HP Drivers download page not working with XSS

[leo8888]

Trying to download a Laserjet Pro 400 m451 printer driver from HP's website here:

http://www8.hp.com/us/en/support-search ... type=s-002

SeaMonkey will freeze as soon as the link to select one of the three matches is clicked. Uninstalled NoScript and and was then able to download the drivers. Reinstalled NoScript and tested again and could not download the drivers. Unchecked both boxes under XSS options and tested again and was then able to download the drivers.

[therube]

First link sends me to

http://h20564.www2.hp.com/hpsc/swd/publ ... c=us&cc=us

English, Win7, gives me 3 choices; PCL5, PCL6, or PS

PCL5 initiates a download, upd-pcl5-x64.*.exe

So, not seeing any issue on my end?

[therube]

As a test, create a new, clean Profile, install only NoScript & see what happens?

---

(First link, " HP LaserJet Pro 400 color Printer M451dn" that is...)

Allowed:
www8-hp.com
hp.com

(Hmm. www8-hp.com. Made to look like. Possible that it is, but need not be...)

[barbaz]

viewtopic.php?f=7&t=20640
Try block bluekai with ABE, and then add an XSS exception for it (instructions in the linked thread).
Do *NOT* add XSS exception for bluekai without completely blocking *ALL* requests to it somehow!!! That would be very dangerous!!!!!!

[therube]

But why is bluekai even being allowed, at all?
Or even any other domains other then what I need to be able to download?


(Was trying to see if I could force the XSS, but as I went about allowing, ending up hanging, browser eating CPU. I'll try again...)

[In general their website seems to be dragging. And it happened again. Loaded the OP's page, Allow Global, selected M451dn, then the page to select Language & OS opened, with browser hanging at that point, using 50% CPU, 1 of 2 cores.]

Code: Select all

Hang report for C:\SeaMonkey\seamonkey.exe
Generated by using WhatIsHang on 07/15/2015 10:14:37 AM
Web site: http://www.nirsoft.net


Remarks:
* The program probably hangs because there is an infinite loop, very long loop, or recursive calls.


Strings found in the stack:
ZZZZZZZۧ

pkix_Build_VerifyCertificate
ZZZZZZZZZZZZZZZZZZZZ0Èl

ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZà•^
TypeNewScript_initializedType
T$<RPVÆD$<èþúÿÿƒÄ;Ãu<8\$(t.‹D$ ‹L$‹T$$ÿI;Ãu‹‰A;ÃtH^‰2À[ƒÄ$ÉA‰^2À[ƒÄ$ËT$<ƒøuI‰‹D$<Ç@‡ÿÿÿ8\$(t.‹D$ ‹L$‹


Modules found in the stack:
C:\SeaMonkey\nss3.dll , Mozilla Foundation , SeaMonkey, 
C:\SeaMonkey\xul.dll , Mozilla Foundation , SeaMonkey, 
C:\SeaMonkey\mozglue.dll , Mozilla Foundation , SeaMonkey, 
C:\SeaMonkey\icudt52.dll , The ICU Project , International Components for Unicode, ICU Data DLL

********************************************************************************
Snapshot number 1
********************************************************************************

ThreadID: 2476


Execute Address:
021EE1A6  xul.dll+0x161e1a6

Call Stack:
154EF800  000001D6


Stack Data:
0012D460  151ED000
0012D464  087440E0
0012D468  00000000
0012D46C  00000EE4
0012D470  151ED000
0012D474  0000006D
0012D478  00000BD7
0012D47C  151E3000
0012D480  087440E0
0012D484  154EF800
0012D488  00000400
0012D48C  154EFB80
0012D490  154EF858
0012D494  007440E0  nss3.dll+0x1440e0 ...

Also note that the OP's link is www8.hp.com & one of the (other) domains that turns up is www8-hp.com, just saying, as they're different.

[barbaz]

But why is bluekai even being allowed, at all?

I might be making invalid assumptions...
Is it bluekai that, when Allowed, triggers the XSS warning from the other thread, or is it that another site on hp is doing something that looks like XSSing bluekai?

Or even any other domains other then what I need to be able to download?

The OP might have allowed them to get another site to work.
Or they might have Allowed Scripts Globally - your description of what happens in that case matches what they describe...

[therube]

> bluekai

Irrespective of any XSS issue, why even allow it as it seems not to be needed?

> Or they might have Allowed Scripts Globally

Then just don't.
Try the two domains mentioned & see if that works (as it does for me).
Doesn't "fix" the problem, but certainly works around it by doing nothing further.

[Thrawn]

Firefox isn't hanging when I open the link, although it takes a few seconds to load.

I agree that it makes more sense to block bluekai. Actually, I'm blocking it further up the chain than that (ensighten.com).