:1639

That last line is a bug in 5.0.4 which is fixed in NoScript latest development build.

Does the hanging occur with NoScript latest development build?