NS 5.0.4 & later - XSS filter stalls firefox on Postillon

Posted: Mon May 15, 2017 10:38 am
by cepheus
Hello,

Since version 5.0.4, Firefox hangs after opening the following URL: http://www.der-postillon.com/. The whole window seems unresponsive, even when e10s is enabled. I tried several combinations of Firefox 52.1 and current nightly (55.0a1), with e10s enabled or disabled, on Linux and Windows. Every time with NoScript as the only addon. It does not happen without NoScript. If you wait long enough (several minutes), the process eventually returns, but this is an unacceptably long halt.

Current nightly, NoScript default settings, yields this webbrowser console log:

Code:

On Startpage.  www.der-postillon.com:3242
req.getResponseHeader is not a function  Main.js:1639
req.getResponseHeader is not a function  Main.js:1639
Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user’s experience. For more help http://xhr.spec.whatwg.org/  ifr:233:8
req.getResponseHeader is not a function  Main.js:1639
[NoScript InjectionChecker] JavaScript Injection in b;a.google_image_requests.push(c)};var
(function anonymous(
) {
b;a.google_image_requests.push(c) /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS]: sanitized window.name, "1-0-8;8345;<!doctype html><html><head><script>(function(){window.rumTick=function(c){var b=window,a=b.performance;c&&a&&a.now&&(a=a.now(),b.google_js_reporting_queue=b.google_js_reporting_queue||[],b.google_js_reporting_queue.push({label:c,type:4,value:a,uniqueId:"rum."+Math.random()}))};}).call(this);rumTick('fb');</script><script>var google_casm=["",0,null,0,0];</script></head><body leftMargin="0" topMargin="0" marginwidth="0" marginheight="0"><script>(function(){var g=this,l=function(a,b){var c=a.split("."),d=g;c[0]in d||!d.execScript||d.execScript("var "+c[0]);for(var e;c.length&&(e=c.shift());)c.length||void 0===b?d=d[e]?d[e]:d[e]={}:d[e]=b},m=function(a,b,c){return a.call.apply(a.bind,arguments)},n=function(a,b,c){if(!a)throw Error();if(2<arguments.length){var d=Array.prototype.slice.call(arguments,2);return function(){var c=Array.prototype.slice.call(arguments);Array.prototype.unshift.apply(c,d);return a.apply(b,c)}}return function(){retur
http://tpc.googlesyndication.com/safeframe/1-0-8/html/container.html
http://tpc.googlesyndication.com/safeframe/1-0-8/html/container.html
req.getResponseHeader is not a function  Main.js:1639
req.getResponseHeader is not a function  Main.js:1639
initOnebyOne  postillon.js:100
TypeError: gadgets.window.setTitle is not a function  ifr:45:9
initTwobyTwo  postillon.js:124
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
req.getResponseHeader is not a function  Main.js:1639
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://googleads.g.doubleclick.net/pagead/id. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).  (unknown)
[NoScript InjectionChecker] JavaScript Injection in b;a.google_image_requests.push(c)};var
(function anonymous(
) {
b;a.google_image_requests.push(c) /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS]: sanitized window.name, "1-0-8;6195;<html>
<head>
</head><body><script src="https://tpc.googlesyndication.com/safeframe/1-0-8/js/ext.js"></script><script>(function(){var g=this,l=function(a,b){var c=a.split("."),d=g;c[0]in d||!d.execScript||d.execScript("var "+c[0]);for(var e;c.length&&(e=c.shift());)c.length||void 0===b?d=d[e]?d[e]:d[e]={}:d[e]=b},m=function(a,b,c){return a.call.apply(a.bind,arguments)},n=function(a,b,c){if(!a)throw Error();if(2<arguments.length){var d=Array.prototype.slice.call(arguments,2);return function(){var c=Array.prototype.slice.call(arguments);Array.prototype.unshift.apply(c,d);return a.apply(b,c)}}return function(){return a.apply(b,arguments)}},p=function(a,b,c){p=Function.prototype.bind&&-1!=Function.prototype.bind.toString().indexOf("native code")?m:n;return p.apply(null,arguments)},q=Date.now||function(){return+new Date};var r=document,s=window;var t=function(a,b){for(var c in a)Object.prototype.hasOwnProperty.call(a,c)&&b.call(null,a[c],c,
http://tpc.googlesyndication.com/safeframe/1-0-8/html/container.html?n=1
http://tpc.googlesyndication.com/safeframe/1-0-8/html/container.html?n=1
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
req.getResponseHeader is not a function  Main.js:1639
start workaround for skyscraper-sticky  www.der-postillon.com:1648
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
For comparison, their English website loads reasonably fast (www.the-postillon.com). Log from there:

Code:

Key event not available on some keyboard layouts: key=“r” modifiers=“accel,alt” id=“key_toggleReaderMode”  browser.xul
Key event not available on some keyboard layouts: key=“i” modifiers=“accel,alt,shift” id=“key_browserToolbox”  browser.xul
Using //@ to indicate sourceMappingURL pragmas is deprecated. Use //# instead  jquery.min.js:1
On Startpage.  www.the-postillon.com:2659
req.getResponseHeader is not a function  Main.js:1639
XML Parsing Error: syntax error
Location: http://www.the-postillon.com/
Line Number 1, Column 1:  www.the-postillon.com:1:1
req.getResponseHeader is not a function  Main.js:1639
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
req.getResponseHeader is not a function  Main.js:1639
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
req.getResponseHeader is not a function  Main.js:1639
"js complete: https://s0.2mdn.net/creatives/assets/1968018/DR2_Multi-Football_v01_160x600.js"  main.js:1
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
start workaround for skyscraper-sticky  www.the-postillon.com:1609
Use of getPreventDefault() is deprecated.  Use defaultPrevented instead.  jquery.min.js:5:17101
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
Thank you

Re: NoScript 5.0.4 stalls firefox on www.der-postillon.com

Posted: Mon May 15, 2017 2:18 pm
by barbaz

Re: NoScript 5.0.4 stalls firefox on www.der-postillon.com

Posted: Mon May 15, 2017 2:57 pm
by cepheus
I think the "safeframe" in the log is a red herring: My problem is not markup or script source code on the website (I don't see any), my problem is an unresponsive Firefox process. All other websites from the "safeframe" search result threads load really fast.

With www.der-postillon.com - even blocking googlesyndication.com completely with ABE does not solve the "hang" problem. Like:

Code:

Site .googlesyndication.com
Accept from .googlesyndication.com
Deny

Re: NoScript 5.0.4 stalls firefox on www.der-postillon.com

Posted: Mon May 15, 2017 3:09 pm
by cepheus
New data: The "hang" goes away with "Sanitize cross-site suspicious requests" off.

However, I would like to keep that option on. The hang does also occur with the following insane ABE rule:

Code:

Site .der-postillon.com
Accept
Site *
Deny
So it seems that XSS protection is processed before ABE. And it is processed in the main thread. And in this one case, it takes so long that the browser is unusable for several minutes. Could the processing order be changed? If ABE filters the domain, the XSS protection should never be called.

Re: NoScript 5.0.4 stalls firefox on www.der-postillon.com

Posted: Mon May 15, 2017 3:44 pm
by barbaz
Try this ABE rule -

Code:

Site tpc.googlesyndication.com
Deny
If that alone doesn't do it, add this XSS exception -

Code:

^https?://tpc\.googlesyndication\.com[/:]
It's safe because you're blocking the whole site with ABE anyway, so it doesn't matter what the XSS filter does or doesn't do.

Re: NoScript 5.0.4 stalls firefox on www.der-postillon.com

Posted: Mon May 15, 2017 4:04 pm
by therube
(Confirmed regression between noscript-5.0.3rc5.xpi & noscript-5.0.4rc3.xpi, Win XP, FF 52.)

[Config workaround] NoScript 5.0.4 stalls firefox on Postill

Posted: Tue May 16, 2017 8:55 am
by cepheus
barbaz wrote: Try this ABE rule -
...tpc.googlesyndication.com
googlesyndication.com is not the culprit, but I found it: blogger-opensocial.googleusercontent.com. According to umatrix, two frames from there are in the main website.

I can get rid of the hang (with XSS protection enabled) with the following rules:

XSS exception:

Code:

^https?://www\-blogger\-opensocial\.googleusercontent\.com[/:]
ABE rule to keep privacy:

Code:

Site .googleusercontent.com
Accept from .google.com .googleusercontent.com
Deny INC
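
Added example, not part of the thread: a small audit of which URLs the two XSS-exception patterns posted above actually exempt, next to a loosened variant. The `auditException` helper, the loosened pattern and all sample URLs except the two taken from the logs are constructed for illustration; the code tests the regexes against URL strings only and does not reproduce NoScript's own matching.

```javascript
// Exception patterns exactly as posted in the thread (JavaScript regex syntax).
const TPC = new RegExp(String.raw`^https?://tpc\.googlesyndication\.com[/:]`);
const BLOGGER = new RegExp(
  String.raw`^https?://www\-blogger\-opensocial\.googleusercontent\.com[/:]`);

// Constructed, deliberately sloppy variant: no ^ anchor, unescaped dots,
// no [/:] terminator after the host name.
const LOOSE_TPC = new RegExp(String.raw`https?://tpc.googlesyndication.com`);

// Sample URLs. The first and sixth appear in the thread's logs; the rest are
// constructed lookalikes on reserved .example names or made-up hosts.
const SAMPLE_URLS = [
  'http://tpc.googlesyndication.com/safeframe/1-0-8/html/container.html',
  'https://tpc.googlesyndication.com:8443/ads',
  'https://tpc.googlesyndication.com.lookalike.example/',
  'https://tpcxgooglesyndication.com/',
  'https://other.example/?next=https://tpc.googlesyndication.com/',
  'http://www-blogger-opensocial.googleusercontent.com/gadgets/js/core.js',
  'https://www-blogger-opensocial.googleusercontent.com.lookalike.example/',
];

// Returns the URLs the pattern exempts from XSS filtering, and the subset
// whose parsed host is NOT the host the exception was written for.
function auditException(pattern, intendedHost, urls) {
  const exempted = urls.filter((u) => pattern.test(u));
  const overbroad = exempted.filter(
    (u) => new URL(u).hostname !== intendedHost);
  return { exempted, overbroad };
}

function report() {
  return {
    tpc: auditException(TPC, 'tpc.googlesyndication.com', SAMPLE_URLS),
    blogger: auditException(
      BLOGGER, 'www-blogger-opensocial.googleusercontent.com', SAMPLE_URLS),
    loose: auditException(LOOSE_TPC, 'tpc.googlesyndication.com', SAMPLE_URLS),
  };
}

const result = report();
for (const [name, r] of Object.entries(result)) {
  console.log(name, 'exempts', r.exempted.length,
    'URL(s); outside intended host:', r.overbroad);
}
```

The `^` anchor, the escaped dots and the trailing `[/:]` are what keep each exception confined to one host; every exempted host still needs the matching ABE block the thread recommends.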

NoScript cause "firefox not responding" on some sites

Posted: Wed May 24, 2017 9:16 pm
by baltasar4711
Recent changes to NoScript cause Firefox to freeze on some sites, e.g. "http://www.der-postillon.com/" and many others. Sometimes Firefox comes back after some time (10 - 60 seconds). Most of the time only a "hard close" helps.

I was trying to monitor the problem with onboard tools: Showing long time delays without a cause. "Runtime analyse" shows many "small GC" with cause "nursery full".

Firefox: 53.0.3 (32 bit) on windows 7 64bit
NoScript 5.0.4

Hope you can fix this great Plugin!

Re: [Config workaround] NS 5.0.4 stalls firefox on Postillon

Posted: Wed May 24, 2017 10:09 pm
by barbaz
Threads merged.

Re: [Config workaround] NS 5.0.4 stalls firefox on Postillon

Posted: Thu May 25, 2017 9:50 am
by cepheus
Recent changes to NoScript cause Firefox to freeze on some sites, e.g. "http://www.der-postillon.com/" and many others.
Workarounds: See above, XSS exception for www-blogger-opensocial.googleusercontent.com (or other 3rd party sites), or disallow IFrames.

Re: [Config workaround] NS 5.0.4 stalls firefox on Postillon

Posted: Thu May 25, 2017 12:58 pm
by barbaz
And if you do add an XSS exception, make sure to completely block the site(s) allowed by the exception. This is actual XSS, it's not safe to just allow.

Re: [Config workaround] NS 5.0.4 stalls firefox on Postillon

Posted: Fri May 26, 2017 10:52 am
by cepheus
barbaz wrote: And if you do add an XSS exception, make sure to completely block the site(s) allowed by the exception. This is actual XSS, it's not safe to just allow.
Yes, it is wise to block everything 3rd-party google* in ABE, be it just for privacy reasons. However, to be clear: I don't think that googleusercontent.com does any fishy XSS, but NoScript just chokes while calculating a decision. When I wait long enough, Firefox responds again. There is no XSS warning. This can take from 1 to 10 minutes. This is a bug in NoScript 5.0.4, or a combination of NoScript and Firefox bugs.

Re: [Config workaround] NS 5.0.4 stalls firefox on Postillon

Posted: Fri May 26, 2017 3:03 pm
by barbaz
cepheus wrote: I don't think that googleusercontent.com does any fishy XSS,
When dealing with security threats, we need facts, not just individuals' thoughts.

These are the facts -
cepheus wrote:

Code:

[NoScript InjectionChecker] JavaScript Injection in b;a.google_image_requests.push(c)};var
(function anonymous(
) {
b;a.google_image_requests.push(c) /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS]: sanitized window.name, "1-0-8;8345;<!doctype html><html><head><script>(function(){window.rumTick=function(c){var b=window,a=b.performance;c&&a&&a.now&&(a=a.now(),b.google_js_reporting_queue=b.google_js_reporting_queue||[],b.google_js_reporting_queue.push({label:c,type:4,value:a,uniqueId:"rum."+Math.random()}))};}).call(this);rumTick('fb');</script><script>var google_casm=["",0,null,0,0];</script></head><body leftMargin="0" topMargin="0" marginwidth="0" marginheight="0"><script>(function(){var g=this,l=function(a,b){var c=a.split("."),d=g;c[0]in d||!d.execScript||d.execScript("var "+c[0]);for(var e;c.length&&(e=c.shift());)c.length||void 0===b?d=d[e]?d[e]:d[e]={}:d[e]=b},m=function(a,b,c){return a.call.apply(a.bind,arguments)},n=function(a,b,c){if(!a)throw Error();if(2<arguments.length){var d=Array.prototype.slice.call(arguments,2);return function(){var c=Array.prototype.slice.call(arguments);Array.prototype.unshift.apply(c,d);return a.apply(b,c)}}return function(){retur
http://tpc.googlesyndication.com/safeframe/1-0-8/html/container.html
http://tpc.googlesyndication.com/safeframe/1-0-8/html/container.html
cepheus wrote:

Code:

[NoScript InjectionChecker] JavaScript Injection in b;a.google_image_requests.push(c)};var
(function anonymous(
) {
b;a.google_image_requests.push(c) /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS]: sanitized window.name, "1-0-8;6195;<html>
<head>
</head><body><script src="https://tpc.googlesyndication.com/safeframe/1-0-8/js/ext.js"></script><script>(function(){var g=this,l=function(a,b){var c=a.split("."),d=g;c[0]in d||!d.execScript||d.execScript("var "+c[0]);for(var e;c.length&&(e=c.shift());)c.length||void 0===b?d=d[e]?d[e]:d[e]={}:d[e]=b},m=function(a,b,c){return a.call.apply(a.bind,arguments)},n=function(a,b,c){if(!a)throw Error();if(2<arguments.length){var d=Array.prototype.slice.call(arguments,2);return function(){var c=Array.prototype.slice.call(arguments);Array.prototype.unshift.apply(c,d);return a.apply(b,c)}}return function(){return a.apply(b,arguments)}},p=function(a,b,c){p=Function.prototype.bind&&-1!=Function.prototype.bind.toString().indexOf("native code")?m:n;return p.apply(null,arguments)},q=Date.now||function(){return+new Date};var r=document,s=window;var t=function(a,b){for(var c in a)Object.prototype.hasOwnProperty.call(a,c)&&b.call(null,a[c],c,
http://tpc.googlesyndication.com/safeframe/1-0-8/html/container.html?n=1
http://tpc.googlesyndication.com/safeframe/1-0-8/html/container.html?n=1
Passing HTML code around in window.name, especially when said code contains JavaScript, is just begging, screaming hysterically, 'Please, *please* XSS me!!!!! I'm vulnerable to XSS!!!! Please, XSS me!!!!!! XSS me!!!!!!!!!!'

No sane person would want that in their browser.

Re: [Config workaround] NS 5.0.4 stalls firefox on Postillon

Posted: Fri May 26, 2017 3:34 pm
by cepheus
No, the window.name sanitization is a false flag. That was from googlesyndication.com, while NoScript chokes on something from www-blogger-opensocial.googleusercontent.com. Here is a new log from today. Firefox 55 nightly from today, NoScript 5.0.4 with JavaScript allowed globally. Other settings default:

https://bpaste.net/show/fed48feb081f

No mention of window.name sanitization or anything XSS or Injection. Firefox still stalls very long. This is a different problem than in the threads about unwanted code fragments and the insane "window.name" code injection.

Re: [Config workaround] NS 5.0.4 stalls firefox on Postillon

Posted: Fri May 26, 2017 4:08 pm
by barbaz
In your latest log I notice this -

Code:

GET http://www-blogger-opensocial.googleusercontent.com/gadgets/js/core.js [HTTP/1.1 200 OK 40ms]
req.getResponseHeader is not a function  Main.js:1639
That last line is a bug in 5.0.4 which is fixed in NoScript latest development build.

Does the hanging occur with NoScript latest development build?