Page 4 of 6

Re: NoScript causing hang on lloydstsb UK Bank?

Posted: Sun Nov 15, 2015 5:50 pm
by leamphil
Not sure if I did it correctly but it did not work.

In the list of Anti-XSS Exceptions below the two check boxes (back on) I added ^@https://www.halifax-online.co.uk/
where www.halifax-online.co.uk is the website I'm logging on to.

Re: NoScript causing hang on lloydstsb UK Bank?

Posted: Sun Nov 15, 2015 5:54 pm
by leamphil
It worked when I used the correct web adddress secure.halifax-online.co.uk rather than the gateway www.halifax-online.co.uk

Problem solved, or at least bypassed.

Thanks very much for your assistance.

Re: NoScript causing hang on lloydstsb UK Bank?

Posted: Sun Nov 15, 2015 6:26 pm
by barbaz
You're welcome. Image

I'd say solved for you.

Re: NoScript causing hang on lloydstsb UK Bank?

Posted: Tue Nov 17, 2015 2:23 pm
by bgiles
leamphil wrote:It worked when I used the correct web adddress secure.halifax-online.co.uk rather than the gateway www.halifax-online.co.uk

Problem solved, or at least bypassed.

Thanks very much for your assistance.


I think this is a similar result to what I've seen, and then reported on 9th October, but nobody else who uses Lloyds Bank has confirmed.
I'm still using this arrangement, which works for me.
Allowing anything else from lloydsbank.co.uk causes a hang.

bgiles wrote:Does the following not work for other Lloyds Bank customers using NoScript?

Allow: secure.lloydsbank.co.uk (i.e. added to whitelist)
Remove all other entries containing lloydsbank.co.uk from whitelist.

I've been using this arrangement for a few days now, loads normally, and without any apparent side effects.

Re: NoScript causing hang on lloydstsb UK Bank?

Posted: Mon Nov 23, 2015 11:52 am
by mikew
I'm also having this problem on tsb.co.uk which used to be owned by Lloyds. Its relatievly new. Wasn't there a few feeks ago. The problem is somewhat similar to the nwolb problem in that it hangs a while and then tries to lownload an empty file with a filename that looks like java script. After clicking save it works for a while until you click on another link and then it hangs again. I haven't found any of the workarounds that work yet.

Re: NoScript causing hang on lloydstsb UK Bank?

Posted: Mon Nov 23, 2015 4:46 pm
by ordinary-user-55
I'm having the same problem, it freezes the whole browser for about 30secs when I go into my Lloyds account.
Unusable.

Another thing I dislike is when doing an online payment to some vendor, I get a warning about a cross-scripting attempt when it goes to Lloyds Clicksafe.
This is accompanied by a pop-up window containing a lot of tabs and jargon which would take me the rest of the day to decipher.
Can't it just have "allow" or "deny" buttons for this window for non-geeks like me?

I'm now experimenting with a separate "banking" installation of Firefox with no add-ons at all, except Whitelist Ninja.
It's VERY fast, and looking promising.

Re: NoScript causing hang on lloydstsb UK Bank?

Posted: Tue Nov 24, 2015 2:11 am
by Thrawn
It sounds like Lloyds' website has some significant security weaknesses. Using a separate banking-only profile is probably a good choice.

Re: NoScript causing hang on lloydstsb UK Bank?

Posted: Wed Nov 25, 2015 4:00 pm
by myhos
Hi,

In France, I have this same problem a few days ago with the website of Société Générale.

I followed the Barbaz setpoint (Sun 15 November, 2015). In the list of exceptions protection Anti-XSS, I added the following line:
^@ https: //particuliers.societegenerale.fr/.
My Whitelist contains the address https://particuliers.societegenerale.fr/.

Access to Société Générale site now seems to work well. Are my options correct? Are there any security risks?

Thank you for any information. Best regards.

Re: NoScript causing hang on lloydstsb UK Bank?

