SOLVED - Problems using No Script with Bank of America site

Ask for help about NoScript, no registration needed to post
lakrsrool
Senior Member
Posts: 195
Joined: Wed Nov 12, 2014 4:20 pm

Re: Problems using No Script with Bank of America site

Post by lakrsrool »

I've disabled the upper XSS setting again to be able to log in in a timely manner (top setting, so both are disabled; I've been disabling the lower (bottom) setting for a while now because other bank sites won't work with this lower XSS setting enabled) and have been logging in, but now I'm finding that the website won't finish logging out.

So I've gone to the console log again and found just one entry which was the following: "ReferenceError: mboxCreate is not defined full-signoff-default.go:38:0". This was all of what I found while the website was still hung up logging off and remains hung up after 15 minutes. I end up just closing the browser tab when this happens.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: Problems using No Script with Bank of America site

Post by barbaz »

lakrsrool wrote:I've disabled the upper XSS setting again to be able to log in in a timely manner (top setting, so both are disabled; I've been disabling the lower (bottom) setting for a while now because other bank sites won't work with this lower XSS setting enabled) and have been logging in
While in this "XSS filter off" configuration, can you check the value of window.name when you are on the page after the one that's causing the hang?
(Ctrl-Shift-K -> type window.name at the prompt & hit Enter, copy&paste what it spits back out, if something other than "")
lakrsrool wrote:but now I'm finding that the website won't finish logging out.

So I've gone to the console log again and found just one entry which was the following: "ReferenceError: mboxCreate is not defined full-signoff-default.go:38:0". This was all of what I found while the website was still hung up logging off and remains hung up after 15 minutes. I end up just closing the browser tab when this happens.
Blocking any scripts anywhere along the logout process?
If you don't see anything can you check with NoRedirect configured to block all redirects (Regex: .*, check only "Source"), in case it's an intermediate landing page of some sort where that script is blocked?
*Always* check the changelogs BEFORE updating that important software!
-
lakrsrool
Senior Member
Posts: 195
Joined: Wed Nov 12, 2014 4:20 pm

Re: Problems using No Script with Bank of America site

Post by lakrsrool »

barbaz wrote:
lakrsrool wrote:I've disabled the upper XSS setting again to be able to log in in a timely manner (top setting, so both are disabled; I've been disabling the lower (bottom) setting for a while now because other bank sites won't work with this lower XSS setting enabled) and have been logging in
While in this "XSS filter off" configuration, can you check the value of window.name when you are on the page after the one that's causing the hang?
(Ctrl-Shift-K -> type window.name at the prompt & hit Enter, copy&paste what it spits back out, if something other than "")
There was nothing when I entered "window.name" in the "filter output" search, if that's what you're asking me to do. If I'm misunderstanding please explain further.
barbaz wrote:
lakrsrool wrote:but now I'm finding that the website won't finish logging out.

So I've gone to the console log again and found just one entry which was the following: "ReferenceError: mboxCreate is not defined full-signoff-default.go:38:0". This was all of what I found while the website was still hung up logging off and remains hung up after 15 minutes. I end up just closing the browser tab when this happens.
Blocking any scripts anywhere along the logout process?
If you don't see anything can you check with NoRedirect configured to block all redirects (Regex: .*, check only "Source"), in case it's an intermediate landing page of some sort where that script is blocked?
Added the "NoRedirect" add-on; now, if I'm understanding you correctly, I added "Regex: .*" to the "RegEx Pattern" column and ticked "Source" only. Btw, side note: all the others in the "RegEx Pattern" column start out with "http://" (web address related). I'm not sure if I was supposed to put only "Regex:.*" in the "RegEx Pattern" column, but that's what I did.

I then logged in and nothing happened other than my successful login to the web site.

Again, if I'm misunderstanding your instructions please explain in more detail.

Thanks.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
lakrsrool
Senior Member
Posts: 195
Joined: Wed Nov 12, 2014 4:20 pm

Re: Problems using No Script with Bank of America site

Post by lakrsrool »

I've cleared the "console" log at the point when I log in and the website hangs the computer when XSS is enabled (top option), and here is what the log gave me from the point of logging in up to when login is finished (if this helps any). (Of course there is no hang here because I've disabled the XSS option, if this makes a difference):

ReferenceError: showSasiOverlay is not defined signIn.go:119:6
ReferenceError: $ is not defined signIn.go:978:0
ReferenceError: boaMboxCreate is not defined signIn.go:1107:2
ReferenceError: $ is not defined signIn.go:1125:1
ReferenceError: OOo is not defined signIn.go:2939:6
ReferenceError: $ is not defined signIn.go:2998:5
ReferenceError: $ is not defined signIn.go:3031:4
ReferenceError: $ is not defined auth-chat.js:3:0
ReferenceError: $ is not defined signIn.go:3400:0
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://streak.bankofamerica.com/30306/I3n.js. (Reason: CORS header 'Access-Control-Allow-Origin' does not match '*'). <unknown>
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] images.cardlytics.com
about:blank : Unable to run script because scripts are blocked internally. <unknown>
about:blank : Unable to run script because scripts are blocked internally. <unknown>
Empty string passed to getElementById(). signIn.go:1:0
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] deploy2.asp
about:blank : Unable to run script because scripts are blocked internally. <unknown>
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] mTag.js
about:blank : Unable to run script because scripts are blocked internally. <unknown>
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] LPBofA2
about:blank : Unable to run script because scripts are blocked internally. <unknown>
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] LPBofA2
about:blank : Unable to run script because scripts are blocked internally. <unknown>
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] LPBofA2
about:blank : Unable to run script because scripts are blocked internally. <unknown>
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] LPBofA2
about:blank : Unable to run script because scripts are blocked internally. <unknown>
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] LPBofA2
about:blank : Unable to run script because scripts are blocked internally. <unknown>
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
lakrsrool
Senior Member
Posts: 195
Joined: Wed Nov 12, 2014 4:20 pm

Re: Problems using No Script with Bank of America site

Post by lakrsrool »

OK, now I've ENABLED the XSS option and cleared the "console" log once again:

THIS IS WHAT I GET UP UNTIL WHEN THE COMPUTER LOCKS UP (btw, the website page is loaded and the account interface displays just fine, it's just that the computer is locked at the point of the LAST LINE in this section):
A form was submitted in the windows-1252 encoding which cannot encode all Unicode characters, so user input may get corrupted. To avoid this problem, the page should be changed so that the form is submitted in the UTF-8 encoding either by changing the encoding of the page itself to UTF-8 or by specifying accept-charset=utf-8 on the form element. cm-jawr.js:1:0
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] urlinfo
ReferenceError: showSasiOverlay is not defined signIn.go:119:6
ReferenceError: $ is not defined signIn.go:978:0
ReferenceError: boaMboxCreate is not defined signIn.go:1107:2
ReferenceError: $ is not defined signIn.go:1125:1
ReferenceError: OOo is not defined signIn.go:2939:6
ReferenceError: $ is not defined signIn.go:2998:5
ReferenceError: $ is not defined signIn.go:3031:4
ReferenceError: $ is not defined auth-chat.js:3:0
ReferenceError: $ is not defined signIn.go:3400:0
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://streak.bankofamerica.com/30306/I3n.js. (Reason: CORS header 'Access-Control-Allow-Origin' does not match 'https://www.bankofamerica.com'). <unknown>
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] images.cardlytics.com
about:blank : Unable to run script because scripts are blocked internally. <unknown>
[NoScript InjectionChecker] JavaScript Injection in qp=ci=4&dn=4b4f263cb21633d&pd=cid=6&d=e5uUWaTp3wcBRu%2B2s3ANwWqrcBzgalcud90skONtgrf82CNbd7yDhYjnxbTSRjZUObj7f3oY%2F%2FjI9yeGvr7GteBL%2BzSX%2BTi2ADAlzMv7abJgmsrw%2FW65tw2qenwdFDkFmNpc4AgcqkNxBoVwyGyq0ABWRyhF6BAEFEIJntfJi%2FFdveXDOu4Pcz%2F3Di7mTjHMV7uQp3hHPKTo3RRWPKqSBmo%2BRc6RJdlNw%2F9WdT0MCp9QfBtuKqEkOiHAWo%2BMcuFZnCzswwyn9GtxuDAPLTgJlW7CiUoYFXemaj0FyhCOF0ZNfNV8Z99%2BHASE4wH%2BaXL3dVx1w57dreoJ5qKY0YnEEg5iSCZUyLrtX3B4ywKc7Gvpg4AP9D10VUVhMC%2B3H%2B5wv5zdi14k5L5tm1cqEEwdJ%2BDk4LjPkDPiybe5mvxE%2FyVAqs0ElXjgWdjh4%2Fo4%2FCG633JkRHpCoJrQA%2FwkOUkMJZl1b7ykn8ccB4%2FVJDye7UFwHCRGnc6MiK90VtJWYb5EtZWYYG8v1yThM%2BUpQlNTjJR1vDCsGe9EDze0nxgMqtD4MfqK6MWUKJHEJh2iVSXTq8hgH31NwUOr%2FxvebRiZlAl71xekSSu%2Bviqj648g%2B5U6L7jhBCfHKFZOf2aviBlPug4PdCDG4st5GUqgp7vGUF51wG32I0lsPlQlLmv3mIfu%2FLQkjaIhqPovbEi4Pb%2BM1mbE4Jz3eoTqEw5D%2BuOBsqgNCQG4bCeo6sG9GmfbSN05UCLyh6gnxTMYCuT89kommL242TxJoHMeTt8zTvYjdUhf4GM9Lmi%2B6N1Nys7mKImILUKbKBnqrR%2FsffB218mPgx%2FfvmkkdTgUlCP9
[NoScript XSS]: sanitized window.name, "qp=ci%3D4%26dn%3D4b4f263cb21633d&pd=cid%3D6%26d%3De5uUWaTp3wcBRu%252B2s3ANwWqrcBzgalcud90skONtgrf82CNbd7yDhYjnxbTSRjZUObj7f3oY%252F%252FjI9yeGvr7GteBL%252BzSX%252BTi2ADAlzMv7abJgmsrw%252FW65tw2qenwdFDkFmNpc4AgcqkNxBoVwyGyq0ABWRyhF6BAEFEIJntfJi%252FFdveXDOu4Pcz%252F3Di7mTjHMV7uQp3hHPKTo3RRWPKqSBmo%252BRc6RJdlNw%252F9WdT0MCp9QfBtuKqEkOiHAWo%252BMcuFZnCzswwyn9GtxuDAPLTgJlW7CiUoYFXemaj0FyhCOF0ZNfNV8Z99%252BHASE4wH%252BaXL3dVx1w57dreoJ5qKY0YnEEg5iSCZUyLrtX3B4ywKc7Gvpg4AP9D10VUVhMC%252B3H%252B5wv5zdi14k5L5tm1cqEEwdJ%252BDk4LjPkDPiybe5mvxE%252FyVAqs0ElXjgWdjh4%252Fo4%252FCG633JkRHpCoJrQA%252FwkOUkMJZl1b7ykn8ccB4%252FVJDye7UFwHCRGnc6MiK90VtJWYb5EtZWYYG8v1yThM%252BUpQlNTjJR1vDCsGe9EDze0nxgMqtD4MfqK6MWUKJHEJh2iVSXTq8hgH31NwUOr%252FxvebRiZlAl71xekSSu%252Bviqj648g%252B5U6L7jhBCfHKFZOf2aviBlPug4PdCDG4st5GUqgp7vGUF51wG32I0lsPlQlLmv3mIfu%252FLQkjaIhqPovbEi4Pb%252BM1mbE4Jz3eoTqEw5D%252BuOBsqgNCQG4bCeo6sG9GmfbSN05UCLyh6gnxTMYCuT89kommL242TxJoHMeTt8zTvYjdUhf4GM9Lm
https://roll.bankofamerica.com/boaa/ghb3.html?
about:blank

THIS IS WHAT I GET IN THE LOG AFTER THE COMPUTER IS FREED UP AGAIN:
about:blank : Unable to run script because scripts are blocked internally. <unknown>
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] mTag.js
about:blank : Unable to run script because scripts are blocked internally. <unknown>
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] LPBofA2
about:blank : Unable to run script because scripts are blocked internally. <unknown>
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] LPBofA2
about:blank : Unable to run script because scripts are blocked internally. <unknown>
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] LPBofA2
about:blank : Unable to run script because scripts are blocked internally. <unknown>
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] LPBofA2
about:blank : Unable to run script because scripts are blocked internally. <unknown>
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] LPBofA2
about:blank : Unable to run script because scripts are blocked internally. <unknown>
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] LPBofA2
about:blank : Unable to run script because scripts are blocked internally. <unknown>
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] LPBofA2
about:blank : Unable to run script because scripts are blocked internally. <unknown>
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] LPBofA2
about:blank : Unable to run script because scripts are blocked internally. <unknown>
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] LPBofA2
about:blank : Unable to run script because scripts are blocked internally. <unknown>
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] LPBofA2
about:blank : Unable to run script because scripts are blocked internally. <unknown>
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] LPBofA2
about:blank : Unable to run script because scripts are blocked internally. <unknown>
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] LPBofA2
about:blank : Unable to run script because scripts are blocked internally. <unknown>
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] LPBofA2
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
lakrsrool
Senior Member
Posts: 195
Joined: Wed Nov 12, 2014 4:20 pm

Re: Problems using No Script with Bank of America site

Post by lakrsrool »

barbaz wrote:
lakrsrool wrote:but now I'm finding that the website won't finish logging out.

So I've gone to the console log again and found just one entry which was the following: "ReferenceError: mboxCreate is not defined full-signoff-default.go:38:0". This was all of what I found while the website was still hung up logging off and remains hung up after 15 minutes. I end up just closing the browser tab when this happens.
Blocking any scripts anywhere along the logout process?
If you don't see anything can you check with NoRedirect configured to block all redirects (Regex: .*, check only "Source"), in case it's an intermediate landing page of some sort where that script is blocked?
I think maybe you wanted me to add "^http://.*" to "NoRedirect" (and check only "Source"), so I've done this and logged out, and it is still just hung up logging out. My computer is not locked up; it's just that the specific website hangs, is all. But nothing else happens; it's just saying "Signing out.... Please wait" with the spinning wheel. It seems like if I have XSS enabled it may take a while, but the website eventually does log off, whereas with XSS disabled it just hangs forever logging off, if I'm not mistaken. But of course with XSS disabled I can at least log in right away without the entire computer locking up for ~40 seconds.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
therube
Ambassador
Posts: 7929
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Problems using No Script with Bank of America site

Post by therube »

Pretty sure that's the URL I start from, I'll check in the morning.
Haven't read the 2nd page yet.
Anyhow, BoA is WFM.
I do (now) need to enable JavaScript for that page (was not necessary with their old login) [wonder if there is a work-around for that?] & immediately disable it after entering my password.
And except for the change, allowing bankofamerica.com, initially, it's all WFM.
(Online Billpay & Transfers also need JavaScript, but I enable it for them on as need basis.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 SeaMonkey/2.33.1
therube
Ambassador
Posts: 7929
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Problems using No Script with Bank of America site

Post by therube »

A quick glance at this page, as a test, I would...

create a new Profile
install only NoScript
disable all Plugins
restart browser

Test.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 SeaMonkey/2.33.1
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: Problems using No Script with Bank of America site

Post by barbaz »

lakrsrool wrote:There was nothing when I entered "window.name" in the "filter output" search, if that's what you're asking me to do. If I'm misunderstanding please explain further.
I meant type Ctrl-Shift K -> a console should appear at the bottom of the browser window -> there is a prompt at the bottom of this console, enter there window.name (it might auto-complete it for you in part?).
But nvm this, I think we've answered the question:
lakrsrool wrote:
[NoScript InjectionChecker] JavaScript Injection in qp=ci=4&dn=4b4f263cb21633d&pd=cid=6&d=e5uUWaTp3wcBRu%2B2s3ANwWqrcBzgalcud90skONtgrf82CNbd7yDhYjnxbTSRjZUObj7f3oY%2F%2FjI9yeGvr7GteBL%2BzSX%2BTi2ADAlzMv7abJgmsrw%2FW65tw2qenwdFDkFmNpc4AgcqkNxBoVwyGyq0ABWRyhF6BAEFEIJntfJi%2FFdveXDOu4Pcz%2F3Di7mTjHMV7uQp3hHPKTo3RRWPKqSBmo%2BRc6RJdlNw%2F9WdT0MCp9QfBtuKqEkOiHAWo%2BMcuFZnCzswwyn9GtxuDAPLTgJlW7CiUoYFXemaj0FyhCOF0ZNfNV8Z99%2BHASE4wH%2BaXL3dVx1w57dreoJ5qKY0YnEEg5iSCZUyLrtX3B4ywKc7Gvpg4AP9D10VUVhMC%2B3H%2B5wv5zdi14k5L5tm1cqEEwdJ%2BDk4LjPkDPiybe5mvxE%2FyVAqs0ElXjgWdjh4%2Fo4%2FCG633JkRHpCoJrQA%2FwkOUkMJZl1b7ykn8ccB4%2FVJDye7UFwHCRGnc6MiK90VtJWYb5EtZWYYG8v1yThM%2BUpQlNTjJR1vDCsGe9EDze0nxgMqtD4MfqK6MWUKJHEJh2iVSXTq8hgH31NwUOr%2FxvebRiZlAl71xekSSu%2Bviqj648g%2B5U6L7jhBCfHKFZOf2aviBlPug4PdCDG4st5GUqgp7vGUF51wG32I0lsPlQlLmv3mIfu%2FLQkjaIhqPovbEi4Pb%2BM1mbE4Jz3eoTqEw5D%2BuOBsqgNCQG4bCeo6sG9GmfbSN05UCLyh6gnxTMYCuT89kommL242TxJoHMeTt8zTvYjdUhf4GM9Lmi%2B6N1Nys7mKImILUKbKBnqrR%2FsffB218mPgx%2FfvmkkdTgUlCP9
[NoScript XSS]: sanitized window.name, "qp=ci%3D4%26dn%3D4b4f263cb21633d&pd=cid%3D6%26d%3De5uUWaTp3wcBRu%252B2s3ANwWqrcBzgalcud90skONtgrf82CNbd7yDhYjnxbTSRjZUObj7f3oY%252F%252FjI9yeGvr7GteBL%252BzSX%252BTi2ADAlzMv7abJgmsrw%252FW65tw2qenwdFDkFmNpc4AgcqkNxBoVwyGyq0ABWRyhF6BAEFEIJntfJi%252FFdveXDOu4Pcz%252F3Di7mTjHMV7uQp3hHPKTo3RRWPKqSBmo%252BRc6RJdlNw%252F9WdT0MCp9QfBtuKqEkOiHAWo%252BMcuFZnCzswwyn9GtxuDAPLTgJlW7CiUoYFXemaj0FyhCOF0ZNfNV8Z99%252BHASE4wH%252BaXL3dVx1w57dreoJ5qKY0YnEEg5iSCZUyLrtX3B4ywKc7Gvpg4AP9D10VUVhMC%252B3H%252B5wv5zdi14k5L5tm1cqEEwdJ%252BDk4LjPkDPiybe5mvxE%252FyVAqs0ElXjgWdjh4%252Fo4%252FCG633JkRHpCoJrQA%252FwkOUkMJZl1b7ykn8ccB4%252FVJDye7UFwHCRGnc6MiK90VtJWYb5EtZWYYG8v1yThM%252BUpQlNTjJR1vDCsGe9EDze0nxgMqtD4MfqK6MWUKJHEJh2iVSXTq8hgH31NwUOr%252FxvebRiZlAl71xekSSu%252Bviqj648g%252B5U6L7jhBCfHKFZOf2aviBlPug4PdCDG4st5GUqgp7vGUF51wG32I0lsPlQlLmv3mIfu%252FLQkjaIhqPovbEi4Pb%252BM1mbE4Jz3eoTqEw5D%252BuOBsqgNCQG4bCeo6sG9GmfbSN05UCLyh6gnxTMYCuT89kommL242TxJoHMeTt8zTvYjdUhf4GM9Lm
https://roll.bankofamerica.com/boaa/ghb3.html?
about:blank
OK so NoScript tampering with window.name is indeed the issue. But something about that window.name looks so familiar, in a context nothing to do with BoA...
Ah, this: viewtopic.php?p=78346#p78346
See if anything in that thread is useful here?

To go back to this question:
lakrsrool wrote:ADDENDUM: Oh btw, is there anything that I can tell that bank's tech department to change to help it to be more compatible with NoScript? I ask this because this was not a problem before.
Looks like there is more testing to be done before doing anything along these lines, but if it comes to this you would tell them to never use window.name to pass data across sites because other sites can steal and/or manipulate its contents. (Don't know if a sessionStorage entry could work for them here rather than window.name, in browsers that support sessionStorage?)
lakrsrool wrote:I think maybe you wanted me to add "^http://.*" to the "NoRedirect"
No I really meant .* as we want to match *everything* not just plain http sites.
*Always* check the changelogs BEFORE updating that important software!
-
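As an added illustration of barbaz's point about window.name (example code written for this thread, not code from the forum, from NoScript or from the bank): a strict reader that consumes and clears window.name so the blob cannot follow the tab to the next origin, next to the same handoff kept in sessionStorage, which is scoped to one origin and one tab. The window-like and storage-like objects, the allow-listed keys `qp` and `pd`, and the sample values are assumptions made for the demo; the key names are only borrowed from the shape of the logged value.

```javascript
'use strict';

// Keys the receiving page is prepared to accept; anything else is dropped.
// (Assumed for the demo from the "qp=...&pd=..." shape in the console log.)
const ALLOWED_KEYS = new Set(['qp', 'pd']);
// Encoded values: form-urlencoded material only, no raw '=', '&', '<', quotes.
const SAFE_ENCODED = /^[A-Za-z0-9%._~-]*$/;
// Decoded values are themselves small query strings / base64-ish tokens.
const SAFE_DECODED = /^[A-Za-z0-9=&+\/%._~-]*$/;
const MAX_LEN = 2048;

// Parse "k=v&k2=v2" strictly. Returns an object on success, null on any
// violation; a handoff that does not parse cleanly is not worth guessing at.
function parseHandoff(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > MAX_LEN) return null;
  const out = Object.create(null);
  for (const pair of raw.split('&')) {
    const eq = pair.indexOf('=');
    if (eq <= 0) return null;                       // missing or empty key
    const key = pair.slice(0, eq);
    const val = pair.slice(eq + 1);
    if (!ALLOWED_KEYS.has(key) || key in out) return null;
    if (!SAFE_ENCODED.test(val)) return null;       // nested '=' / '&' unencoded, etc.
    let decoded;
    try { decoded = decodeURIComponent(val); } catch (e) { return null; }
    if (!SAFE_DECODED.test(decoded)) return null;
    out[key] = decoded;
  }
  return out;
}

// Weak pattern (what the log suggests the sign-on flow does): put the blob in
// window.name before navigating. window.name survives cross-origin navigation,
// so every later document in the tab can read it, and the previous document
// could have set it to anything before sending the user here.
function weakStash(win, data) {
  win.name = data;
}

// Containment for a page that still has to receive via window.name: read it
// once, clear it immediately, and accept only what parses strictly.
function readHandoff(win) {
  const raw = win.name;
  win.name = '';
  return parseHandoff(raw);
}

// Preferred pattern for a same-origin handoff: sessionStorage is partitioned
// by origin and by tab, so a different origin in the same tab can neither read
// nor plant it. The entry is validated on the way in and consumed on the way out.
function stashSameOrigin(storage, data) {
  const parsed = parseHandoff(data);
  if (parsed === null) return false;
  storage.setItem('signon-handoff', JSON.stringify(parsed));
  return true;
}

function readSameOrigin(storage) {
  const raw = storage.getItem('signon-handoff');
  storage.removeItem('signon-handoff');
  return raw === null ? null : JSON.parse(raw);
}

// In-memory stand-ins (assumed, for running under Node) for window and
// sessionStorage; in a browser you would pass window and sessionStorage.
function fakeWindow() { return { name: '' }; }
function fakeStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Constructed sample: the well-formed (inner separators percent-encoded) form.
const SAMPLE_OK = 'qp=ci%3D4%26dn%3Dabc123&pd=cid%3D6%26d%3Dxyz%2Fabc';
// Constructed sample: inner '=' and '&' left raw, like the first logged value.
const SAMPLE_RAW = 'qp=ci=4&dn=abc123&pd=cid=6&d=xyz/abc';

function demo() {
  const win = fakeWindow();
  weakStash(win, SAMPLE_OK);
  const viaName = readHandoff(win);       // parsed, and win.name is now ''
  const store = fakeStorage();
  const stored = stashSameOrigin(store, SAMPLE_OK);
  const viaStorage = readSameOrigin(store);
  return { viaName, nameAfter: win.name, stored, viaStorage, rawRejected: parseHandoff(SAMPLE_RAW) === null };
}
```

The raw form with unencoded inner separators is rejected by the strict parser, which is the same shape NoScript's filter objected to in the log; only the percent-encoded form is accepted.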
therube
Ambassador
Posts: 7929
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Problems using No Script with Bank of America site

Post by therube »

Pretty sure that's the URL I start from, I'll check in the morning.
I actually always start with
https://secure.bankofamerica.com/login/ ... /signOn.go
but that rolls over to something like
https://secure.bankofamerica.com/login/sign-in/signOnScreen.go?msg=OnlineIdEmpty&request_locale=&lpOlbResetErrorCounter=0&statusCode=301
so we're essentially at the same place.
try (just as a test, this is *not* a fix!!!!!) disabling the XSS filter (un-check both boxes under NoScript Options > Advanced > XSS)
I can log in irrespective of those settings.
ADDENDUM: Oh btw, is there anything that I can tell that bank's tech department
You can tell them that when using the SeaMonkey they state, "Our site may not work properly for the browser you're using." & that is total bogus BS on their part. (Browsers We Recommend)

You can tell them, eh...


My only (Temporarily) Allowed domain is, bankofamerica.com.
Bla! Seems Transfers now require, bac-assets.com.

I've been disabling the lower (bottom) setting for a while now because other bank sites won't work with this lower XSS setting enabled) and have been logging in, but now I'm finding that the website won't finish logging out.
Which others?

as a test, I would...

create a new Profile
install only NoScript
disable all Plugins
restart browser

Test.

[is it coincidence that I have to confirm my "challenge" questions this morning?]
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:36.0) Gecko/20100101 SeaMonkey/2.33.1
lakrsrool
Senior Member
Posts: 195
Joined: Wed Nov 12, 2014 4:20 pm

Re: Problems using No Script with Bank of America site

Post by lakrsrool »

barbaz wrote:
lakrsrool wrote:There was nothing when I entered "window.name" in the "filter output" search, if that's what you're asking me to do. If I'm misunderstanding please explain further.
I meant type Ctrl-Shift K -> a console should appear at the bottom of the browser window -> there is a prompt at the bottom of this console, enter there window.name (it might auto-complete it for you in part?).
But nvm this, I think we've answered the question:
lakrsrool wrote:
[NoScript InjectionChecker] JavaScript Injection in qp=ci=4&dn=4b4f263cb21633d&pd=cid=6&d=e5uUWaTp3wcBRu%2B2s3ANwWqrcBzgalcud90skONtgrf82CNbd7yDhYjnxbTSRjZUObj7f3oY%2F%2FjI9yeGvr7GteBL%2BzSX%2BTi2ADAlzMv7abJgmsrw%2FW65tw2qenwdFDkFmNpc4AgcqkNxBoVwyGyq0ABWRyhF6BAEFEIJntfJi%2FFdveXDOu4Pcz%2F3Di7mTjHMV7uQp3hHPKTo3RRWPKqSBmo%2BRc6RJdlNw%2F9WdT0MCp9QfBtuKqEkOiHAWo%2BMcuFZnCzswwyn9GtxuDAPLTgJlW7CiUoYFXemaj0FyhCOF0ZNfNV8Z99%2BHASE4wH%2BaXL3dVx1w57dreoJ5qKY0YnEEg5iSCZUyLrtX3B4ywKc7Gvpg4AP9D10VUVhMC%2B3H%2B5wv5zdi14k5L5tm1cqEEwdJ%2BDk4LjPkDPiybe5mvxE%2FyVAqs0ElXjgWdjh4%2Fo4%2FCG633JkRHpCoJrQA%2FwkOUkMJZl1b7ykn8ccB4%2FVJDye7UFwHCRGnc6MiK90VtJWYb5EtZWYYG8v1yThM%2BUpQlNTjJR1vDCsGe9EDze0nxgMqtD4MfqK6MWUKJHEJh2iVSXTq8hgH31NwUOr%2FxvebRiZlAl71xekSSu%2Bviqj648g%2B5U6L7jhBCfHKFZOf2aviBlPug4PdCDG4st5GUqgp7vGUF51wG32I0lsPlQlLmv3mIfu%2FLQkjaIhqPovbEi4Pb%2BM1mbE4Jz3eoTqEw5D%2BuOBsqgNCQG4bCeo6sG9GmfbSN05UCLyh6gnxTMYCuT89kommL242TxJoHMeTt8zTvYjdUhf4GM9Lmi%2B6N1Nys7mKImILUKbKBnqrR%2FsffB218mPgx%2FfvmkkdTgUlCP9
[NoScript XSS]: sanitized window.name, "qp=ci%3D4%26dn%3D4b4f263cb21633d&pd=cid%3D6%26d%3De5uUWaTp3wcBRu%252B2s3ANwWqrcBzgalcud90skONtgrf82CNbd7yDhYjnxbTSRjZUObj7f3oY%252F%252FjI9yeGvr7GteBL%252BzSX%252BTi2ADAlzMv7abJgmsrw%252FW65tw2qenwdFDkFmNpc4AgcqkNxBoVwyGyq0ABWRyhF6BAEFEIJntfJi%252FFdveXDOu4Pcz%252F3Di7mTjHMV7uQp3hHPKTo3RRWPKqSBmo%252BRc6RJdlNw%252F9WdT0MCp9QfBtuKqEkOiHAWo%252BMcuFZnCzswwyn9GtxuDAPLTgJlW7CiUoYFXemaj0FyhCOF0ZNfNV8Z99%252BHASE4wH%252BaXL3dVx1w57dreoJ5qKY0YnEEg5iSCZUyLrtX3B4ywKc7Gvpg4AP9D10VUVhMC%252B3H%252B5wv5zdi14k5L5tm1cqEEwdJ%252BDk4LjPkDPiybe5mvxE%252FyVAqs0ElXjgWdjh4%252Fo4%252FCG633JkRHpCoJrQA%252FwkOUkMJZl1b7ykn8ccB4%252FVJDye7UFwHCRGnc6MiK90VtJWYb5EtZWYYG8v1yThM%252BUpQlNTjJR1vDCsGe9EDze0nxgMqtD4MfqK6MWUKJHEJh2iVSXTq8hgH31NwUOr%252FxvebRiZlAl71xekSSu%252Bviqj648g%252B5U6L7jhBCfHKFZOf2aviBlPug4PdCDG4st5GUqgp7vGUF51wG32I0lsPlQlLmv3mIfu%252FLQkjaIhqPovbEi4Pb%252BM1mbE4Jz3eoTqEw5D%252BuOBsqgNCQG4bCeo6sG9GmfbSN05UCLyh6gnxTMYCuT89kommL242TxJoHMeTt8zTvYjdUhf4GM9Lm
https://roll.bankofamerica.com/boaa/ghb3.html?
about:blank
OK so NoScript tampering with window.name is indeed the issue. But something about that window.name looks so familiar, in a context nothing to do with BoA...
Ah, this: viewtopic.php?p=78346#p78346
See if anything in that thread is useful here?

To go back to this question:
lakrsrool wrote:ADDENDUM: Oh btw, is there anything that I can tell that bank's tech department to change to help it to be more compatible with NoScript? I ask this because this was not a problem before.
Looks like there is more testing to be done before doing anything along these lines, but if it comes to this you would tell them to never use window.name to pass data across sites because other sites can steal and/or manipulate its contents. (Don't know if a sessionStorage entry could work for them here rather than window.name, in browsers that support sessionStorage?)
lakrsrool wrote:I think maybe you wanted me to add "^http://.*" to the "NoRedirect"
No I really meant .* as we want to match *everything* not just plain http sites.
OK, this is with the TOP XSS enabled in order to test:

Your INSTRUCTION 1) done correctly: Entering "window.name" where you wanted it in the console I got the following:

The character encoding of the plain text document was not declared. The document will render with garbled text in some browser configurations if the document contains characters from outside the US-ASCII range. The character encoding of the file needs to be declared in the transfer protocol or file needs to use a byte order mark as an encoding signature. signOnV2.go

with console open I was redirected to this site:
https://www.bankofamerica.com/?TYPE=335 ... 26bcIP%3dF

In the console the website hangs at this point (continues after that with what would be expected):
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] images.cardlytics.com
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://streak.bankofamerica.com/30306/I3n.js. (Reason: CORS header 'Access-Control-Allow-Origin' does not match 'https://www.bankofamerica.com'). <unknown>
A call to document.write() from an asynchronously-loaded external script was ignored. pipad-ao-coremetrics-jawr.js:1:0
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] MLMachineRegCreationPage.aspx
DEBUG:simpleDeploy init deploy2.asp:63:4
DEBUG:simpleDeploy setup


Your INSTRUCTION 2) done correctly: Using "NoRedirect" and entering what you wanted me to do ".*" the website is redirected to the following:

1) LOGGING IN: https://secure.bankofamerica.com/myacco ... lse&bcIP=F

2) LOGGING OUT: https://www.bankofamerica.com/homepage/ ... cale=en_us It's worth noting that when I click on this redirect logging off then there is NO HANG like there is without "NoRedirect" setup to display the redirected links. (not the case however logging in unfortunately, it still hangs for ~40 seconds every time)

Both links hang up, the first (when logging on) for about 40 seconds locking up the entire computer, the second (logging off) forever just hangs with message to "wait" however only the website (that specific browser tab) is impacted as the entire computer is not locked up.

The only way to avoid all of this (hanging computer) is to disable the two XSS options. (As I said, I had disabled the BOTTOM XSS option previously because other bank websites fail to properly perform some functions with this bottom option enabled.) Now for BofA, just to log in and out, I have to disable the TOP XSS option as well. Which of course is GLOBALLY impacted, so I get no benefit from the NoScript XSS protection at all as a result. :(

Oh, btw the other forum thread link doesn't really help, it involved Euro banks that were having similar problems globally, but no real answers provided specific to my issue.

Oh and thanks for all the help!!! :D
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Ashcan
Posts: 1
Joined: Fri Aug 28, 2015 5:59 pm

Re: Problems using No Script with Bank of America site

Post by Ashcan »

I find I have the same messages out of the console and the same hangs with BofA in logging in. Not that this helps, but I just finally gave up trying to find the problem and use Safe Mode in Firefox, log in, do my BofA biz, log out, and then restart the browser. So it's not just you; it seems to have hit everybody using NoScript and BofA.

It should be worth noting that they plan to change things up again soon (I'm sure you've seen the promos for the "new coming website"), so one wonders if that will fix things or make things worse.
Mozilla/5.0 (Windows NT 5.1; rv:38.0) Gecko/20100101 Firefox/38.0
User avatar
lakrsrool
Senior Member
Posts: 195
Joined: Wed Nov 12, 2014 4:20 pm

Re: Problems using No Script with Bank of America site

Post by lakrsrool »

Ashcan wrote:I find I have the same messages out of the console and the same hangs with BofA in logging in. Not that this helps, but I just finally gave up trying to find the problem and use Safe Mode in Firefox, log in, do my BofA biz, log out, and then restart the browser. So it's not just you; it seems to have hit everybody using NoScript and BofA.

It's worth noting that they plan to change things up again soon (I'm sure you've seen the promos for the "new coming website"), so one wonders if that will fix things or make things worse.
Thanks for your input, it's always sort of reassuring that what I'm experiencing is confirmed by others that are having the very same issues.

I've called their tech support and informed them that ever since they changed their login page (they used to have a security picture step in the login that they did away with), the ability to protect against Cross-Site Scripting (XSS) vulnerabilities has been denied users unless they want to wait through 40 seconds of computer hang when logging in (and never really be able to log off). In regard to either the old login page or an alternate, they said there is no alternate login page available. They told me they'd look into this, for what that's worth.

I sort of wish these corporate execs who try and find ways to give their tech personnel (computer programmers) something to do would just leave things alone if they work already. It always seems that making changes causes unintended consequences and can even create more security vulnerabilities than before, unfortunately.

If you're interested in making it easier for yourself instead of resorting to "Safe Mode" (which bypasses NoScript, and is why it works as far as avoiding the login hang), you can disable the XSS options in the "Advanced" tab of NoScript "Options" for now. This will solve the hang problems caused by all of the link redirects that BofA is doing, which result in the login and logout problems that users of NoScript Anti-XSS protection are having. This is what I'm doing for now. I had already disabled the lower XSS setting in the past because some of the functions for other banks would not work with this setting enabled. So now I've got both Anti-XSS protection options disabled, and unfortunately the setting is GLOBAL in effect, but it's unavoidable in order to allow some of these bank websites to work properly.

It would be nice if NoScript could provide an "EASY" way to have a website "exception" list for the Anti-XSS settings (instead of having to be a technician to understand how to do this) so that the setting could be website specific as opposed to a GLOBAL setting.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
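To make concrete what a per-site "exception" for an anti-XSS filter amounts to, here is an added illustration in JavaScript. It is not NoScript's code and does not model how NoScript's filter actually decides anything; the `decideNavigation` function, the suspicious-pattern regex, the exception-list format (an array of regexes tested against the destination URL) and the constructed `bank.example` URLs are all assumptions made for this example. What it does show is the trade-off the posts above are circling: an exception removes the check only for destinations that match the pattern, whereas turning the filter off removes it everywhere.

```javascript
// Added illustration, not NoScript's own code. Models a filter that inspects
// cross-origin navigations for script-like payloads in the query string or
// fragment, with a per-destination exception list. Everything below is an
// assumption for the example: the pattern list, the decision order, the URLs.

// Crude payload heuristic (assumed). Real filters are far more thorough.
const SUSPICIOUS = /<\s*script|javascript:|\bon\w+\s*=|<\s*svg|<\s*img/i;

// decodeURIComponent throws on malformed %-sequences; fall back to raw text
// so a deliberately broken encoding cannot make the check bail out.
function decodeLoosely(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, " "));
  } catch (_) {
    return s;
  }
}

// True if the destination's query or fragment looks like an injection payload.
function looksLikeXss(destUrl) {
  const u = new URL(destUrl);
  const parts = [u.search.slice(1), u.hash.slice(1)];
  return parts.some((p) => SUSPICIOUS.test(decodeLoosely(p)));
}

// Exceptions are regexes matched against the full destination URL. Anchoring
// them to the scheme and host matters: an unanchored /bank\.example/ would
// also exempt https://bank.example.evil.test/.
function isExempt(destUrl, exceptions) {
  return exceptions.some((re) => re.test(destUrl));
}

// Decision for one navigation from sourceUrl to destUrl.
// Returns { action: "allow" | "block", reason: string }.
function decideNavigation(sourceUrl, destUrl, exceptions) {
  const src = new URL(sourceUrl);
  const dst = new URL(destUrl);
  if (src.origin === dst.origin) {
    return { action: "allow", reason: "same-origin" };
  }
  if (isExempt(destUrl, exceptions)) {
    return { action: "allow", reason: "exception" };
  }
  if (looksLikeXss(destUrl)) {
    return { action: "block", reason: "suspicious" };
  }
  return { action: "allow", reason: "clean" };
}

// Constructed sample data for the example (not real bank URLs).
const BANK_EXCEPTIONS = [/^https:\/\/secure\.bank\.example\//];
const CLEAN_REDIRECT =
  "https://secure.bank.example/login?locale=en_us&return=home";
const PAYLOAD_REDIRECT =
  "https://secure.bank.example/login?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E";
const LOOKALIKE_REDIRECT =
  "https://secure.bank.example.evil.test/login?q=%3Cscript%3E1%3C%2Fscript%3E";

// Runs the three scenarios and returns the decisions for inspection.
function demo() {
  return {
    // Third-party site sends the browser to a clean bank URL: allowed anyway.
    clean: decideNavigation("https://www.referrer.test/", CLEAN_REDIRECT, []),
    // Same payload, no exception: blocked.
    blocked: decideNavigation("https://evil.test/", PAYLOAD_REDIRECT, []),
    // Same payload, bank exempted: the check is skipped for that destination.
    exempted: decideNavigation("https://evil.test/", PAYLOAD_REDIRECT, BANK_EXCEPTIONS),
    // Lookalike host does not match the anchored exception: still blocked.
    lookalike: decideNavigation("https://evil.test/", LOOKALIKE_REDIRECT, BANK_EXCEPTIONS),
  };
}

console.log(demo());
```

The `exempted` case is the point: an exception for the bank does skip the check for that destination, so a pattern should be as narrow as the site's own redirects require, and the lookalike case shows why it should be anchored to the scheme and host rather than to a bare substring.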
User avatar
therube
Ambassador
Posts: 7929
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Problems using No Script with Bank of America site

Post by therube »

it seems to have hit everybody using NoScript and BofA.
Wrong.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:36.0) Gecko/20100101 SeaMonkey/2.33.1
User avatar
lakrsrool
Senior Member
Posts: 195
Joined: Wed Nov 12, 2014 4:20 pm

Re: Problems using No Script with Bank of America site

Post by lakrsrool »

therube wrote:
it seems to have hit everybody using NoScript and BofA.
Wrong.
Technically... OK, but it IS correct to say that everybody using the NoScript "Anti-XSS protection" settings (enabled) and BofA ARE impacted. ;) (if this were not the case then those that this is not true for have a resolution to the problem of using the NoScript "Anti-XSS protection" in this specific case at hand of course :idea:, which as we know is currently not the case ;) ).
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0