InformAction Forums

NoScripters and WebSec nerds of all lands, unite!
https://forums.informaction.com/

[Fixed] Guardian page causes 100% CPU Usage, UI Lockup

https://forums.informaction.com/viewtopic.php?t=24976

Page 1 of 1

[Fixed] Guardian page causes 100% CPU Usage, UI Lockup

Posted: Mon Jun 25, 2018 4:57 am
by KonomiKitten
The following results in Firefox UI becoming unresponsive and 100% CPU usage for said tab, disabling NoScript makes Firefox behave as expected.

Page:

Code: Select all

https://www.theguardian.com/public-leaders-network/2014/nov/06/ten-public-transport-myths-busted
Firefox Version:

Code: Select all

60.0.2
Firefox Agent:

Code: Select all

Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
NoScript Version:

Code: Select all

10.1.8.2
NoScript Config:

Code: Select all

{
  "policy": {
    "DEFAULT": {
      "capabilities": [
        "frame",
        "fetch",
        "other",
        "script",
        "media",
        "font"
      ],
      "temp": false
    },
    "TRUSTED": {
      "capabilities": [
        "script",
        "object",
        "media",
        "frame",
        "font",
        "webgl",
        "fetch",
        "other"
      ],
      "temp": false
    },
    "UNTRUSTED": {
      "capabilities": [],
      "temp": false
    },
    "sites": {
      "trusted": [
        "§:addons.mozilla.org",
        "§:afx.ms",
        "§:ajax.aspnetcdn.com",
        "§:ajax.googleapis.com",
        "§:bootstrapcdn.com",
        "§:code.jquery.com",
        "§:firstdata.com",
        "§:firstdata.lv",
        "§:gfx.ms",
        "§:google.com",
        "§:googlevideo.com",
        "§:gstatic.com",
        "§:hotmail.com",
        "§:live.com",
        "§:live.net",
        "§:maps.googleapis.com",
        "§:mozilla.net",
        "§:netflix.com",
        "§:nflxext.com",
        "§:nflximg.com",
        "§:nflxvideo.net",
        "§:noscript.net",
        "§:outlook.com",
        "§:passport.com",
        "§:passport.net",
        "§:passportimages.com",
        "§:paypal.com",
        "§:paypalobjects.com",
        "§:securecode.com",
        "§:securesuite.net",
        "§:sfx.ms",
        "§:tinymce.cachefly.net",
        "§:wlxrs.com",
        "§:yahoo.com",
        "§:yahooapis.com",
        "§:yimg.com",
        "§:youtube.com",
        "§:ytimg.com"
      ],
      "untrusted": [],
      "custom": {}
    },
    "enforced": true,
    "autoAllowTop": false
  },
  "local": {
    "debug": false,
    "showCtxMenuItem": false,
    "showCountBadge": true,
    "showFullAddresses": true,
    "storage": "local",
    "uuid": "f0234288-0dab-41d2-aad7-98850488202d"
  },
  "sync": {
    "global": false,
    "xss": true,
    "clearclick": true,
    "storage": "sync"
  },
  "xssUserChoices": {}
}

Re: Guardian page causes 100% CPU Usage, UI Lockup

Posted: Mon Jun 25, 2018 7:37 am
by skriptimaahinen
Can confirm the spike in cpu and ram usage (can cause whole OS to hang for a while) and crashing of Firefox.

The culprit appears to be script from connect.facebook.net, so avoid allowing that domain until fix is found.

For the facebook.net to appear in the popup, you need to enable:

theguardian.com
guim.co.uk
krxd.net

Re: Guardian page causes 100% CPU Usage, UI Lockup

Posted: Thu Jun 28, 2018 9:13 am
by skriptimaahinen
Update:

Turns out the problem is in the XSS filter. So if you absolutely need to be tracked by Facebook, you could disable XSS in the Options and then allow facebook.net. ;)

@Giorgio:

If you have not yet checked on this: The problematic call is to https://www.facebook.com/tr/, which returns with somewhat largish payload (requestBody.formData.cd[OpenGraph]: about 80k chars), that XSS.InjectionChecker.reduceJSON promptly chokes on. I'll let you figure this out. :)

Re: Guardian page causes 100% CPU Usage, UI Lockup

Posted: Thu Jun 28, 2018 9:43 am
by Giorgio Maone
skriptimaahinen wrote:Update:

Turns out the problem is in the XSS filter. So if you absolutely need to be tracked by Facebook, you could disable XSS in the Options and then allow facebook.net. ;)

@Giorgio:

If you have not yet checked on this: The problematic call is to https://www.facebook.com/tr/, which returns with somewhat largish payload (requestBody.formData.cd[OpenGraph]: about 80k chars), that XSS.InjectionChecker.reduceJSON promptly chokes on. I'll let you figure this out. :)
Thank you, looking into it.

Re: Guardian page causes 100% CPU Usage, UI Lockup

Posted: Fri Jul 06, 2018 2:48 pm
by KonomiKitten
Sorry to be bothering, but is there any progress on this bug?

Re: Guardian page causes 100% CPU Usage, UI Lockup

Posted: Tue Jul 10, 2018 3:28 am
by Thrawn
If you need a workaround while waiting, you could block it with ABE:

Code: Select all

Site .facebook.com .facebook.net
Deny from .theguardian.com
This should prevent the XSS filter from choking, but will also kill off the Facebook Connect functionality (on that one site), if that matters to you.

Re: Guardian page causes 100% CPU Usage, UI Lockup

Posted: Tue Jul 10, 2018 4:02 am
by therube
NoScript 10 doesn't do ABE (that I see).

NoScript 5, sure.

Re: Guardian page causes 100% CPU Usage, UI Lockup

Posted: Thu Jul 12, 2018 9:51 pm
by Giorgio Maone
Fixed in latest development build (backported to "Classic" 5.1.8.7rc3, too):
v 10.1.8.3rc11
=============================================================
x [XSS] Fixed InjectionChecker choking at some big JSON
payloads sents as POST form data
x Fixed meta-refresh emulation confused by quoted URLs
x Fixed regression - popup first row not showing the active
preset initially
x [ESR60] Fixed some edge cases still breaking feeds

Re: Guardian page causes 100% CPU Usage, UI Lockup

Posted: Thu Jul 19, 2018 2:37 pm
by KonomiKitten
Fixed thank you!
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited