New (?) ecommerce site?

MyNameHere
Junior Member
Posts: 34
Joined: Mon Apr 26, 2010 4:41 pm

New (?) ecommerce site?

Post by MyNameHere »

Hi. I was trying to use Paypal to purchase something. I haven't had any problems using NoScript with Paypal before, but this merchant apparently was using the cardinalcommerce.com intermediary, and NoScript didn't like it.

I ended up first needing to allow cardinalcommerce.com, then to set up an XSS exception for it as well.

Looking at the Paypal website, it seems there are multiple intermediaries like cardinalcommerce.com. See this page.

Is this something that NoScript could be designed to handle by default?
Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: New (?) ecommerce site?

Post by Tom T. »

MyNameHere wrote: Hi. I was trying to use Paypal to purchase something. I haven't had any problems using NoScript with Paypal before, but this merchant apparently was using the cardinalcommerce.com intermediary, and NoScript didn't like it.
"didn't like it" -- actually, NoScript's basic "default-deny" policy: All scripts that are not already in the whitelist are blocked by default, unless/until you allow them, temporarily or permanently. This is the fundamental principle of NS protection, so it would be expected that the new commerce site's script would be blocked by default. This also gives you a chance to check them out, find out who they are, are they regarded as legitimate, etc. (For anywhere, not just paypal).
I ended up first needing to allow cardinalcommerce.com, then to set up an XSS exception for it as well.
Could you please reproduce the situation that generates the XSS message, then open Firefox Error Console (Ctrl+Shift+J), click the blue "Messages" icon, and copy/paste here any messages relating to NoScript? Especially those that start with [XSS]. Thanks. (Note: If the spam filter trips, try enclosing the messages in code tags.)
Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0.1
MyNameHere
Junior Member
Posts: 34
Joined: Mon Apr 26, 2010 4:41 pm

Re: New (?) ecommerce site?

Post by MyNameHere »

Tom T. wrote: "didn't like it" -- actually, NoScript's basic "default-deny" policy: All scripts that are not already in the whitelist are blocked by default, unless/until you allow them, temporarily or permanently. This is the fundamental principle of NS protection, so it would be expected that the new commerce site's script would be blocked by default. This also gives you a chance to check them out, find out who they are, are they regarded as legitimate, etc.
Yes, I certainly stopped and checked it out before proceeding, but it meant I had to restart the transaction from the beginning (took 3 tries total with the XSS issue).
I'm not sure how new this site is, really. I just wondered whether NoScript had a standard whitelist and whether the legitimate PayPal intermediaries could be added on your end so we don't find out in the middle of a transaction and face the possibility of multiple debits or at least require multiple attempts to complete a transaction.

I will see if I can reproduce the XSS situation and send you the information.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Hecuba's daughter
Senior Member
Posts: 93
Joined: Mon Oct 01, 2012 6:34 am

Re: New (?) ecommerce site?

Post by Hecuba's daughter »

nvm
Last edited by Hecuba's daughter on Wed Jun 18, 2014 6:57 pm, edited 1 time in total.
Mozilla/5.0 (Windows NT 5.1; rv:16.0.2) Gecko/20100101 Firefox/16.0.2 NoScript NoRedirect DownThemAll FlashGot
MyNameHere
Junior Member
Posts: 34
Joined: Mon Apr 26, 2010 4:41 pm

Re: New (?) ecommerce site?

Post by MyNameHere »

Thanks for the comments.

So far I haven't had any problems with duplicate payments, but it's on my mind.

Do you have any suggestions on how to reproduce the cardinalcommerce.com XSS problem in context without actually purchasing something from the same vendor?
Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: New (?) ecommerce site?

Post by Tom T. »

@ Hecuba's daughter:

All *very* well said. Thank you.


@ MyNameHere:
I just wondered whether NoScript had a standard whitelist...
Yes.

All of them, in Giorgio's mind, meet his definition of being accountable.
As HD said, adding new ones randomly is not going to happen. A record of trustworthiness, accountability, and *need*, which means popularity. If a site is used by only a small number of users, why add it to the default whitelist for everyone?

I delete much of the default whitelist, because I don't use the site or don't need their scripting even if I do visit.
Do you have any suggestions on how to reproduce the cardinalcommerce.com XSS problem in context without actually purchasing something from the same vendor?
I don't use PayPal. However, at Amazon, I can go all the way through the checkout process, including entering credit card #, and have a final "verification" before "submit" -- which is a chance to cancel the entire transaction. Did you not get that final verify with the new site? If so, remove the XSS exception and try that.

Even if not, I would imagine that as soon as PayPal brought cardinalcommerce into the picture, the XSS message would show.
You may leave cardinal in the scripting whitelist should you like (NS Options > Whitelist), but again, be sure to remove the XSS exception from Advanced > XSS before trying this.

