NoScript causing hang on lloydstsb UK Bank?

Ask for help about NoScript, no registration needed to post
bgiles
Posts: 3
Joined: Sun Oct 04, 2015 6:29 pm

Re: NoScript causing hang on lloydstsb UK Bank?

Post by bgiles » Mon Oct 05, 2015 5:47 am

Martyn wrote:Hi All,

Just wanted to register that I'm also getting this same problem, have been for a few weeks now.

I normally see it on the account overview page (https://secure.lloydsbank.co.uk/persona ... _personal/), the page loads and display fine, then it locks for around 25 seconds, starts running again for a split second and then locks for another 25 seconds.

Then I receive two "save file" dialogs with the filename and file type corrupted with JavaScript code.

Filename:

Code: Select all

javascript__(function(){function i(){if(typeof XMLHttpRequest!='undefined'){return new XMLHttpRequest()}try{return new ActiveXObject(_Msxml2.XMLHTTP_)}catch(e){try{return new ActiveXObject(_Microsoft.XMLHTTP_)}catch(e){}}}function j(a){if(typeof(a)==_string_)


After that the page is fine until I reload it.

I'm happy to run any tests if need be.

Regards,
Martyn.



Hi Martyn

I been working with all *lloydsbank.co.uk domains forbidden to get around this problem, having tried many permutations in NoScript.
Whilst this works fine, pages didn't always display as intended.

Following your post, I then tried adding ONLY secure.lloydsbank.co.uk to the whitelist, and now I've got normal loading times & the correct page layout, as far as I can tell from all the sub pages I visited.

Thanks for the clue.

Brian
Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0

Ashjuk
Junior Member
Posts: 21
Joined: Mon Oct 05, 2015 6:52 am

Re: NoScript causing hang on lloydstsb UK Bank?

Post by Ashjuk » Mon Oct 05, 2015 7:13 am

I found this forum because I am having almost the exact same problems with the Natwest on-line banking site - page hangs and eventually a message box pops up prompting me to save or cancel a javascript file. If I select cancel the site works until the next page refresh when the process starts over.

Talk on the Natwest community forum about this seems to point the finger at NoScript but as of yet there has been no definitive answer from Natwest other than not to use NoScript. I have been using Natwest on-line banking with Firefox and NoScript for years with no issues, it has only been the past few weeks that this problem has arisen.

I will continue to monitor this thread to see if anyone find a permanent fix.

Thanks,
Ashley
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0

katydid

Re: NoScript causing hang on lloydstsb UK Bank?

Post by katydid » Mon Oct 05, 2015 9:59 am

Having the same problem with Santander for the last few weeks so it seems a wide spread problem.
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0

barbaz
Senior Member
Posts: 9268
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript causing hang on lloydstsb UK Bank?

Post by barbaz » Mon Oct 05, 2015 4:33 pm

Ashjuk wrote:as of yet there has been no definitive answer from Natwest other than not to use NoScript.

Image Wow... they are a *bank* and they're recommending to drop way more of your cyber-security than needed to avoid problems resulting from their insecure site design? Has anyone actually pointed them to this forum?
As noted in the linked threads this likely related to the XSS filter objecting to the very bad and very insecure practice of playing with window.name - so if you've no time to troubleshoot, disable the XSS filter (NoScript Options > Advanced > XSS, un-check both boxes) and use a separate browser session to access the site (IOW, restart the browser & don't visit any other site until logging out, re-enabling the XSS filter, clearing cookies & the like for the site, and again restarting the browser). But again, that's just a work-around, better solution is to go with what others have said works with marking sites as Untrusted or blocking the culprit script(s) with ABE and/or surrogate script.
*Always* check the changelogs BEFORE updating that important software!
-

Ashjuk
Junior Member
Posts: 21
Joined: Mon Oct 05, 2015 6:52 am

Re: NoScript causing hang on lloydstsb UK Bank?

Post by Ashjuk » Tue Oct 06, 2015 7:20 am

barbaz wrote:...Has anyone actually pointed them to this forum?

Yes. I posted a link to this thread on the Natwest forum yesterday morning and it has been read by one of their support staff, so hopefully between them all a fix will come along soon.

It seems odd that it appears to be restricted to banking sites, I've not experienced a problem with any other site. Meanwhile I am using Chrome with the ScriptSafe add-on to access Natwest On-line banking and that works fine.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: NoScript causing hang on lloydstsb UK Bank?

Post by Thrawn » Thu Oct 08, 2015 11:49 pm

Ashjuk wrote:I am using Chrome with the ScriptSafe add-on to access Natwest On-line banking and that works fine.

Well, that's probably because ScriptSafe doesn't have a cross-site scripting filter.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0

SimonC
Posts: 1
Joined: Fri Oct 09, 2015 11:21 am

Re: NoScript causing hang on lloydstsb UK Bank?

Post by SimonC » Fri Oct 09, 2015 12:24 pm

FAO: those banking online with Lloyds Bank and experiencing the hanging problem in Firefox with NoScript (seems to be related to the domain marketing.lloydsbank.co.uk trying to run javascript and/or an ActiveX object).

[Please bear with me. This is the first time I have ever posted to a forum.]

I have found a 'solution' of sorts, which seems to be working for me so far.

CAVEAT. I have no specific technical expertise (other than a simple ability to write or adapt regular expressions). Therefore, I make no claims for this 'solution', in terms of efficacy or security. I leave that for others to comment upon.

