someone look at bank's code_see why check images not visible

Posted: Tue Aug 21, 2018 1:23 am
by scripteze
I'm sure the general question's been asked, but specifics of each site (bank) vary, for what 3rd parties are necessary.
Basically, I disabled Noscript 5.1.8.6 in addons manager of Fx 52.9.0esr, under Linux & *always* have this bank whitelisted in uBlocko.
It's worked fine since their last big site overhaul in July '17 - up till ~ 1 or 2 weeks ago.

Now, there are data - images of cleared checks - that won't appear, no matter what. Bank's support say they are where they always were, and the source code (seems) to show where the check images should come from, but I'm no expert on this. Not sure if it's possible for NS to interfere when it's (totally) disabled, but hasn't been uninstalled & all traces completely cleaned.

I did not create a clean profile (yet) because the canceled checks were visible, a few wks ago. It'd be easier to find the lost ark than speaking directly to whoever maintains the site.
Unfortunately, this forum won't let me post all of the code for the page where the check image should be appearing, even enclosed in code marks.
Said, "something has triggered my spam filters... try again." Or similar.

Don't see a way to upload files w/ the code, either. Is it possible?

I'm not positive, but I think Alkami may be involved w/ the check images. But NS & uBo were turned off, so they shouldn't be a factor.
It has a line of code to get the check images,
<script src="/javascripts/shared.scripts/transaction_get_check_image_by_url.min.js?636650198213440731" type="text/javascript"></script>

then that line shows this code behind it (if I click it):

$(document).on("click touchend","#ViewCheckByUriAction",function(){var r=navigator.userAgent?/nativeapp/.test(navigator.userAgent.toLowerCase()):!1,e=$("#ViewCheckByUriAction"),o=e.attr("data-url");$.ajax({type:"GET",url:o,success:function(e){e.Success?(hideCheckUrlError(),r?window.location.href=e.Url:window.open(e.Url,"_blank")):displayCheckUrlError(e.ErrorMessage)},error:function(r){displayCheckUrlError(r.ErrorMessage)}})});var displayCheckUrlError=function(r){var e=$("#GetCheckByUrlError");e.innerHTML=r,e.show()},hideCheckUrlError=function(){var r=$("#GetCheckByUrlError");r.innerHTML="",r.hide()};
//# sourceMappingURL=transaction_get_check_image_by_url.min.js.map

Thanks.

Re: someone look at bank's code_see why check images not vis

Posted: Tue Aug 21, 2018 1:42 am
by barbaz
So did disabling NoScript get it working or not?

If not, likely not a NoScript issue.

BTW, your UA string is really weird -

Code:

Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/52.9.0
Did you deliberately set it this way?

Re: someone look at bank's code_see why check images not vis

Posted: Tue Aug 21, 2018 3:03 am
by therube
The bank have a name?

A weird one even for Pale Moon?

Re: someone look at bank's code_see why check images not vis

Posted: Tue Aug 21, 2018 3:28 am
by scripteze
Thanks, Barbasol & The Rube.
What's weird, even for Pale Moon? That's like weird in an amazing way, right? Everyone sees it's for Linux, right?

No, the bank likes to keep a low profile - they just call it "The Vault." Of course they have a name: Smart Financial Credit Union (large one). Site is Smartcu.org, until you log in;
then it's online.smartcu.org

@ barbaz: When you say, "Really weird," you mean it like saying, "that's dope," means, "that's great," ... right?
Why is it really weird? What isn't "right" about it?

You may be correct, but the user agent string doesn't mess other sites up, AFAIK.
The only thing I changed was the actual Fx version (updated it), because updating Fx in Linux, using partial.mar files (to get "full developer versions"), it doesn't update the user agent actual Fx version in about:config. So I enter what it is - 52.9.0. Other than the Fx true version, it's exactly like the Mozilla example, isn't it?
This is MINE: Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/52.9.0

These are some examples off "https://developer.mozilla.org/en-US/doc ... nt/Firefox" that says it was updated 1/24/2018, but could've been anything.
Linux desktop, i686 Mozilla/5.0 (X11; Linux i686; rv:10.0) Gecko/20100101 Firefox/10.0
Linux desktop, x86_64 Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0
Linux desktop, i686 running on x86_64 Mozilla/5.0 (X11; Linux i686 on x86_64; rv:10.0) Gecko/20100101 Firefox/10.0

No, disabling NS didn't make it work. That said, I've had a couple of instances in xx yrs, where leftover about:config entries messed something up.
I was hoping someone could take a look at the actual script - if they saw an obvious part where errors could occur in Firefox, if some setting isn't just right.

This line seems ? directly connected to retrieving the check images:
https://online.smartcu.org/javascripts/ ... 8213440731
(1) What does this line actually mean, " var isNativeApp = navigator.userAgent ? /nativeapp/.test(navigator.userAgent.toLowerCase()) : false;"

What is it checking for using: "isNativeApp = navigator.userAgent"? Then, is it testing if the userAgent is lower case?
NOTE: I don't get errors or any feedback, after clicking where a miniature check used to display (there's no placeholder now). As said, NS & uBo were both disabled, but not "removed."
"network.http.enablePerElementReferrer" is = true. I even tried allowing 3rd party cookies on the site, which I've never had to do. Didn't help.

The actual code behind the above line (1) is:

Code:

<script src="/javascripts/shared.scripts/transaction_get_check_image_by_url.min.js?636650198213440731" type="text/javascript"></script>

JS to get check_image by url.js
Alkami.Client.WebClient/javascripts/shared.scripts/transaction_get_check_image_by_url.js


$(document).on('click touchend', '#ViewCheckByUriAction', function () {
    var isNativeApp = navigator.userAgent ? /nativeapp/.test(navigator.userAgent.toLowerCase()) : false;

    var element = $("#ViewCheckByUriAction");
    var url = element.attr("data-url");
    $.ajax({
        type: "GET",
        url: url,
        success: function (response) {
            if (response.Success) {
                hideCheckUrlError();
                if (isNativeApp) {
                    window.location.href = response.Url;
                } else {
                    window.open(response.Url, '_blank');
                }
            } else {
                displayCheckUrlError(response.ErrorMessage);
            }
        },
        error: function (response) {
            displayCheckUrlError(response.ErrorMessage);
        }
    });
});

var displayCheckUrlError = function (errorMessage) {
    var errorDisplayElement = $("#GetCheckByUrlError");
    errorDisplayElement.innerHTML = errorMessage;
    errorDisplayElement.show();
}

var hideCheckUrlError = function () {
    var errorDisplayElement = $("#GetCheckByUrlError");
    errorDisplayElement.innerHTML = "";
    errorDisplayElement.hide();
}
What do you think it means by, "Alkami.Client.WebClient..."?

Re: someone look at bank's code_see why check images not vis

Posted: Tue Aug 21, 2018 4:44 am
by skriptimaahinen

Code:

var isNativeApp = navigator.userAgent ? /nativeapp/.test(navigator.userAgent.toLowerCase()) : false;
is equivalent to

Code:

var isNativeApp;
if (navigator.userAgent) {
  isNativeApp = /nativeapp/.test(navigator.userAgent.toLowerCase()) // test if navigator.userAgent (in lower case) contains "nativeapp"
} else {
  isNativeApp = false;
}
which would result in isNativeApp being false in your case. That should lead to

Code:

window.open(response.Url, '_blank');
which opens a popup window.

Got popups blocked?
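
The branch logic explained above, as an added example that is not part of any post and is not the bank's code. It goes one step beyond the posts by also tracing the error path: in the handler as posted, `innerHTML` is assigned on a jQuery object rather than on the page element, so a failed lookup shows an empty box. `FakeJq`, `traceClick` and the sample responses are constructed for illustration.

```javascript
// Added illustration: walks one click through the handler posted in this thread,
// without a browser. FakeJq is a constructed stand-in for a jQuery collection
// (an array-like wrapper around one element); it is not jQuery itself.
class FakeJq {
  constructor(el) { this[0] = el; this.length = 1; }
  show() { this[0].hidden = false; return this; }
  hide() { this[0].hidden = true; return this; }
  text(s) { this[0].textContent = s; return this; }  // mirrors jQuery's .text(value)
}

// Same test as the posted code: case-insensitive search for "nativeapp".
function isNativeApp(ua) {
  return ua ? /nativeapp/.test(ua.toLowerCase()) : false;
}

// outcome: { ok: true, body } when the GET succeeds (body is the parsed JSON),
//          { ok: false, jqXHR } when jQuery calls the error callback.
// fixed=false reproduces the posted error display; fixed=true writes to the element.
function traceClick(ua, outcome, fixed = false) {
  const el = { textContent: "", hidden: true };  // stands in for #GetCheckByUrlError
  const $err = new FakeJq(el);
  const display = (msg) => {
    if (fixed) $err.text(String(msg ?? "Request failed"));
    else $err.innerHTML = msg;  // as posted: property lands on the wrapper, not the element
    $err.show();
  };
  let action;
  if (outcome.ok && outcome.body.Success) {
    $err.hide();
    action = isNativeApp(ua) ? "location.href" : "window.open";
  } else {
    // The error callback's first argument is the jqXHR object, which carries
    // status/responseText but no ErrorMessage property.
    const source = outcome.ok ? outcome.body : outcome.jqXHR;
    display(source.ErrorMessage);
    action = "error-box";
  }
  return { action, boxVisible: !el.hidden, boxText: el.textContent };
}

// Constructed sample inputs (the UA is the default one quoted in the thread).
const UA = "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0";
const cases = [
  ["image URL returned", { ok: true, body: { Success: true, Url: "https://example.invalid/check.png" } }],
  ["server says no", { ok: true, body: { Success: false, ErrorMessage: "Image unavailable" } }],
  ["HTTP 404", { ok: false, jqXHR: { status: 404, responseText: "" } }],
];
for (const [label, outcome] of cases) {
  console.log(label, traceClick(UA, outcome), traceClick(UA, outcome, true));
}
```

In a real browser, the Network tab of the developer tools shows whether the GET to the `data-url` address is sent at all and what it returns.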

Re: someone look at bank's code_see why check images not vis

Posted: Tue Aug 21, 2018 3:01 pm
by barbaz
scripteze wrote:@ barbaz: When you say, "Really weird," you mean it like saying, "that's dope," means, "that's great," ... right?
Nope, I mean your UA string says you have a Gecko 10 browser pretending to be like Firefox 52.9.0. Gecko 10 was released in early 2012, i.e. more than 6 years ago. And current Firefox don't show the patch level in the version, only major & minor. These discrepancies will only make you fingerprintable and confuse sites.

If you really want to reveal your Firefox version in more detail than the default UA does, this is more likely to be Web-compatible -

Code:

Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.9
scripteze wrote:No, disabling NS didn't make it work.
Thanks for clarifying.

Moving thread to Web Tech.
skriptimaahinen wrote:Got popups blocked?
Also, have you modified about:config > dom.popup_allowed_events ?

Re: someone look at bank's code_see why check images not vis

Posted: Sat Aug 25, 2018 7:41 am
by scripteze
Thanks everyone. Sorry for not getting back sooner. Not from lack of appreciation for help.

Don't have time tonite to go into deep details - tomorrow?
Yes, you're correct - that UA had a mistake. I'm not sure I did that, but maybe. I removed the override pref, cleared cache, cookies & restarted.
Sites can still read a full UA string (except w/ v52 instead of 10).

BUT... I don't understand the business about checking if nativeapp is in lower case? Where & when are they looking for lower case nativeapp?

The only UA pref naming Firefox - in lower case, is "general.useragent.compatMode.firefox" I'm not sure if it should be default - false, or not?
The full UA string that sites pick up from somewhere (bits & pieces, or a code?) is definitely not lower case: "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"

As stated below, v52.0 isn't the browser I use, nor the default profile associated w/ it. I don't know what that may do to some sites, or how to remedy the wrong version being presented to sites, other than uninstalling the distro branded Firefox.

Where are sites getting the UA from (now), after I deleted the incorrect UA override in the active browser & profile?
No about:config prefs - default or user set, exist w/ the exact UA data (next line) detected by several sites.
** After removing the UA override pref, sites now detect: "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0", even though it's v52.9.0 (esr).
Does Fx give that data from somewhere else besides about:config entries?

Or do some / most Linux distros give up that info? Oh - I just realized - the v52.0 is the distro's installed version, that I don't use & never updated - or went on the web.
But that default profile / about:config started w/ the distro's Fx v52.0, doesn't have the full UA, shown on line above, "** After removing..."
So sites are getting (maybe) a whole UA string & browser vers. from an inactive browser, instead of the one used to load their site? I'm not sure where else Linux might store the UA string.

Using Linux OS in the UA & a specific distro & version, isn't exactly blending in the crowd. Just not that many of those users out there.
I haven't changed the DOM pref mentioned - it's default. But no, I don't get blank popups on the bank site, trying to look at that specific data (cleared checks). The spot the thumbnail used to be is blank. As you see from the code, it should be there.

Re: someone look at bank's code_see why check images not vis

Posted: Sat Aug 25, 2018 3:13 pm
by barbaz
scripteze wrote:I don't understand the business about checking if nativeapp is in lower case? Where & when are they looking for lower case nativeapp?
They are looking for a UA string that contains "nativeapp" (not case-sensitive). Since Firefox's UA doesn't contain "nativeapp" or "NativeApp" or any other casing of that string, that code isn't relevant for you.
scripteze wrote:The only UA pref naming Firefox - in lower case, is "general.useragent.compatMode.firefox" I'm not sure if it should be default - false, or not?
It should be default to false on Firefox. Setting that to true is only useful for other Gecko-based apps, to have their UA string advertise that the app is like Firefox.
scripteze wrote:As stated below, v52.0 isn't the browser I use, nor the default profile associated w/ it. I don't know what that may do to some sites, or how to remedy the wrong version being presented to sites, other than uninstalling the distro branded Firefox.

Where are sites getting the UA from (now), after I deleted the incorrect UA override in the active browser & profile?
No about:config prefs - default or user set, exist w/ the exact UA data (next line) detected by several sites.
** After removing the UA override pref, sites now detect: "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0", even though it's v52.9.0 (esr).
Does Fx give that data from somewhere else besides about:config entries?
The default UA is constructed something like this -

Mozilla/5.0 (<tokens describing your OS>; rv:<Gecko major version>.0) Gecko/20100101 Firefox/<Firefox major version>.0

It has been this way for years now; it doesn't reveal the minor version or patch level.
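
A check of the UA strings quoted in this thread against the default layout described in the post above, as an added example that is not part of any post. It only reports where a string departs from that default layout (the kind of discrepancy the earlier reply called fingerprintable); it says nothing about whether a site will accept the string. `checkFirefoxUA` and its result fields are hypothetical names.

```javascript
// Added illustration: compare a desktop Firefox UA string with the default layout
//   Mozilla/5.0 (<OS tokens>; rv:<major>.0) Gecko/20100101 Firefox/<major>.0
// described in the thread. checkFirefoxUA and its result fields are hypothetical names.
const FIREFOX_UA =
  /^Mozilla\/5\.0 \((.+); rv:(\d+)\.(\d+)\) Gecko\/(\d+) Firefox\/(\d+(?:\.\d+)*)$/;

function checkFirefoxUA(ua) {
  const m = FIREFOX_UA.exec(ua.trim());
  if (!m) return { parsed: false, os: null, issues: ["not in the desktop Firefox layout"] };
  const [, os, rvMajor, rvMinor, geckoTrail, fxVersion] = m;
  const fx = fxVersion.split(".");
  const issues = [];
  // rv: carries the Gecko major version and should agree with the Firefox major.
  if (rvMajor !== fx[0]) issues.push(`rv:${rvMajor} does not match Firefox/${fx[0]}`);
  if (rvMinor !== "0") issues.push(`rv minor is ${rvMinor}, default is 0`);
  if (geckoTrail !== "20100101") issues.push(`Gecko/${geckoTrail}, default is 20100101`);
  // The default shows <major>.0 only: no real minor version, no patch level.
  if (fx.length > 2) issues.push("patch level revealed");
  else if (fx.length < 2 || fx[1] !== "0") issues.push("minor version differs from default .0");
  return { parsed: true, os, issues };
}

// UA strings quoted in this thread.
const THREAD_UAS = {
  original: "Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/52.9.0",
  suggested: "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.9",
  afterReset: "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0",
  mdnExample: "Mozilla/5.0 (X11; Linux i686 on x86_64; rv:10.0) Gecko/20100101 Firefox/10.0",
};

for (const [name, ua] of Object.entries(THREAD_UAS)) {
  const result = checkFirefoxUA(ua);
  console.log(name, result.os, result.issues.length ? result.issues : "matches default layout");
}
```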

Re: someone look at bank's code_see why check images not vis

Posted: Sat Aug 25, 2018 8:27 pm
by scripteze
Thanks again. Uh... did a lot more checking. Now that I totally deleted the general.useragent.override pref, the UA that sites are picking up has changed. You were right - there was an error.
BTW, I kept getting a forum err msg, "Oops - something's triggered my spam filter. Check your ... and try again." Nothing worked. Dividing it into smaller parts, in separate posts may have fixed it. Someone can combine the 3 replies, if it's an issue.

This info answers some questions, on where sites are now getting a full useragent string, after deleting (all) similar useragent strings in about:config. It doesn't answer, "why don't images of cleared checks show - anymore - in my bank's online account?"

Re: skriptimaahinen : Was there a point being made about the bank's page source, on checking if the user agent being lower case?
Can you or anyone take a look at all the code I posted? Since:
1) tiny thumbnails used to display in each transaction involving a check (incl. ones sent by bill pay service). The thumbnails are no longer visible (nor a place holder). On the chance the thumbnails were there but hidden, I clicked in all the white space where they used to be (few wks ago, at most). No luck.

Can the code I posted about getting the check images be interpreted into layman's terms? If I can understand what (all) it's checking for, or expecting - including allowing 3rd parties to do certain things, it may trigger a memory of something that I, or Mozilla, or the bank changed - very recently. If more of the page's code is needed to understand what they're doing - when, & what happens if they do OR don't see x, y, z?

Maybe a cut to the chase Q & A is, "What would be the simplest, about:config UA strings that:
1) work well with nearly all sites, including my bank & financial sites? Never had much problem until now.

2) give out as little potential fingerprinting info as possible, but would be fairly common (blend in a bigger crowd)? The full UA string doesn't have to show Linux (Tor Browser shows ONE UA string, for all platforms - to make users appear alike).

It appears the UA that sites now detect comes from Firefox, if I enter "about:" in the address bar:
On my desktop, "about:" shows a 3 in. x 3 in. Firefox icon - logo, with the text: "Firefox; version 52.9.0." (the correct version in use);
Below the logo are 4 more lines; one is: "Build identifier: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0". The "about:" page shows 2 different Fx versions, but... that's how the latest Tor Browser "about:" page looks.

Showing the 2 versions on "about:" may be normal, but I don't understand why it's done. Why in (most) about:config UA or override strings, is the correct version not used?
Using Firefox 52.0, instead of 52.9.0?

Re: someone look at bank's code_see why check images not vis

Posted: Sat Aug 25, 2018 8:27 pm
by scripteze
Sites may now be getting the full UA string from the "about:" page, or "about:buildconfig." Wherever that data is stored. It's definitely no longer in about:config, for the time being.

The Tor Browser "general.useragent.override" value, for ALL platforms is: "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" I'm not sure Win 7 is still the most common.

Clarify: the unused Fx 52.0 is NOT shown as default browser, under Preferences_General. The profile named x.default, is NOT designated the default profile in profiles.ini.
The active Fx 52.9.0 esr IS shown as "the default browser," and the profile used automatically with v52.9.0, IS the default profile - in profiles.ini.

Clearly, Linux stores or generates a UA string; or creates the string (showing v52.0) when called, such as entering "about:" in the URL bar of v52.9.0.
A general hard drive search shows some files (generally scripts) that seem related to useragent - somehow.

The only "useragent" prefs left in the active, daily use profile are:

Code:

devtools.devices.url_cache;{
  "TYPES": [ "phones", "tablets", "laptops", "televisions", "consoles", "watches" ],
  "phones": [
(I left out long list of devices & sizes)
devtools.inspector.showUserAgentStyles;true
dom.push.userAgentID; (blank value)
general.useragent.compatMode.firefox;false
general.useragent.locale;en-US
general.useragent.site_specific_overrides;true
Re: the dom.popup_allowed_events - it shows default - string: "change click dblclick mouseup notificationclick reset submit touchend"
Those are the actions that allow dom popups (assume the check images are dom)?
But there must be 50 - 100 other dom prefs in about:config. Most are set @ default, but that doesn't mean a default value will work in specific cases. Or maybe a dom pref is missing, that's needed here.

Don't have time tonite to go into deep details - tomorrow?
Yes, you're correct - that UA had a mistake. I'm not sure I did that, but maybe. I removed the override pref, cleared cache, cookies & restarted.
Sites can still read a full UA string – now with v52.

BUT... I don't understand the business about checking if nativeapp is in lower case? Are they looking for lower case nativeapp – Firefox, in a useragent string?
Because most browsers in useragent strings aren’t all lower case.

Re: someone look at bank's code_see why check images not vis

Posted: Sat Aug 25, 2018 10:10 pm
by barbaz
Unless they have an obvious JS error or something, I don't think it's possible for someone to diagnose a problem like this based on out-of-context code snippets. Since you don't have it working on any setup of your own, a more detailed analysis probably requires someone who has a smartcu account.

As for UA strings, if you don't want to reveal that you're on Linux, you could try pretending to be Firefox 52.0 64-bit on Windows 10 64-bit -

Code:

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0

Re: someone look at bank's code_see why check images not vis

Posted: Wed Aug 29, 2018 8:56 pm
by scripteze
I'd say there are obvious JS source map errors. I used unmodified Firefox 61.0.1 - Linux, with a useragent for Firefox under Win 7 (6.1).
It seemed like there were several changes in Fx developer tools between v52.9.0esr and v61.0.1. Fx 61 developer tools showed more error information, with more clarity on certain errors than the older developer tools.

Here are what may be the most important errors, shown by Fx 61, after logging in / loading the bank site:

Code:

01:16:03.488 Source map error: request failed with status 404
Resource URL: https://online.smartcu.org/javascripts/vendor.bundles/knockout.bundle/knockout.bundle.min.js?636650198060303902
Source Map URL: knockout.validation.min.js.map[Learn More]
01:16:04.880 Source map error: request failed with status 404
Resource URL: https://online.smartcu.org/lib/iris/popper.min.js?636650198965491813
Source Map URL: popper.min.js.map[Learn More]
01:16:05.166 Source map error: request failed with status 404
Resource URL: https://online.smartcu.org/javascripts/vendor.plugins/mustache.min.js?636324410782498504
Source Map URL: mustache.min.js.map[Learn More]

The "learn more" link was Mozilla site:
https://developer.mozilla.org/en-US/docs/Tools/Debugger/Source_map_errors?utm_source=mozilla&utm_medium=firefox-console-errors&utm_campaign=default
For each of those 404 / Not Found source map errors, the console linked to the same developer.mozilla site, explaining source map errors.
Each of the errors are a bit different, though all relating to different? source maps, or possibly different types of errors. The Mozilla source map errors article covered basics of several source map errors & possible causes, etc.

I'll send a copy to the bank's "IT support" but I'm almost positive this code isn't anything their own IT dept. wrote, nor will understand. It may not even be customized strictly for their bank.
If so, I may never get a response from anyone, much less a solution.

For grins, I also used a Windows 10 Edge useragent string in unmodified Fx 61, just to see. Using the Win 10 / Edge user agent in Fx 61 w/ no addons installed, it still displayed the pages, but still no check images & I don't think the detailed 404 errors for specific minified source maps appeared in Fx 61. Not unexpectedly, there were lots of "invalid.....declaration dropped" and "unknown this or that", but amazingly most of the data was in the right place.