Umm, I don't suppose the old message is still in the error console? Long shot, but apparently some users browse for days on end without ever closing/restarting the browser (or their machines). Bad practice on multiple counts, but just in case ... ?
Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0.1
Hecuba's daughter
Senior Member
Posts: 93
Joined: Mon Oct 01, 2012 6:34 am

Re: New (?) ecommerce site?

Post by Hecuba's daughter »

nvm
Last edited by Hecuba's daughter on Wed Jun 18, 2014 6:58 pm, edited 1 time in total.
Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0.1 NoScript NoRedirect DownThemAll FlashGot
MyNameHere
Junior Member
Posts: 34
Joined: Mon Apr 26, 2010 4:41 pm

Re: New (?) ecommerce site?

Post by MyNameHere »

I removed the XSS exception and started to place an order.

Sorry, I got as close as I was willing ("Place your order" button) and didn't see the XSS message, so I stopped.

If I run across this issue during an actual purchase in the future, I'll try to capture the info and post it.
Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: New (?) ecommerce site?

Post by Tom T. »

OK, thanks. At least now you have your XSS protection back.

If anyone else encounters this message with PayPal via cardinalcommerce, please post the XSS error console report here, thanks.
Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0.1
Hecuba's daughter
Senior Member
Posts: 93
Joined: Mon Oct 01, 2012 6:34 am

Re: New (?) ecommerce site?

Post by Hecuba's daughter »

nvm
Last edited by Hecuba's daughter on Wed Jun 18, 2014 6:58 pm, edited 1 time in total.
Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0.1 NoScript NoRedirect DownThemAll FlashGot
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: New (?) ecommerce site?

Post by Tom T. »

It's still as you described, no third party (from memory, but I did buy something from them fairly recently). The point of the Amazon post was that even after entering payment method, there was still a chance to confirm the order or cancel it. I had hoped that OP could get to cardinalcommerce, thus reproducing the XSS message, while still having a chance to cancel the transaction.
Apparently, not, or unsure and not willing to risk it.

That took only a minute or two -- no problem. :)
Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0.1
Hecuba's daughter
Senior Member
Posts: 93
Joined: Mon Oct 01, 2012 6:34 am

Re: New (?) ecommerce site?

Post by Hecuba's daughter »

nvm
Last edited by Hecuba's daughter on Wed Jun 18, 2014 6:59 pm, edited 1 time in total.
Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0.1 NoScript NoRedirect DownThemAll FlashGot
MyNameHere
Junior Member
Posts: 34
Joined: Mon Apr 26, 2010 4:41 pm

Re: New (?) ecommerce site?

Post by MyNameHere »

Tom T. wrote: ... Apparently, not, or unsure and not willing to risk it.
...
Yes, I was not willing to continue past that point.

It's interesting that under normal circumstances you proceed through a transaction (or, at least, I do) without paying a lot of attention to the sequence of events. So I was not sure whether or not I would have another, final confirmation of the transaction.

I'll post if/when I run into the issue again.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: New (?) ecommerce site?

Post by Tom T. »

Hecuba's daughter wrote:I'd considered the OP's question finalised but Amazon's use or not of a third-party was a selfish side-issue about my trust for Amazon, nothing to do with your description to the OP about what to expect in a payment authorisation; after all, every online payment, whether in-house or third-party managed, has the "commit" step, certainly, so your original outline of what to expect would natch apply to any online payment.
I was simply a little hopeful that I might have been able to shop Amazon at last.
*Personal opinion only*, I do not use PayPal. They have had their share of security compromises, and also many complaints of users having a hard time getting refunds for duped or canceled transactions, returns, etc. I have no personal knowledge on the latter.

IIUC, I'm giving PayPal unfettered access to my bank account, rather than to a single credit card. Most credit card issuers (in my experience in the US) are very prompt at resolving disputes, and generally you have *no* liability for unauthorized purchases if you report your card lost or stolen as soon as reasonably possible after the fact, or if you notify them promptly of an unrecognized charge on your monthly statement. Amazon also stands behind their payment processing.

Yes, I have had two occasions where someone hacked a merchant's CC database (not Amazon), and the credit card company promptly blocked all affected (20,000 or so?) accounts, called me by phone (not quite in time once, which is why it seems to be a good idea to carry two different cards, in case one is suddenly blocked), confirmed by postal mail with a new card and a new number. No loss to me.

OTOH, they've called twice about what some computer algorithm flagged as "an unusual or suspicious series of charges". In both cases, all charges were legit, but I appreciate that they're proactively looking for signs of card theft.

IMHO, if a database is going to be hacked, I'd rather it contain only one credit card number rather than all the details of my bank account. YMMV.
Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0.1
Hecuba's daughter
Senior Member
Posts: 93
Joined: Mon Oct 01, 2012 6:34 am

Re: New (?) ecommerce site?

Post by Hecuba's daughter »

nvm
Last edited by Hecuba's daughter on Wed Jun 18, 2014 6:59 pm, edited 2 times in total.
Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0.1 NoScript NoRedirect DownThemAll FlashGot