All I did was to adapt a regular expression I found in the NoScript FAQs and added the following line to the Anti-XSS Protection Exceptions (on the XSS tab of NoScript's Advanced Options):

[dangerous suggestion deleted by moderator]

And it worked. After months of frustration and hours of lost time, it seems too simple to be true. By creating such an exception, I am, of course, having to assume that banking websites are secure enough not to be vulnerable to XSS attacks. As I say, others may comment on that.

BTW, I also removed the older lloydstsb.co.uk from my whitelist, which for me has been superceded by lloydsbank.co.uk - which no doubt has no bearing on the present problem, but at least is a bit tidier.

Hoping this post helps, and happy to be contradicted and/or for any naivety on my part to be ruthlesly exposed.

Simon
Last edited by barbaz on Fri Oct 09, 2015 5:05 pm, edited 1 time in total.
Reason: remove dangerous suggestion
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0

barbaz
Senior Member
Posts: 9268
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript causing hang on lloydstsb UK Bank?

Post by barbaz » Fri Oct 09, 2015 5:08 pm

@SimonC: That is NOT safe, you are allowing *all* sites to XSS your bank! :o
Please try instead an XSS exception for origin of request instead - that is, match "@" plus the URL per the sticky viewtopic.php?f=7&t=17774

In your case you would (at minimum) change the leading '^' to '^@'

This would instead allow your bank to XSS all sites.


Once you get an origin exception working, please post it here or edit in your above post. Thanks
*Always* check the changelogs BEFORE updating that important software!
-

bgiles
Posts: 3
Joined: Sun Oct 04, 2015 6:29 pm

Re: NoScript causing hang on lloydstsb UK Bank?

Post by bgiles » Fri Oct 09, 2015 7:04 pm

Does the following not work for other Lloyds Bank customers using NoScript?

Allow: secure.lloydsbank.co.uk (i.e. added to whitelist)
Remove all other entries containing lloydsbank.co.uk from whitelist.

I've been using this arrangement for a few days now, loads normally, and without any apparent side effects.
Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0

barbaz
Senior Member
Posts: 9268
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript causing hang on lloydstsb UK Bank?

Post by barbaz » Sun Oct 11, 2015 4:11 am

I just saw this on the #dev page:

https://noscript.net/getit#devel wrote:v 2.6.9.39rc1
=============================================================
x Work-around for a XSS "false positive" caused by nwolb.com
passing Javascript code across subdomains in window.name
(thanks Sagiv MAsvari for reporting)


Does the bank site(s) work fine just with 2.6.9.39rc1, or are the mentioned work-around(s) still needed?
*Always* check the changelogs BEFORE updating that important software!
-

User avatar
therube
Ambassador
Posts: 7459
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: NoScript causing hang on lloydstsb UK Bank?

Post by therube » Sun Oct 11, 2015 12:10 pm

With BoA, the work-around is no longer needed when using NoScript 2.6.9.39rc1.
(Though I'm thinking I might just keep it, the work-around, anyhow.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0 SeaMonkey/2.38

sonrock3
Posts: 1
Joined: Tue Oct 13, 2015 8:33 am

Re: NoScript causing hang on lloydstsb UK Bank?

Post by sonrock3 » Tue Oct 13, 2015 9:01 am

...and on other banks for me.
Solution for me seems to be remove banks (all their pages) from whitelist.
= makes sense since I assume the problem script will be blocked and no attempt made to load it.

PS I had assumed the maybe this was all a red herring, and maybe the real culprit was Trusteer's Rapport which I had running.
Disabling this did not fix the problem, so I will re-enable Rapport.
Stephen
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0

StephenD

Re: NoScript causing hang on lloydstsb UK Bank?

Post by StephenD » Tue Oct 13, 2015 5:17 pm

I have the same problem with Bank of Scotland web site. There seems to be a Javascript Join function that hangs Firefox and comes up with the 2 error message boxes. I also have Marketing.[bank domain] as the join it is trying to do. Hitting the cancel button on the error messages frees up the site for browsing but every time there is a return to the home page, the hang re-occurs. Oddly, this does not affect the business internet banking page.
Bank of Scotland online help have stated it is not their problem :roll:
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0

nft76
Posts: 5
Joined: Sat Jun 13, 2015 10:13 am

Re: NoScript causing hang on lloydstsb UK Bank?

Post by nft76 » Wed Oct 14, 2015 9:15 pm

I have the same problem with the Halifax bank (also owned by Lloyds).

I can provoke the problem by:
1) disable all Firefox extensions - verify it's OK
2) enable NoScript, even with "Allow All Scripts" - and it loops.

Not good.
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0

White Rabbit

Re: NoScript causing hang on lloydstsb UK Bank?

Post by White Rabbit » Wed Oct 14, 2015 9:38 pm

Hanging is also occurring on Co-operative Bank personal online banking site:

Code: Select all

https://personal.co-operativebank.co.uk/CBIBSWeb/start.do

I've isolated that the addon causing it is NoScript and in my case it only started happening two days ago on the last update: verison 2.6.9.38 (12 Oct 2015). Prior to this I had no problems.

Running Windows 10 Home. Firefox 41.0.1.

When accessing above link, Firefox hangs for up to 15 seconds. Sometimes (randomly) it will ask to save a .js file. Most attempts will cause the banking site to go to its error (logout) page which claims that browser buttons or a refresh were used (when they were not).

This bug occurs whether Trusteer Rapport is installed or not.
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0

Post Reply