Posted: Wed Nov 25, 2015 4:25 pm
by barbaz
myhos wrote:^@ https: //particuliers.societegenerale.fr/.

I'm surprised it works with the whitespace in there... also you should use "\." instead of just "." because in regex the unescaped . character matches any character.

myhos wrote:Are there any security risks?

It depends if the XSS filter is actually taking action. Please temporarily remove that exception and check the Browser Console (Ctrl-Shift-J) when this issue happens and look for InjectionChecker or NoScript XSS messages.

If there are any, then I strongly recommend to remove that exception because a website messing with window.name in a way that trips the XSS filter poses both a security risk and a privacy risk (any site you visit can read the contents of window.name regardless of what set it). Well, at least the other bank sites mentioned in this thread were messing with window.name, I am assuming it'd be the same for yours if this case applies to you.

If there are no such messages, leave the exception because it's probably the best answer in that case.

Please let us know, thanks.

Re: NoScript causing hang on lloydstsb UK Bank?

Posted: Wed Nov 25, 2015 5:37 pm
by myhos
Hi Bazbaz,
First of all thank you for your quick response.

My mistake in copying address! There is no space in the URL ... Sorry!

I did the test suggested after deleting the exception. At first, the Web page is frozen (in French "Firefox ne répond pas"). Unable to activate the console. Then I regained access to the page and display the console.

Several messages appear actually:
[NoScript InjectionChecker] Injection JavaScript in .....
and
[NoScript XSS] sanitized window.name, .....

How normally access my bank website without temporarily disable NoScript?

Also sorry for my bad english ...

Re: NoScript causing hang on lloydstsb UK Bank?

Posted: Wed Nov 25, 2015 11:42 pm
by Thrawn
It may be best to create a second profile and use that exclusively for your bank.

Re: NoScript causing hang on lloydstsb UK Bank?

Posted: Thu Nov 26, 2015 12:54 am
by barbaz
@myhos: Votre anglais n'est pas mal.
Pouvez-vous trouver ce qu'est la scripte qui fait ça et le bloquer avec ABE?
(Certaines personnes peuvent bloquer domain entière par le marquer comme Untrusted.)

Re: NoScript causing hang on lloydstsb UK Bank?

Posted: Thu Nov 26, 2015 5:19 pm
by myhos
Hello Barbaz and Thrawn,

Thank you for your answers. I study your proposals and try. I would inform you of the following.

@ Thrawn:
Is creating a new profile dedicated exclusively to relationships with my bank requires specific settings NoScript ?

@ Barbaz:
Thank you for your nice answer in French !

I performed HttpFox on the home page of Société Générale. I can not find a script that causes blocking (but perhaps I did not recognize ...).
Page freeze about 4 or 5 minutes, 2 windows are displayed, offering downloading two empty files.

Then, the site works correctly.
Best Regards.

Re: NoScript causing hang on lloydstsb UK Bank?

Posted: Thu Nov 26, 2015 5:36 pm
by barbaz
myhos wrote:@ Barbaz:
Thank you for your nice answer in French !

de rien :)

myhos wrote:I performed HttpFox on the home page of Société Générale. I can not find a script that causes blocking (but perhaps I did not recognize ...).

En général c'est essai et erreur. Bloquer les scriptes un à un et voyez si 1) le site marche 2) le blocage a disparu.

(English, for those who can't read French)
In general it's trial and error. Block the scripts one by one and see if 1) the site works 2) the hanging is gone.

Re: NoScript causing hang on lloydstsb UK Bank?

Posted: Thu Nov 26, 2015 5:51 pm
by barbaz
myhos wrote:Is creating a new profile dedicated exclusively to relationships with my bank requires specific settings NoScript ?

Si vous faites ça vous pouvez choisir soit utiliser NoScript avec l'éxception XSS ou n'installer pas NoScript. Vous n'auriez pas visiter des autres sites dans ce profile, ainsi XSS à window.name n'est pas tout à fait si mal pour vous...