No-script changes. This are errors or was intentional?

marceloalm
Posts: 2
Joined: Fri Nov 25, 2016 9:49 pm

Post by marceloalm »

Hi all, I have YouTube and other sites like that blocked in NoScript, but since update 2.9.5 I am getting a download prompt asking me to download the video URL on any site that has an embedded YouTube video. Was this intended or is it an error?

Second problem: Brazilian banks use a "tool" (browser plugin) to allow customers to log in to the bank account website. This 'tool' is used to track hardware information, check if the bank URL is real, etc., to ensure the user is the same and is allowed to access the bank website...
Since update 2.9.5.1, if the NoScript plugin is active (with allow JavaScript) the bank websites say you don't have the security tool installed, so the allow JavaScript option doesn't work like it did before; the plugin must be completely deactivated and the browser restarted to be able to connect to bank websites.
Can you guys let me know if I can change something to use NoScript with the bank website without completely deactivating the plugin every time?

Regards

Marcelo
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
barbaz
Senior Member
Posts: 11067
Joined: Sat Aug 03, 2013 5:45 pm

Re: No-script changes. This are errors or was intentional?

Post by barbaz »

marceloalm wrote:Hi all, I have YouTube and other sites like that blocked in NoScript, but since update 2.9.5 I am getting a download prompt asking me to download the video URL on any site that has an embedded YouTube video. Was this intended or is it an error?
Error, but NoScript might not be the culprit. Could you please post your list of extensions?
marceloalm wrote:Second problem: Brazilian banks use a "tool" (browser plugin) to allow customers to log in to the bank account website. This 'tool' is used to track hardware information, check if the bank URL is real, etc., to ensure the user is the same and is allowed to access the bank website...
Since update 2.9.5.1, if the NoScript plugin is active (with allow JavaScript) the bank websites say you don't have the security tool installed, so the allow JavaScript option doesn't work like it did before; the plugin must be completely deactivated and the browser restarted to be able to connect to bank websites.
Can you guys let me know if I can change something to use NoScript with the bank website without completely deactivating the plugin every time?
Does NoScript latest development build help at all?

If not:
- Does it work in a new, clean profile with only NoScript and only this one plugin?
- Do you notice any differences in the NoScript menu as compared to 2.9.0.14 where this works for you?
- When this issue occurs, do you see anything related in the Browser Console? (Ctrl-Shift-J)
(if you don't know what's related, turn off CSS warnings and post everything else you see)

In case you need to double-check what happens with NoScript 2.9.0.14, you can get old NoScript @
https://addons.mozilla.org/addon/noscript/versions
*or*
https://noscript.net/feed?c=100&t=a
*Always* check the changelogs BEFORE updating that important software!
-
marceloalm
Posts: 2
Joined: Fri Nov 25, 2016 9:49 pm

Re: No-script changes. This are errors or was intentional?

Post by marceloalm »

List of extensions: Live HTTP Headers and NoScript

I tried with devel version 2.9.5.2rc2 and the bank tool error persists.

Console log:

Code:

 GET 
https://aapj.bb.com.br/aapj/includes/js/jquery.contextmenu.js [HTTP/1.1 200 OK 0 ms]
Using //@ to indicate sourceMappingURL pragmas is deprecated. Use //# instead[Learn More]  jquery-1.10.2.min.js:1
[ABE] < LOCAL> Deny on {GET https://127.0.0.1:30900/ <<< https://aapj.bb.com.br/aapj/loginmpe.bb?identificacaoUsuario=J7188651 - 1}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
GET 
XHR 
https://aapj.bb.com.br/aapj/includes/js/iptCheck.js [HTTP/1.1 200 OK 141 ms]
O Firefox não conseguiu estabelecer uma conexão com o servidor wss://127.0.0.1:30900/.  warsaw-agent.js:14:216
GET 
https://aapj.bb.com.br/aapj/includes/js/gbPlugin/warsaw-swfobject.js [HTTP/1.1 200 OK 0 ms]
GET 
https://www.google-analytics.com/analytics.js [HTTP/2.0 200 OK 0 ms]
GET 
https://aapj.bb.com.br/aapj/includes/js/gbPlugin/warsaw-web_socket.js [HTTP/1.1 200 OK 0 ms]
GET 
https://www.google-analytics.com/plugins/ua/linkid.js [HTTP/2.0 200 OK 0 ms]
GET 
https://www.google-analytics.com/collect [HTTP/2.0 200 OK 117 ms]
POST 
XHR 
https://aapj.bb.com.br/aapj/loginmpe.bb [HTTP/1.1 200 OK 302 ms]
window.controllers não deve mais ser usado. Não utilize para detecção do UA.  loginmpe.bb
I tried to post the warsaw-agent.js content but the forum replied with an anti-spam error.
But disabling the ABE filter makes bank websites work again.

Thank you for your support.
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
barbaz
Senior Member
Posts: 11067
Joined: Sat Aug 03, 2013 5:45 pm

Re: No-script changes. This are errors or was intentional?

Post by barbaz »

It would appear that the bank tool is supposed to be blocked.
Fix: NoScript Options > Advanced > ABE > SYSTEM, add *at the very top*

Code:

Site https://127.0.0.1:*
Accept from https://aapj.bb.com.br/*
*Always* check the changelogs BEFORE updating that important software!
-
gwarah
Posts: 4
Joined: Wed Nov 09, 2016 4:58 pm

Caixa Economica Home Banking - warsaw blocked on login

Post by gwarah »

When I try to log in, the site says the system does not have Warsaw installed, but it does. I tried to access it on Chromium and on Firefox with NoScript disabled and the access was OK. Accessing Banco do Brasil Internet Banking (another bank that uses Warsaw) with Firefox works fine.

NoScript sends no new notifications of blocked sites/scripts.

My (up to date until now) data:

- Ubuntu 16.04 (64 bits)
- firefox 50.0.2
- noScript 2.9.5.2
- warsaw 1.3.0
- java -version
java version "1.8.0_111"
Java(TM) SE Runtime Environment (build 1.8.0_111-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.111-b14, mixed mode)

Console Log after attempt to access:

Code:

'mozHidden' and 'mozVisibilityState' are deprecated.  Please use the unprefixed 'hidden' and 'visibilityState' instead. show_ads_impl.js:145:903
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
'mozHidden' and 'mozVisibilityState' are deprecated.  Please use the unprefixed 'hidden' and 'visibilityState' instead.  show_ads_impl.js:145:903
'mozHidden' and 'mozVisibilityState' are deprecated.  Please use the unprefixed 'hidden' and 'visibilityState' instead.  ads:1:1040
'mozHidden' and 'mozVisibilityState' are deprecated.  Please use the unprefixed 'hidden' and 'visibilityState' instead.  show_ads_impl.js:145:903
'mozHidden' and 'mozVisibilityState' are deprecated.  Please use the unprefixed 'hidden' and 'visibilityState' instead.  ads:1:1040
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
about:blank : Unable to run script because scripts are blocked internally.  (unknown)
TelemetryStopwatch: requesting elapsed time for nonexisting stopwatch. Histogram: "PLACES_AUTOCOMPLETE_6_FIRST_RESULTS_TIME_MS", key: "null"  TelemetryStopwatch.jsm:297
uncaught exception: NoScript aborted redirection to https://static.ads-twitter.com/oct.js  (unknown)
ew.caixa.gov.br:443 uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown.
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported.

Error code: <a id="errorCode" title="SEC_ERROR_UNKNOWN_ISSUER">SEC_ERROR_UNKNOWN_ISSUER</a>
 (unknown)
Warning: attempting to write 46598 bytes to preference capability.policy.maonoscript.sites. This is bad for general performance and memory usage. Such an amount of data should rather be written to an external file. This preference will not be sent to any content processes.
[ABE] < LOCAL> Deny on {GET https://127.0.0.1:30900/ <<< https://127.0.0.1:30900/, https://internetbanking.caixa.gov.br/sinbc/#!nb/login - 1}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
unreachable code after return statement[Learn More]  funcoes.js:2693:1
A declaração da codificação de caracteres do documento HTML não foi encontrada ao verificar os primeiros 1024 bytes do arquivo. Ao ser aberta em um navegador configurado de forma diferente, a página será automaticamente recarregada. A declaração da codificação precisa ser movida para os primeiros 1024 bytes do arquivo.  concordo.htm:20
Using //@ to indicate sourceMappingURL pragmas is deprecated. Use //# instead[Learn More]  warsaw-zlib.js:39:661
O método getPreventDefault() não deve mais ser usado. No lugar, use defaultPrevented.  
 
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: No-script changes. This are errors or was intentional?

Post by Giorgio Maone »

OK, looks like the port doesn't change (always 30900), but of course the origin sites of banks trying to use this "Warsaw" agent vary.
I think this deserves its own FAQ.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0
barbaz
Senior Member
Posts: 11067
Joined: Sat Aug 03, 2013 5:45 pm

Re: No-script changes. This are errors or was intentional?

Post by barbaz »

Giorgio, is it really safe to allow every HTTPS site under the sun to access something like this?
Why not put in a placeholder which the user replaces with their banking site?

Code:

# Warsaw Agent exception.
Site https://127.0.0.1:30900
Accept from https://<your_banking_site_domain>/*
*Always* check the changelogs BEFORE updating that important software!
-
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: No-script changes. This are errors or was intentional?

Post by Giorgio Maone »

barbaz wrote:Giorgio, is it really safe to allow every HTTPS site under the sun to access something like this?
Why not put in a placeholder which the user replaces with their banking site?

Code:

# Warsaw Agent exception.
Site https://127.0.0.1:30900
Accept from https://<your_banking_site_domain>/*
Unfortunately there's no guarantee the main, visible domain of the banking site is the same one originating the request to localhost.
https://aapj.bb.com.br/ for instance does not seem to be a public website at all, therefore we should also require users to dig into their logs to search for the right <banking_site_domain>.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0
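
[Added example, not part of the original thread and not NoScript's own code.] The log digging described above can be scripted: this sketch scans Browser Console text for ABE denials aimed at a loopback address and prints a rule in the form posted earlier in the thread, limited to the origins that actually made the request. The log-line pattern is an assumption inferred from the two [ABE] lines quoted in this thread, and the function names and sample text are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the [ABE] console lines quoted in this thread.
SAMPLE_CONSOLE = """\
GET https://aapj.bb.com.br/aapj/includes/js/iptCheck.js [HTTP/1.1 200 OK 141 ms]
[ABE] < LOCAL> Deny on {GET https://127.0.0.1:30900/ <<< https://aapj.bb.com.br/aapj/loginmpe.bb?identificacaoUsuario=XXXX - 1}
SYSTEM rule:
[ABE] < LOCAL> Deny on {GET https://127.0.0.1:30900/ <<< https://127.0.0.1:30900/, https://internetbanking.caixa.gov.br/sinbc/#!nb/login - 1}
"""

# Assumed shape (inferred from the thread, not from NoScript documentation):
# [ABE] <RULE SITE> Deny on {METHOD destination <<< origin[, origin...] - N}
ABE_DENY = re.compile(
    r"\[ABE\]\s*<[^>]*>\s*Deny on \{\S+\s+(?P<dest>\S+)\s+<<<\s+"
    r"(?P<origins>.+?)\s+-\s+\d+\}"
)
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def is_loopback(url):
    return urlsplit(url).hostname in LOOPBACK_HOSTS


def site_of(url):
    """Reduce a URL to scheme://host[:port], dropping path, query and fragment."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def blocked_local_requests(console_text):
    """Map each blocked loopback destination to the remote origins that requested it."""
    found = {}
    for match in ABE_DENY.finditer(console_text):
        dest = match.group("dest")
        if not is_loopback(dest):
            continue  # only web-to-localhost denials are of interest here
        origins = (o.strip() for o in match.group("origins").split(", "))
        remote = {site_of(o) for o in origins if not is_loopback(o)}
        found.setdefault(site_of(dest), set()).update(remote)
    return found


def abe_rules(console_text):
    """Build one 'Site ... / Accept from ...' rule per blocked loopback destination."""
    rules = []
    for dest, origins in sorted(blocked_local_requests(console_text).items()):
        accept = " ".join(f"{origin}/*" for origin in sorted(origins))
        rules.append(f"Site {dest}\nAccept from {accept}")
    return rules


if __name__ == "__main__":
    print("\n\n".join(abe_rules(SAMPLE_CONSOLE)))
```

Only origins that appear in the user's own console output end up in the rule, so every other site stays covered by the SYSTEM rule's LOCAL protection.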
barbaz
Senior Member
Posts: 11067
Joined: Sat Aug 03, 2013 5:45 pm

Re: No-script changes. This are errors or was intentional?

Post by barbaz »

Ok I see the problem now. Thanks.
*Always* check the changelogs BEFORE updating that important software!
-
GµårÐïåñ
Lieutenant Colonel
Posts: 3369
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: No-script changes. This are errors or was intentional?

Post by GµårÐïåñ »

barbaz wrote:Ok I see the problem now. Thanks.
I think he is going for a wider-ranging rule to include the most fixes. Anyone who has enough knowledge can tighten it up a bit for their own purposes, but the wider range won't hurt them, so it will be more than they need perhaps but will be fine. At some point you have to rely on companion technology to pull their weight in determining safe or not.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.75 Safari/537.36
gwarah
Posts: 4
Joined: Wed Nov 09, 2016 4:58 pm

Re: No-script changes. This are errors or was intentional?

Post by gwarah »

Giorgio Maone wrote:OK, looks like the port doesn't change (always 30900), but of course the origin sites of banks trying to use this "Warsaw" agent vary.
I think this deserves its own FAQ.
Doesn't work; after a login attempt, the site still redirects to the security issues page. The Firefox console outputs these lines:

Code:

facebook Pixel Error: Duplicate Pixel ID: 906773689444391  fbevents.js:9:1613
1  home.js:575:5
formatação incorreta  topFrame.js:1:1
formatação incorreta  Clipper.js:1:1
formatação incorreta  ContentPreview.js:1:1
formatação incorreta  Coordinator.js:1:1
formatação incorreta  GlobalUtils.js:1:1
formatação incorreta  Promotion.js:1:1
formatação incorreta  CustomTooltipEligibility.js:1:1
formatação incorreta  checkSimSearch.js:1:1
formatação incorreta  pageVisible.js:1:1
formatação incorreta  PageInfo.js:1:1
formatação incorreta  isTest.js:1:1
formatação incorreta  domReady.js:1:1
Eventos Mutation não devem mais ser usados. No lugar, use MutationObserver.  ContentVeil.js:2:4660
O método getPreventDefault() não deve mais ser usado. No lugar, use defaultPrevented.  jquery.js:2:40608
ajax start  loadingModal.js:3:3
XML-Http-Request síncrono não deve ser usado na thread principal devido a seus efeitos prejudiciais para a experiência de usuário. Para mais informações http://xhr.spec.whatwg.org/  jquery.js:2:86393
ajax stop  loadingModal.js:6:3
ajax start  loadingModal.js:3:3
Object { rodape_txt_suporte: "<div style="position: absolute; lef…", rodape_link_seguranca: "http://www.caixa.gov.br/seguranca/P…", rodape_link_atendimento: "http://www.caixa.gov.br/atendimento…", rodape_link_ajuda: "http://www.caixa.gov.br/atendimento…", rodape_link_contrato: "https://internetbanking.caixa.gov.b…" }  main.js:1:13799
ajax stop  loadingModal.js:6:3
ajax start  loadingModal.js:3:3
ajax stop  loadingModal.js:6:3
ajax start  loadingModal.js:3:3
ajax stop  loadingModal.js:6:3
ajax start  loadingModal.js:3:3
ajax stop  loadingModal.js:6:3
formatação incorreta  topFrame.js:1:1
formatação incorreta  Clipper.js:1:1
formatação incorreta  ContentPreview.js:1:1
formatação incorreta  Coordinator.js:1:1
formatação incorreta  GlobalUtils.js:1:1
formatação incorreta  Promotion.js:1:1
formatação incorreta  CustomTooltipEligibility.js:1:1
formatação incorreta  checkSimSearch.js:1:1
formatação incorreta  pageVisible.js:1:1
formatação incorreta  PageInfo.js:1:1
formatação incorreta  isTest.js:1:1
formatação incorreta  domReady.js:1:1
unreachable code after return statement[Learn More]  funcoes.js:2693:1
A declaração da codificação de caracteres do documento HTML não foi encontrada ao verificar os primeiros 1024 bytes do arquivo. Ao ser aberta em um navegador configurado de forma diferente, a página será automaticamente recarregada. A declaração da codificação precisa ser movida para os primeiros 1024 bytes do arquivo.  concordo.htm:20
Using //@ to indicate sourceMappingURL pragmas is deprecated. Use //# instead[Learn More]  warsaw-zlib.js:39:661
Eventos Mutation não devem mais ser usados. No lugar, use MutationObserver.  ContentVeil.js:2:4660
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0