SOLVED - Problems using No Script with Bank of America site

Ask for help about NoScript, no registration needed to post
lakrsrool
Senior Member
Posts: 195
Joined: Wed Nov 12, 2014 4:20 pm

Re: Problems using No Script with Bank of America site

Post by lakrsrool »

Finally.... I've SOLVED THE HANG PROBLEM!!! (the problem is that the NoScript XSS protection hangs on site - https://roll.bankofamerica.com/, details below)

I was going to try disabling the Avast Webshield (good idea of yours, because this shield can cause problems sometimes). But before I did that I thought I'd monitor the Webshield activity while logging into BofA one more time (this is where I got the other Anti-XSS Protection Exceptions I had entered in NoScript, and I noticed 3 more sites that were scanned by the Avast Webshield).

The three new ones I hadn't noticed before that were scanned were:
^http://s2.symcb.com/.*
^http://st.symcd.com/.*
^https://roll.bankofamerica.com/.*

So I added these three sites to the NoScript Anti-XSS Protection Exceptions list and WOWEE NO MORE HANG!!!

So, figuring that probably only one of these 3 was causing the NoScript XSS problem that was locking up my computer, I took an educated guess that the hang was probably caused by the third one on that list, "roll.bankofamerica.com", as the "roll." made me suspicious: it suggests "rolling" out another link, in my mind anyway.

Sure enough, it was the ^https://roll.bankofamerica.com/.* site that was causing the HANG!!!

So as it turns out it was Avast that helped me to find this problem site that causes the XSS protection in NoScript to HANG the computer for a while.

When I tested for redirects using the "NoRedirect" add-on in Firefox, the add-on only came up with one or maybe two sites that were involved in logging into the BofA web site. However, monitoring the statistics in Avast as far as what Avast is scanning during the BofA login, I find many more than just ONE site (more like at least 9 sites get scanned by Avast) that are involved in the BofA login. So apparently "NoRedirect" will not provide all the intermediary site activity (like I thought it would), but thanks to Avast I was able to determine the one site that causes problems with XSS protection in NoScript and thus solved the problem logging in to BofA using the NoScript Anti-XSS feature.

More specifically, the BofA hang was directly due to ONLY the "Sanitize cross-site suspicious request" XSS (upper) setting, actually.

If you recall, I had already disabled the lower XSS setting "Turn cross-site POST requests into data-less GET requests", because some of my other bank account web sites would not work properly for specific website functions. Now that I know I can determine what is actually involved with these other banks by watching what the Avast Webshield scans for the bank functions causing the problem (usually what happens is I get logged out trying to do a function like, for example, viewing a check if XSS protection for the lower setting is enabled), I can determine what to add to the XSS exclusions list in NoScript, which in turn will allow me to once again enable the lower XSS protection setting that I've currently got disabled because of the issues with using XSS protection for these other banks.

All this time I had been depending upon the "NoRedirect" add-on to provide me with all sites involved that could be added to the NoScript XSS exclusion list, but unfortunately I wasn't given enough data by "NoRedirect"; thankfully I'm able to view all sites scanned in Avast, which provides me with the information I need to be able to "exclude" from XSS protection to allow these bank websites to work properly. This will take some time however, so I'll be getting to all that later.

I will say that I'm very happy to know now that NoScript IS actually "excluding" what is on the "Exclusion" list as would be expected, since adding that one site that the Avast scan gave me to the XSS exclusion list solved my issue with the BofA login (I started wondering if the XSS "exclusion" list function in NoScript was even working).

Thanks a lot therube and of course everyone else as well for ALL your help on this topic, it's very much appreciated :D

To help others with similar problems, perhaps once I determine all the bank sites that have problems using the XSS protection in NoScript I can provide a list of all these problem sites that need to be "excluded" from XSS protection to allow the bank sites to function properly.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
lakrsrool
Senior Member
Posts: 195
Joined: Wed Nov 12, 2014 4:20 pm

Re: SOLVED - Problems using No Script with Bank of America s

Post by lakrsrool »

In CONCLUSION, using XSS PROTECTION in NoScript with respect to TWO BANKS:

1) For Bank of America (presumably with a linked brokerage account as a possible qualifier), the checking account web page may hang, either loading the initial page when logging in or linking to the page from a linked brokerage account, in the event that either the upper XSS protection setting "Sanitize cross-site suspicious request" and/or the lower XSS protection setting "Turn cross-site POST requests into data-less GET requests" are enabled in NoScript.

RESOLUTION: Adding ^https://roll\.bankofamerica\.com/.* to the Anti-XSS Protection Exceptions list in NoScript will resolve the hang problem (Options: Advanced/XSS tabs).


2) For Union Bank some functions (one of which is the "statements" function) will fail to work resulting in a logoff of the login session. Having the lower XSS protection setting "Turn cross-site POST requests into data-less GET requests" enabled in NoScript will cause this event.

RESOLUTION: Adding ^https://sso\.unionbank\.com/.* to the Anti-XSS Protection Exceptions list in NoScript will resolve the logging out of the account when the impacted functions are used (Options: Advanced/XSS tabs).


Note: US Bank has apparently improved their web site as I was unable to duplicate any of the past issues that had occurred previously. (On a side note, I guess they're trying to pay for their Website upgrade in a sly way as I've noticed that they are now selectively charging $3.00 per transfer of external funds OUT of the bank :roll:, on the other hand, there is no charge for transfers of external funds INTO the bank of course :lol:)
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
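As an added example (not code from this thread or from NoScript itself), the Python below checks how the unescaped entry from the first post and the escaped entry from the conclusion behave against a few constructed URLs, and lints exception patterns for unescaped dots in the host part. It assumes NoScript applies each Anti-XSS exception as a regular expression against the full request URL, which is how the ^...-style entries above are written.

```python
import re

# Sample exception entries as written on the page: the unescaped form tried first
# and the escaped forms from the conclusion.
UNESCAPED = r"^https://roll.bankofamerica.com/.*"
ESCAPED = r"^https://roll\.bankofamerica\.com/.*"
UNIONBANK = r"^https://sso\.unionbank\.com/.*"


def is_exempt(url, patterns):
    """Return the first exception pattern that matches url, or None.

    Assumption: each entry is a regular expression tested against the whole
    request URL; a match means the request skips the Anti-XSS filter.
    """
    for pattern in patterns:
        if re.search(pattern, url):
            return pattern
    return None


def host_part(pattern):
    """Slice the host portion out of a ^scheme://host/... style exception pattern."""
    m = re.match(r"\^?https?://([^/]*)", pattern)
    return m.group(1) if m else ""


def unescaped_host_dots(pattern):
    """Count '.' metacharacters in the host portion that are not escaped.

    An unescaped dot matches any single character, so it widens the set of
    hostnames the exception applies to beyond the one the author meant.
    """
    return len(re.findall(r"(?<!\\)\.", host_part(pattern)))


def lint(patterns):
    """Map each pattern that has unescaped host dots to the number found."""
    findings = {}
    for pattern in patterns:
        n = unescaped_host_dots(pattern)
        if n:
            findings[pattern] = n
    return findings


if __name__ == "__main__":
    # Constructed URLs: the real login host, a look-alike with the dots replaced,
    # and a host that merely starts with the bank's name.
    for url in ("https://roll.bankofamerica.com/login",
                "https://rollxbankofamericaxcom/",
                "https://roll.bankofamerica.com.example.test/"):
        print(url, "->", is_exempt(url, [ESCAPED]), "|", is_exempt(url, [UNESCAPED]))
    print("lint:", lint([UNESCAPED, ESCAPED, UNIONBANK]))
```

The trailing "/" in the entries is what keeps "roll.bankofamerica.com.example.test" from matching; escaping the dots is what keeps look-alike hosts from matching.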
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: SOLVED - Problems using No Script with Bank of America s

Post by Thrawn »

It's good that you've found the problem :). Are there any further details in the Browser Console to tell you what requests are actually filtered?

You might also want to use an ABE rule to hinder other sites from trying to exploit them, e.g.:

Code:

Site .roll.bankofamerica.com
Accept from .bankofamerica.com
Deny

Site .sso.unionbank.com
Accept from .unionbank.com
Deny
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0
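To make the rule semantics concrete, here is a small evaluator for the two rulesets above, written as an added example; it is not NoScript's ABE engine and models only the subset used here: Site blocks, "Accept from <domains>", a bare "Deny", and the leading-dot convention for a domain plus its subdomains. The origin and destination URLs in the demo are constructed from hosts mentioned in the thread, and treating "no matching Site block" as "not governed by these rules" is an assumption.

```python
from urllib.parse import urlsplit

# The two rulesets from the post above, verbatim.
RULESET = """\
Site .roll.bankofamerica.com
Accept from .bankofamerica.com
Deny

Site .sso.unionbank.com
Accept from .unionbank.com
Deny
"""


def host_matches(pattern, host):
    """'.example.com' matches example.com and any subdomain; otherwise exact match."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("."):
        bare = pattern[1:]
        return host == bare or host.endswith("." + bare)
    return host == pattern


def parse_ruleset(text):
    """Parse into [(site_patterns, [(action, origin_patterns_or_None), ...]), ...]."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank lines and comments
            continue
        words = line.split()
        if words[0].lower() == "site":
            rules.append((words[1:], []))
        elif rules:
            action = words[0].capitalize()      # Accept / Deny
            origins = None                      # None: applies to any origin
            if len(words) > 1 and words[1].lower() == "from":
                origins = words[2:]
            rules[-1][1].append((action, origins))
        else:
            raise ValueError("action before any Site line: " + line)
    return rules


def evaluate(rules, origin_url, dest_url):
    """Return 'Accept', 'Deny', or None when no Site block covers the destination.

    Within a matching Site block the first action whose origin list matches
    (or that has no 'from' clause) wins, so 'Accept from X' followed by a bare
    'Deny' means: only X may send requests to this site.
    """
    origin = urlsplit(origin_url).hostname or ""
    dest = urlsplit(dest_url).hostname or ""
    for sites, actions in rules:
        if not any(host_matches(s, dest) for s in sites):
            continue
        for action, origins in actions:
            if origins is None or any(host_matches(o, origin) for o in origins):
                return action
    return None   # assumption: not governed by these rules (ABE default applies)


def decide(origin_url, dest_url):
    """Convenience wrapper that evaluates RULESET for one request."""
    return evaluate(parse_ruleset(RULESET), origin_url, dest_url)


if __name__ == "__main__":
    # Constructed requests: the bank's own pages, an unrelated site, and the
    # bankingsso -> sso flow seen in the console log later in the thread.
    for origin, dest in (
        ("https://www.bankofamerica.com/", "https://roll.bankofamerica.com/x"),
        ("https://evil.example/", "https://roll.bankofamerica.com/x"),
        ("https://bankingsso.unionbank.com/detail/preimage.view",
         "https://sso.unionbank.com/HRTInvocationServlet"),
        ("https://evil.example/", "https://sso.unionbank.com/HRTInvocationServlet"),
        ("https://evil.example/", "https://bankingsso.unionbank.com/detail/preimage.view"),
    ):
        print(origin, "->", dest, ":", decide(origin, dest))
```

Note that ".sso.unionbank.com" does not cover "bankingsso.unionbank.com": the leading dot requires a dot boundary, so only the site that was actually excluded from the XSS filter is fenced off.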
lakrsrool
Senior Member
Posts: 195
Joined: Wed Nov 12, 2014 4:20 pm

Re: SOLVED - Problems using No Script with Bank of America s

Post by lakrsrool »

Thanks Thrawn for providing that ABE information, I really appreciate it.

Actually, now that you've mentioned it, in regards to Union Bank I was not able to determine the site that needed to be excluded using the Avast scanning statistics as I had with the BofA site, as nothing was being scanned when the Union Bank website failed and logged me out due to the XSS setting problem in NoScript. Presumably what was done was internal to the website, leaving the NoScript "console" the only resource available to me to get the information I needed. So ultimately I actually ended up gleaning the web site to use in the Anti-XSS Protection Exceptions list from the console data. Searching the data I found the URL "https://sso.unionbank.com" that solved the problem involving the XSS protection setting that was causing the website to fail and log off. So the console data came in handy for sure in this case. Incidentally, the BofA issue did not provide any console information, but fortunately I was able to finally determine the problem site in this case from the Avast scanning stats.

I'm not at all familiar with any of this stuff, but was able to use the data to at least come up with a URL to try out in the XSS Protection Exceptions list that worked to solve the problem. I have to say that I'm basically "flying by the seat of my pants" here, so to speak, since most of this stuff is not really familiar to me and it's been largely a "trial and error" situation for me in many ways. I am pleased that I was able to figure out what sites needed to be excluded in the "exceptions" list for XSS so that I am able to continue to use this source of security provided by NoScript as opposed to losing this level of security globally.

Below is the "Console Data" that I used to come up with the "exception" to use in NoScript XSS; if there's anything else in there that is helpful, then feel free to post anything that might be helpful.

Thanks very much for that "ABE" rule stuff, I'm not at all familiar with this either and will have to read up on it, but for now I've added what you provided in your post to the ABE "Rulesets" box of which there was nothing there at the time. Again, I thank you very much for that.

I have to say much of this stuff is very esoteric, as I'm not sure how the "typical" user would know anything about how to add this as you've provided here:

Code:

Site .roll.bankofamerica.com
Accept from .bankofamerica.com
Deny

Site .sso.unionbank.com
Accept from .unionbank.com
Deny

I have to ask, how would a "typical" user know the specific syntax and format to use for the entries in an ABE "ruleset", such as beginning with "Site" and including the "Accept from" line and finally the "Deny", not to mention the rest?

I've superficially checked out the webpage ABE - Application Boundaries Enforcer utilizing the "?" link provided in the "Options" > "Advanced" > "ABE" tab, but I have to tell you this stuff is way over the head of the average user obviously. I'm a retired (long ago) computer programmer and current software support global moderator on another support site, but even with my background I have to say I've really got very little clue about a lot of this stuff, to be honest, and to be fair it would take someone quite a bit of time and research to get up to just minimal speed to acquire even some basic knowledge about a lot of this.

I get the idea that what these ABE "rulesets" do for me in this case is provide me with additional security to counter the reduced security that is the result of "excluding" these sites in XSS, so that by adding this to ABE the essentially "lost" security, or the virtual "hole" left in the security as a result of these XSS exclusions, is compensated for by adding these "rulesets" in ABE. And that while we can hopefully trust these websites that I've excluded, by "excluding" them it leaves an opportunity for other unscrupulous sites to take advantage of, perhaps. At least this is my understanding, but that said, I personally would have NEVER known how to add these "rulesets" you've been so considerate to provide here.

Here is the CONSOLE DATA I used to find the site to try in the XSS exclude for Union Bank (in bold, cannot color tag) for what it's worth:

Code:

Warning: attempting to write 5070 bytes to preference extensions.disconnect.blockedRequests. This is bad for general performance and memory usage. Such an amount of data should rather be written to an external file.
A form was submitted in the windows-1252 encoding which cannot encode all Unicode characters, so user input may get corrupted. To avoid this problem, the page should be changed so that the form is submitted in the UTF-8 encoding either by changing the encoding of the page itself to UTF-8 or by specifying accept-charset=utf-8 on the form element. eluminate.js:1:0
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] urlinfo
A form was submitted in the windows-1252 encoding which cannot encode all Unicode characters, so user input may get corrupted. To avoid this problem, the page should be changed so that the form is submitted in the UTF-8 encoding either by changing the encoding of the page itself to UTF-8 or by specifying accept-charset=utf-8 on the form element. preimage.view:26:0
[NoScript InjectionChecker] JavaScript Injection in ##<map><entry><string>FPREQ_COUNTRY</string><string>United States</string></entry><entry><string>HRT_USER_FIRST_NAME</string></entry><entry><string>HRT_TRANSACTION_DATE_TIME</string><string>2015-09-01 13:29:28.028</string></entry><entry><string>FPREQ_SYSTEM_LANGUAGE</string></entry><entry><string>FPREQ_USER_AGENT</string><string>Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0</string></entry><entry><string>FPREQ_ACCEPT_LANGUAGE</string><string>en-US,en;q=0.5</string></entry><entry><string>HRT_PTT_OPEN_DATE</string><string>2005-04-19</string></entry><entry><string>FPREQ_REFERER</string><string>https://bankingsso.unionbank.com/detail/detail.view?selectedAccountCode=0000</string></entry><entry><string>HRT_REQUEST_ID</string><string>B@H1a676615-5afd-4852-9a0d-f5cbc50d6826</string></entry><entry><string>FPREQ_REMOTE_ADDR</string><string>108.89.80.37</string></entry><entry><string>HRT_USER_LAST_NAME</string></entry><entry><string>HRT_LOGIN_NAME</string></entry><entry><string>HRT_TRANSACTION_KEY</string></entry><entry><string>FPREQ_USER_LANGUAGE</string></entry><entry><string>FPREQ_DEVICE_PRINT</string><string>version=2&pm_fpua=mozilla/5.0 (windows nt 6.1; wow64; rv:40.0) gecko/20100101 firefox/40.0|5.0 
(Windows)|Win32&pm_fpsc=24|1600|900|860&pm_fpsw=pdf|pdf|qt4|qt1|qt3|qt2|qt5|dsw&pm_fptz=-7&pm_fpln=lang=en-US|syslang=|userlang=&pm_fpjv=1&pm_fpco=1&pm_fpasw=nppdf32|nppdf32|npqscan|npgeplugin|npgoogleupdate3|npdeployjava1|npjp2|npauthz|npspwrap|npspwrap|npqtplugin4|npqtplugin|npqtplugin3|npqtplugin2|npqtplugin5|npswf32_18_0_0_232|np32dsw|npctrl|npvlc|npwlpg&pm_fpan=Netscape&pm_fpacn=Mozilla&pm_fpol=true&pm_fposp=&pm_fpup=&pm_fpsaw=1600&pm_fpspd=24&pm_fpsbd=&pm_fpsdx=&pm_fpsdy=&pm_fpslx=&pm_fpsly=&pm_fpsfse=&pm_fpsui=</string></entry><entry><string>ORMREQ_APP_ID</string><string>B@H</string></entry><entry><string>FPREQ_USER_COOKIE</string><string>108.89.80.37|1414963560302|0.0729898952474769</string></entry><entry><string>HRT_CUSTOMER_SEGMENT_TYPE</string></entry><entry><string>FPREQ_OTHER</string><string>gzip, deflate|null|vHmlMxVIdw-WwMA-cYiamQ__.banking-app06</string></entry><entry><string>FPREQ_ACCEPT</string><string>text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8</string></entry><entry><string>HRT_SESSION_ID</string></entry><entry><string>HRT_EVENT_DATA_LIST</string><list><map><entry><string>HRT_TRX_COUNTER</string></entry><entry><string>HRT_TRX_KEY</string></entry></map></list></entry></map>
[NoScript XSS] Sanitized suspicious upload to [[b]https://sso.unionbank.com/[/b]HRTInvocationServlet###DATA###%3Cmap%3E%3Centry%3E%3Cstring%3EFPREQ_COUNTRY%3C%2Fstring%3E%3Cstring%3EUnited+States%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EHRT_USER_FIRST_NAME%3C%2Fstring%3E%3Cstring%3EMichael%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EHRT_TRANSACTION_DATE_TIME%3C%2Fstring%3E%3Cstring%3E2015-09-01+13%3A29%3A28.028%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EFPREQ_SYSTEM_LANGUAGE%3C%2Fstring%3E%3Cstring%3EEnglish%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EFPREQ_USER_AGENT%3C%2Fstring%3E%3Cstring%3EMozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%3B+rv%3A40.0%29+Gecko%2F20100101+Firefox%2F40.0%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EFPREQ_ACCEPT_LANGUAGE%3C%2Fstring%3E%3Cstring%3Een-US%2Cen%3Bq%3D0.5%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EHRT_PTT_OPEN_DATE%3C%2Fstring%3E%3Cstring%3E2005-04-19%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EFPREQ_REFERER%3C%2Fstring%3E%3Cstring%3Ehttps%3A%2F%2Fbankingsso.unionbank.com%2Fdetail%2Fdetail.view%3FselectedAccountCode%3D0000%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EHRT_REQUEST_ID%3C%2Fstring%3E%3Cstring%3EB%40H1a676615-5afd-4852-9a0d-f5cbc50d6826%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EFPREQ_REMOTE_ADDR%3C%2Fstring%3E%3Cstring%3E108.89.80.37%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EHRT_USER_LAST_NAME%3C%2Fstring%3E%3Cstring%3ESegesman%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EHRT_LOGIN_NAME%3C%2Fstring%3E%3Cstring%3Emichaeljohn47%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EHRT_TRANSACTION_KEY%3C%2Fstring%3E%3Cstring%3E301%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EFPREQ_USER_LANGUAGE%3C%2Fstring%3E%3Cstring%3EEnglish%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EFPREQ_DEVICE_PRINT%3C%2Fstring%3E%3Cstring%3Eversion%3D2%26amp%3Bpm_fpua%3Dmozilla%2F5.0+%28windows+nt+6.1%3B+wow64%3B+rv%3A40.0%29+gecko%2F20100101+firefox%2F4
0.0%7C5.0+%28Windows%29%7CWin32%26amp%3Bpm_fpsc%3D24%7C1600%7C900%7C860%26amp%3Bpm_fpsw%3Dpdf%7Cpdf%7Cqt4%7Cqt1%7Cqt3%7Cqt2%7Cqt5%7Cdsw%26amp%3Bpm_fptz%3D-7%26amp%3Bpm_fpln%3Dlang%3Den-US%7Csyslang%3D%7Cuserlang%3D%26amp%3Bpm_fpjv%3D1%26amp%3Bpm_fpco%3D1%26amp%3Bpm_fpasw%3Dnppdf32%7Cnppdf32%7Cnpqscan%7Cnpgeplugin%7Cnpgoogleupdate3%7Cnpdeployjava1%7Cnpjp2%7Cnpauthz%7Cnpspwrap%7Cnpspwrap%7Cnpqtplugin4%7Cnpqtplugin%7Cnpqtplugin3%7Cnpqtplugin2%7Cnpqtplugin5%7Cnpswf32_18_0_0_232%7Cnp32dsw%7Cnpctrl%7Cnpvlc%7Cnpwlpg%26amp%3Bpm_fpan%3DNetscape%26amp%3Bpm_fpacn%3DMozilla%26amp%3Bpm_fpol%3Dtrue%26amp%3Bpm_fposp%3D%26amp%3Bpm_fpup%3D%26amp%3Bpm_fpsaw%3D1600%26amp%3Bpm_fpspd%3D24%26amp%3Bpm_fpsbd%3D%26amp%3Bpm_fpsdx%3D%26amp%3Bpm_fpsdy%3D%26amp%3Bpm_fpslx%3D%26amp%3Bpm_fpsly%3D%26amp%3Bpm_fpsfse%3D%26amp%3Bpm_fpsui%3D%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EORMREQ_APP_ID%3C%2Fstring%3E%3Cstring%3EB%40H%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EFPREQ_USER_COOKIE%3C%2Fstring%3E%3Cstring%3E108.89.80.37%7C1414963560302%7C0.0729898952474769%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EHRT_CUSTOMER_SEGMENT_TYPE%3C%2Fstring%3E%3Cstring%3ER%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EFPREQ_OTHER%3C%2Fstring%3E%3Cstring%3Egzip%2C+deflate%7Cnull%7CvHmlMxVIdw-WwMA-cYiamQ__.banking-app06%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EFPREQ_ACCEPT%3C%2Fstring%3E%3Cstring%3Etext%2Fhtml%2Capplication%2Fxhtml%2Bxml%2Capplication%2Fxml%3Bq%3D0.9%2C*%2F*%3Bq%3D0.8%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EHRT_SESSION_ID%3C%2Fstring%3E%3Cstring%3E128862341%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EHRT_EVENT_DATA_LIST%3C%2Fstring%3E%3Clist%3E%3Cmap%3E%3Centry%3E%3Cstring%3EHRT_TRX_COUNTER%3C%2Fstring%3E%3Cstring%3E1%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EHRT_TRX_KEY%3C%2Fstring%3E%3Cstring%3E301%3C%2Fstring%3E%3C%2Fentry%3E%3C%2Fmap%3E%3C%2Flist%3E%3C%2Fentry%3E%3C%2Fmap%3E] from 
[https://bankingsso.unionbank.com/detail/preimage.view]: transformed into a download-only GET request.
Warning: attempting to write 5070 bytes to preference extensions.disconnect.blockedRequests. This is bad for general performance and memory usage. Such an amount of data should rather be written to an external file.
Warning: attempting to write 5070 bytes to preference extensions.disconnect.blockedRequests. This is bad for general performance and memory usage. Such an amount of data should rather be written to an external file.
SyntaxError: unreachable code after return statement jquery-1.3.2.min.js:19:13091
Warning: attempting to write 5070 bytes to preference extensions.disconnect.blockedRequests. This is bad for general performance and memory usage. Such an amount of data should rather be written to an external file.
Warning: attempting to write 5070 bytes to preference extensions.disconnect.blockedRequests. This is bad for general performance and memory usage. Such an amount of data should rather be written to an external file.
Warning: attempting to write 5070 bytes to preference extensions.disconnect.blockedRequests. This is bad for general performance and memory usage. Such an amount of data should rather be written to an external file.
Warning: attempting to write 5070 bytes to preference extensions.disconnect.blockedRequests. This is bad for general performance and memory usage. Such an amount of data should rather be written to an external file.
Warning: attempting to write 5070 bytes to preference extensions.disconnect.blockedRequests. This is bad for general performance and memory usage. Such an amount of data should rather be written to an external file.
A form was submitted in the windows-1252 encoding which cannot encode all Unicode characters, so user input may get corrupted. To avoid this problem, the page should be changed so that the form is submitted in the UTF-8 encoding either by changing the encoding of the page itself to UTF-8 or by specifying accept-charset=utf-8 on the form element. eluminate.js:1:0
TelemetryStopwatch: key "FX_PAGE_LOAD_MS" was already initialized TelemetryStopwatch.jsm:52:0
SyntaxError: unreachable code after return statement ad.views.20150721.js:1097:8
SyntaxError: unreachable code after return statement ad.views.20150721.js:3290:8
Warning: attempting to write 5070 bytes to preference extensions.disconnect.blockedRequests. This is bad for general performance and memory usage. Such an amount of data should rather be written to an external file.
Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user's experience. For more help http://xhr.spec.whatwg.org/ jquery.min.20150721.js:4:0
SyntaxError: unreachable code after return statement ad.views.20150721.js:3290:8
Warning: attempting to write 5070 bytes to preference extensions.disconnect.blockedRequests. This is bad for general performance and memory usage. Such an amount of data should rather be written to an external file.
A form was submitted in the windows-1252 encoding which cannot encode all Unicode characters, so user input may get corrupted. To avoid this problem, the page should be changed so that the form is submitted in the UTF-8 encoding either by changing the encoding of the page itself to UTF-8 or by specifying accept-charset=utf-8 on the form element. eluminate.js:1:0
A form was submitted in the windows-1252 encoding which cannot encode all Unicode characters, so user input may get corrupted. To avoid this problem, the page should be changed so that the form is submitted in the UTF-8 encoding either by changing the encoding of the page itself to UTF-8 or by specifying accept-charset=utf-8 on the form element. preimage.view:26:0
TelemetryStopwatch: key "FX_PAGE_LOAD_MS" was already initialized TelemetryStopwatch.jsm:52:0
[NoScript InjectionChecker] JavaScript Injection in ##<map><entry><string>FPREQ_COUNTRY</string><string>United States</string></entry><entry><string>HRT_USER_FIRST_NAME</string></entry><entry><string>HRT_TRANSACTION_DATE_TIME</string><string>2015-09-01 13:33:37.037</string></entry><entry><string>FPREQ_SYSTEM_LANGUAGE</string></entry><entry><string>FPREQ_USER_AGENT</string><string>Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0</string></entry><entry><string>FPREQ_ACCEPT_LANGUAGE</string><string>en-US,en;q=0.5</string></entry><entry><string>HRT_PTT_OPEN_DATE</string><string>2005-04-19</string></entry><entry><string>FPREQ_REFERER</string><string>https://bankingsso.unionbank.com/detail/detail.view?selectedAccountCode=0000</string></entry><entry><string>HRT_REQUEST_ID</string><string>B@H09caba81-4033-4c84-87eb-3718ff801a70</string></entry><entry><string>FPREQ_REMOTE_ADDR</string><string>108.89.80.37</string></entry><entry><string>HRT_USER_LAST_NAME</string></entry><entry><string>HRT_LOGIN_NAME</string></entry><entry><string>HRT_TRANSACTION_KEY</string></entry><entry><string>FPREQ_USER_LANGUAGE</string></entry><entry><string>FPREQ_DEVICE_PRINT</string><string>version=2&pm_fpua=mozilla/5.0 (windows nt 6.1; wow64; rv:40.0) gecko/20100101 firefox/40.0|5.0 
(Windows)|Win32&pm_fpsc=24|1600|900|860&pm_fpsw=pdf|pdf|qt4|qt1|qt3|qt2|qt5|dsw&pm_fptz=-7&pm_fpln=lang=en-US|syslang=|userlang=&pm_fpjv=1&pm_fpco=1&pm_fpasw=nppdf32|nppdf32|npqscan|npgeplugin|npgoogleupdate3|npdeployjava1|npjp2|npauthz|npspwrap|npspwrap|npqtplugin4|npqtplugin|npqtplugin3|npqtplugin2|npqtplugin5|npswf32_18_0_0_232|np32dsw|npctrl|npvlc|npwlpg&pm_fpan=Netscape&pm_fpacn=Mozilla&pm_fpol=true&pm_fposp=&pm_fpup=&pm_fpsaw=1600&pm_fpspd=24&pm_fpsbd=&pm_fpsdx=&pm_fpsdy=&pm_fpslx=&pm_fpsly=&pm_fpsfse=&pm_fpsui=</string></entry><entry><string>ORMREQ_APP_ID</string><string>B@H</string></entry><entry><string>FPREQ_USER_COOKIE</string><string>108.89.80.37|1414963560302|0.0729898952474769</string></entry><entry><string>HRT_CUSTOMER_SEGMENT_TYPE</string></entry><entry><string>FPREQ_OTHER</string><string>gzip, deflate|null|-sE53LDttmt8UK+Tm-eZww__.banking-app06</string></entry><entry><string>FPREQ_ACCEPT</string><string>text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8</string></entry><entry><string>HRT_SESSION_ID</string></entry><entry><string>HRT_EVENT_DATA_LIST</string><list><map><entry><string>HRT_TRX_COUNTER</string></entry><entry><string>HRT_TRX_KEY</string></entry></map></list></entry></map>
[NoScript XSS] Sanitized suspicious upload to [[b]https://sso.unionbank.com/[/b]HRTInvocationServlet###DATA###%3Cmap%3E%3Centry%3E%3Cstring%3EFPREQ_COUNTRY%3C%2Fstring%3E%3Cstring%3EUnited+States%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EHRT_USER_FIRST_NAME%3C%2Fstring%3E%3Cstring%3EMichael%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EHRT_TRANSACTION_DATE_TIME%3C%2Fstring%3E%3Cstring%3E2015-09-01+13%3A33%3A37.037%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EFPREQ_SYSTEM_LANGUAGE%3C%2Fstring%3E%3Cstring%3EEnglish%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EFPREQ_USER_AGENT%3C%2Fstring%3E%3Cstring%3EMozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%3B+rv%3A40.0%29+Gecko%2F20100101+Firefox%2F40.0%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EFPREQ_ACCEPT_LANGUAGE%3C%2Fstring%3E%3Cstring%3Een-US%2Cen%3Bq%3D0.5%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EHRT_PTT_OPEN_DATE%3C%2Fstring%3E%3Cstring%3E2005-04-19%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EFPREQ_REFERER%3C%2Fstring%3E%3Cstring%3Ehttps%3A%2F%2Fbankingsso.unionbank.com%2Fdetail%2Fdetail.view%3FselectedAccountCode%3D0000%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EHRT_REQUEST_ID%3C%2Fstring%3E%3Cstring%3EB%40H09caba81-4033-4c84-87eb-3718ff801a70%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EFPREQ_REMOTE_ADDR%3C%2Fstring%3E%3Cstring%3E108.89.80.37%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EHRT_USER_LAST_NAME%3C%2Fstring%3E%3Cstring%3ESegesman%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EHRT_LOGIN_NAME%3C%2Fstring%3E%3Cstring%3Emichaeljohn47%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EHRT_TRANSACTION_KEY%3C%2Fstring%3E%3Cstring%3E301%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EFPREQ_USER_LANGUAGE%3C%2Fstring%3E%3Cstring%3EEnglish%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EFPREQ_DEVICE_PRINT%3C%2Fstring%3E%3Cstring%3Eversion%3D2%26amp%3Bpm_fpua%3Dmozilla%2F5.0+%28windows+nt+6.1%3B+wow64%3B+rv%3A40.0%29+gecko%2F20100101+firefox%2F4
0.0%7C5.0+%28Windows%29%7CWin32%26amp%3Bpm_fpsc%3D24%7C1600%7C900%7C860%26amp%3Bpm_fpsw%3Dpdf%7Cpdf%7Cqt4%7Cqt1%7Cqt3%7Cqt2%7Cqt5%7Cdsw%26amp%3Bpm_fptz%3D-7%26amp%3Bpm_fpln%3Dlang%3Den-US%7Csyslang%3D%7Cuserlang%3D%26amp%3Bpm_fpjv%3D1%26amp%3Bpm_fpco%3D1%26amp%3Bpm_fpasw%3Dnppdf32%7Cnppdf32%7Cnpqscan%7Cnpgeplugin%7Cnpgoogleupdate3%7Cnpdeployjava1%7Cnpjp2%7Cnpauthz%7Cnpspwrap%7Cnpspwrap%7Cnpqtplugin4%7Cnpqtplugin%7Cnpqtplugin3%7Cnpqtplugin2%7Cnpqtplugin5%7Cnpswf32_18_0_0_232%7Cnp32dsw%7Cnpctrl%7Cnpvlc%7Cnpwlpg%26amp%3Bpm_fpan%3DNetscape%26amp%3Bpm_fpacn%3DMozilla%26amp%3Bpm_fpol%3Dtrue%26amp%3Bpm_fposp%3D%26amp%3Bpm_fpup%3D%26amp%3Bpm_fpsaw%3D1600%26amp%3Bpm_fpspd%3D24%26amp%3Bpm_fpsbd%3D%26amp%3Bpm_fpsdx%3D%26amp%3Bpm_fpsdy%3D%26amp%3Bpm_fpslx%3D%26amp%3Bpm_fpsly%3D%26amp%3Bpm_fpsfse%3D%26amp%3Bpm_fpsui%3D%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EORMREQ_APP_ID%3C%2Fstring%3E%3Cstring%3EB%40H%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EFPREQ_USER_COOKIE%3C%2Fstring%3E%3Cstring%3E108.89.80.37%7C1414963560302%7C0.0729898952474769%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EHRT_CUSTOMER_SEGMENT_TYPE%3C%2Fstring%3E%3Cstring%3ER%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EFPREQ_OTHER%3C%2Fstring%3E%3Cstring%3Egzip%2C+deflate%7Cnull%7C-sE53LDttmt8UK%2BTm-eZww__.banking-app06%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EFPREQ_ACCEPT%3C%2Fstring%3E%3Cstring%3Etext%2Fhtml%2Capplication%2Fxhtml%2Bxml%2Capplication%2Fxml%3Bq%3D0.9%2C*%2F*%3Bq%3D0.8%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EHRT_SESSION_ID%3C%2Fstring%3E%3Cstring%3E1838822682%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EHRT_EVENT_DATA_LIST%3C%2Fstring%3E%3Clist%3E%3Cmap%3E%3Centry%3E%3Cstring%3EHRT_TRX_COUNTER%3C%2Fstring%3E%3Cstring%3E1%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EHRT_TRX_KEY%3C%2Fstring%3E%3Cstring%3E301%3C%2Fstring%3E%3C%2Fentry%3E%3C%2Fmap%3E%3C%2Flist%3E%3C%2Fentry%3E%3C%2Fmap%3E] from 
[https://bankingsso.unionbank.com/detail/preimage.view]: transformed into a download-only GET request.
Warning: attempting to write 5070 bytes to preference extensions.disconnect.blockedRequests. This is bad for general performance and memory usage. Such an amount of data should rather be written to an external file.
Last edited by Thrawn on Wed Sep 02, 2015 5:09 am, edited 1 time in total.
Reason: Add code tags
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: SOLVED - Problems using No Script with Bank of America s

Post by Thrawn »

lakrsrool wrote: I have to ask, how would a "typical" user know the specific syntax and format to use for the entries in an ABE "ruleset" such as beginning with "Site" and including the "Accept from" line and finally the "Deny" not to mention the rest?
By asking here :D.

If you're not sure of how to write ABE rules, then you probably shouldn't do it unsupervised. Even if you do know what you're doing, peer review is generally a good idea.
I get the idea that what these ABE "rulesets" do for me in this case is provide me with additional security to counter the reduced security that is the result of "excluding" these sites in XSS, so that by adding this to ABE the essentially "lost" security, or the virtual "hole" left in the security as a result of these XSS exclusions, is compensated for by adding these "rulesets" in ABE.
Basically, yes. It's not perfect, because IIRC the site was putting junk in window.name, so there's still scope for other sites to tamper with it :(.
And that while we can hopefully trust these websites that I've excluded, by "excluding" them it leaves an opportunity for other unscrupulous sites to take advantage of perhaps. At least this is my understanding, but that said I personally would have NEVER known how to add these "rulesets" you've been so considerate to provide here.
That's what we're here for.
Here is the CONSOLE DATA I used to find the site to try in the XSS exclude for Union Bank (in bold, cannot color tag) for what it's worth:

Code:
[NoScript InjectionChecker] JavaScript Injection in ##<map><entry><string>FPREQ_COUNTRY</string><string>United States</string></entry><entry><string>HRT_USER_FIRST_NAME</string></entry><entry><string>HRT_TRANSACTION_DATE_TIME</string><string>2015-09-01 13:29:28.028</string></entry><entry><string>FPREQ_SYSTEM_LANGUAGE</string></entry><entry><string>FPREQ_USER_AGENT</string><string>Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0</string></entry><entry><string>FPREQ_ACCEPT_LANGUAGE</string><string>en-US,en;q=0.5</string></entry><entry><string>HRT_PTT_OPEN_DATE</string><string>2005-04-19</string></entry><entry><string>FPREQ_REFERER</string><string>https://bankingsso.unionbank.com/detail/detail.view?selectedAccountCode=0000</string></entry><entry><string>HRT_REQUEST_ID</string><string>B@H1a676615-5afd-4852-9a0d-f5cbc50d6826</string></entry><entry><string>FPREQ_REMOTE_ADDR</string><string>108.89.80.37</string></entry><entry><string>HRT_USER_LAST_NAME</string></entry><entry><string>HRT_LOGIN_NAME</string></entry><entry><string>HRT_TRANSACTION_KEY</string></entry><entry><string>FPREQ_USER_LANGUAGE</string></entry><entry><string>FPREQ_DEVICE_PRINT</string><string>version=2&pm_fpua=mozilla/5.0 (windows nt 6.1; wow64; rv:40.0) gecko/20100101 firefox/40.0|5.0 
(Windows)|Win32&pm_fpsc=24|1600|900|860&pm_fpsw=pdf|pdf|qt4|qt1|qt3|qt2|qt5|dsw&pm_fptz=-7&pm_fpln=lang=en-US|syslang=|userlang=&pm_fpjv=1&pm_fpco=1&pm_fpasw=nppdf32|nppdf32|npqscan|npgeplugin|npgoogleupdate3|npdeployjava1|npjp2|npauthz|npspwrap|npspwrap|npqtplugin4|npqtplugin|npqtplugin3|npqtplugin2|npqtplugin5|npswf32_18_0_0_232|np32dsw|npctrl|npvlc|npwlpg&pm_fpan=Netscape&pm_fpacn=Mozilla&pm_fpol=true&pm_fposp=&pm_fpup=&pm_fpsaw=1600&pm_fpspd=24&pm_fpsbd=&pm_fpsdx=&pm_fpsdy=&pm_fpslx=&pm_fpsly=&pm_fpsfse=&pm_fpsui=</string></entry><entry><string>ORMREQ_APP_ID</string><string>B@H</string></entry><entry><string>FPREQ_USER_COOKIE</string><string>108.89.80.37|1414963560302|0.0729898952474769</string></entry><entry><string>HRT_CUSTOMER_SEGMENT_TYPE</string></entry><entry><string>FPREQ_OTHER</string><string>gzip, deflate|null|vHmlMxVIdw-WwMA-cYiamQ__.banking-app06</string></entry><entry><string>FPREQ_ACCEPT</string><string>text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8</string></entry><entry><string>HRT_SESSION_ID</string></entry><entry><string>HRT_EVENT_DATA_LIST</string><list><map><entry><string>HRT_TRX_COUNTER</string></entry><entry><string>HRT_TRX_KEY</string></entry></map></list></entry></map>
[NoScript XSS] Sanitized suspicious upload to [[b]https://sso.unionbank.com/[/b]HRTInvocationServlet###DATA###%3Cmap%3E%3Centry%3E%3Cstring%3EFPREQ_COUNTRY%3C%2Fstring%3E%3Cstring%3EUnited+States%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EHRT_USER_FIRST_NAME%3C%2Fstring%3E%3Cstring%3EMichael%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EHRT_TRANSACTION_DATE_TIME%3C%2Fstring%3E%3Cstring%3E2015-09-01+13%3A29%3A28.028%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EFPREQ_SYSTEM_LANGUAGE%3C%2Fstring%3E%3Cstring%3EEnglish%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EFPREQ_USER_AGENT%3C%2Fstring%3E%3Cstring%3EMozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%3B+rv%3A40.0%29+Gecko%2F20100101+Firefox%2F40.0%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EFPREQ_ACCEPT_LANGUAGE%3C%2Fstring%3E%3Cstring%3Een-US%2Cen%3Bq%3D0.5%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EHRT_PTT_OPEN_DATE%3C%2Fstring%3E%3Cstring%3E2005-04-19%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EFPREQ_REFERER%3C%2Fstring%3E%3Cstring%3Ehttps%3A%2F%2Fbankingsso.unionbank.com%2Fdetail%2Fdetail.view%3FselectedAccountCode%3D0000%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EHRT_REQUEST_ID%3C%2Fstring%3E%3Cstring%3EB%40H1a676615-5afd-4852-9a0d-f5cbc50d6826%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EFPREQ_REMOTE_ADDR%3C%2Fstring%3E%3Cstring%3E108.89.80.37%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EHRT_USER_LAST_NAME%3C%2Fstring%3E%3Cstring%3ESegesman%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EHRT_LOGIN_NAME%3C%2Fstring%3E%3Cstring%3Emichaeljohn47%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EHRT_TRANSACTION_KEY%3C%2Fstring%3E%3Cstring%3E301%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EFPREQ_USER_LANGUAGE%3C%2Fstring%3E%3Cstring%3EEnglish%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EFPREQ_DEVICE_PRINT%3C%2Fstring%3E%3Cstring%3Eversion%3D2%26amp%3Bpm_fpua%3Dmozilla%2F5.0+%28windows+nt+6.1%3B+wow64%3B+rv%3A40.0%29+gecko%2F20100101+firefox%2F4
0.0%7C5.0+%28Windows%29%7CWin32%26amp%3Bpm_fpsc%3D24%7C1600%7C900%7C860%26amp%3Bpm_fpsw%3Dpdf%7Cpdf%7Cqt4%7Cqt1%7Cqt3%7Cqt2%7Cqt5%7Cdsw%26amp%3Bpm_fptz%3D-7%26amp%3Bpm_fpln%3Dlang%3Den-US%7Csyslang%3D%7Cuserlang%3D%26amp%3Bpm_fpjv%3D1%26amp%3Bpm_fpco%3D1%26amp%3Bpm_fpasw%3Dnppdf32%7Cnppdf32%7Cnpqscan%7Cnpgeplugin%7Cnpgoogleupdate3%7Cnpdeployjava1%7Cnpjp2%7Cnpauthz%7Cnpspwrap%7Cnpspwrap%7Cnpqtplugin4%7Cnpqtplugin%7Cnpqtplugin3%7Cnpqtplugin2%7Cnpqtplugin5%7Cnpswf32_18_0_0_232%7Cnp32dsw%7Cnpctrl%7Cnpvlc%7Cnpwlpg%26amp%3Bpm_fpan%3DNetscape%26amp%3Bpm_fpacn%3DMozilla%26amp%3Bpm_fpol%3Dtrue%26amp%3Bpm_fposp%3D%26amp%3Bpm_fpup%3D%26amp%3Bpm_fpsaw%3D1600%26amp%3Bpm_fpspd%3D24%26amp%3Bpm_fpsbd%3D%26amp%3Bpm_fpsdx%3D%26amp%3Bpm_fpsdy%3D%26amp%3Bpm_fpslx%3D%26amp%3Bpm_fpsly%3D%26amp%3Bpm_fpsfse%3D%26amp%3Bpm_fpsui%3D%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EORMREQ_APP_ID%3C%2Fstring%3E%3Cstring%3EB%40H%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EFPREQ_USER_COOKIE%3C%2Fstring%3E%3Cstring%3E108.89.80.37%7C1414963560302%7C0.0729898952474769%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EHRT_CUSTOMER_SEGMENT_TYPE%3C%2Fstring%3E%3Cstring%3ER%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EFPREQ_OTHER%3C%2Fstring%3E%3Cstring%3Egzip%2C+deflate%7Cnull%7CvHmlMxVIdw-WwMA-cYiamQ__.banking-app06%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EFPREQ_ACCEPT%3C%2Fstring%3E%3Cstring%3Etext%2Fhtml%2Capplication%2Fxhtml%2Bxml%2Capplication%2Fxml%3Bq%3D0.9%2C*%2F*%3Bq%3D0.8%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EHRT_SESSION_ID%3C%2Fstring%3E%3Cstring%3E128862341%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EHRT_EVENT_DATA_LIST%3C%2Fstring%3E%3Clist%3E%3Cmap%3E%3Centry%3E%3Cstring%3EHRT_TRX_COUNTER%3C%2Fstring%3E%3Cstring%3E1%3C%2Fstring%3E%3C%2Fentry%3E%3Centry%3E%3Cstring%3EHRT_TRX_KEY%3C%2Fstring%3E%3Cstring%3E301%3C%2Fstring%3E%3C%2Fentry%3E%3C%2Fmap%3E%3C%2Flist%3E%3C%2Fentry%3E%3C%2Fmap%3E] from 
[https://bankingsso.unionbank.com/detail/preimage.view]: transformed into a download-only GET request.
That actually doesn't look too bad. They're definitely passing XML, but not HTML, and using a proper XMLHttpRequest rather than window.name. So this one's a legitimate false positive - and if they really are vulnerable, then the ABE rule above should be effective.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0
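The console data quoted above shows both NoScript XSS options acting on one request: the InjectionChecker flagged the upload, and the cross-site POST was then "transformed into a download-only GET request". As an added example that is not NoScript's code and was not posted by anyone in this thread, the JavaScript below models those two steps ("Sanitize cross-site suspicious requests" and "Turn cross-site POST requests into data-less GET requests", as the options are named later in the thread) over a constructed request shaped like the Union Bank one and a constructed hostile one. The host-inequality definition of "cross-site", the injection heuristics and the sample bodies are assumptions of this example; NoScript's real checker is far more aggressive, which is why it flagged the bank's XML where this one, which only looks for recognizable HTML and script, does not. That difference is Thrawn's point: the payload is XML, not HTML.

```javascript
// Added example, not NoScript's code: a small model of the two NoScript XSS
// options whose effects appear in the console log, run over constructed input.
//   1. "Sanitize cross-site suspicious requests": scan a cross-site request
//      for HTML/JavaScript injection and neutralise it if found.
//   2. "Turn cross-site POST requests into data-less GET requests": drop the
//      body and downgrade the method (the "download-only GET" in the log).
// The heuristics, the host-inequality notion of cross-site and the sample
// bodies are assumptions of this example.

// Decode application/x-www-form-urlencoded: '+' is a space, then %XX escapes.
function decodeFormBody(body) {
  const fields = {};
  for (const pair of body.split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const k = eq < 0 ? pair : pair.slice(0, eq);
    const v = eq < 0 ? "" : pair.slice(eq + 1);
    fields[decodeURIComponent(k.replace(/\+/g, " "))] =
      decodeURIComponent(v.replace(/\+/g, " "));
  }
  return fields;
}

function encodeFormBody(fields) {
  return Object.entries(fields)
    .map(([k, v]) => encodeURIComponent(k) + "=" + encodeURIComponent(v))
    .join("&");
}

// Simplifying assumption: a request is cross-site when the issuing page and
// the destination differ in host. This matches the log, where
// bankingsso.unionbank.com -> sso.unionbank.com was treated as cross-site.
function isCrossSite(originUrl, targetUrl) {
  return new URL(originUrl).host !== new URL(targetUrl).host;
}

// Markup that can execute or load code in an HTML context. Plain XML such as
// <map><entry><string>...</string></entry></map> matches none of these.
const INJECTION_PATTERNS = [
  /<\s*(script|iframe|object|embed|svg|img|style|meta|link|base|body|form)\b/i,
  /\bon[a-z]+\s*=/i,               // event-handler attributes: onload=, onerror=
  /\b(javascript|vbscript)\s*:/i,  // script-bearing URL schemes
];

function looksLikeInjection(text) {
  return INJECTION_PATTERNS.some((re) => re.test(text));
}

// Crude neutralisation: break tags, handler attributes and script schemes so
// the value can no longer be parsed as active markup if it is reflected.
function neutralise(text) {
  return text
    .replace(/[<>]/g, " ")
    .replace(/\bon([a-z]+)\s*=/gi, "on_$1 ")
    .replace(/\b(javascript|vbscript)\s*:/gi, "$1 ");
}

// Apply the two options to {origin, url, method, body}; return the resulting
// request plus the actions taken (none for same-site requests).
function filterRequest(req, opts = { sanitize: true, postToGet: true }) {
  const actions = [];
  let { url, method, body } = req;
  if (!isCrossSite(req.origin, url)) return { url, method, body, actions };

  if (opts.sanitize) {
    const fields = decodeFormBody(body || "");
    if (Object.values(fields).some(looksLikeInjection)) {
      actions.push("sanitized");
      for (const k of Object.keys(fields)) fields[k] = neutralise(fields[k]);
      body = encodeFormBody(fields);
    }
  }
  if (opts.postToGet && method === "POST") {
    actions.push("post-to-get");
    method = "GET";
    body = null;
  }
  return { url, method, body, actions };
}

// Constructed sample: the shape of the Union Bank upload (XML, no HTML), with
// the fingerprint fields shortened. Not the captured payload from the log.
const BANK_XML =
  "<map><entry><string>FPREQ_COUNTRY</string><string>United States</string></entry>" +
  "<entry><string>FPREQ_USER_AGENT</string><string>Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0</string></entry>" +
  "<entry><string>FPREQ_DEVICE_PRINT</string><string>version=2&amp;pm_fpua=mozilla/5.0&amp;pm_fpco=1</string></entry>" +
  "<entry><string>HRT_EVENT_DATA_LIST</string><list><map><entry><string>HRT_TRX_KEY</string><string>301</string></entry></map></list></entry></map>";

const bankRequest = {
  origin: "https://bankingsso.unionbank.com/detail/preimage.view",
  url: "https://sso.unionbank.com/HRTInvocationServlet",
  method: "POST",
  body: encodeFormBody({ data: BANK_XML }),
};

// Constructed sample of what the sanitizer is actually meant to catch.
const hostileRequest = {
  origin: "https://attacker.example/",
  url: "https://sso.unionbank.com/HRTInvocationServlet",
  method: "POST",
  body: encodeFormBody({ data: '<img src=x onerror="alert(document.cookie)">' }),
};

for (const [name, req] of [["bank", bankRequest], ["hostile", hostileRequest]]) {
  const out = filterRequest(req);
  console.log(name, out.method, out.actions.join(",") || "(no action)");
}
```

Run with node. The bank request is never sanitized by this checker (it is XML without HTML), yet it is still downgraded to a data-less GET purely because it is a cross-site POST; that second option alone is what breaks a legitimate cross-site upload, which is why lakrsrool needed an XSS exception for the destination host and why Thrawn pairs that exception with an ABE rule restricting who may send requests there.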
therube
Ambassador
Posts: 7929
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: SOLVED - Problems using No Script with Bank of America s

Post by therube »

I have multiple linked accounts, but no Merrill Edge.
(Might be able to scrounge one up.)
And I did.
No lag logging in, no lag switching to Merrill, no lag switching back to BoA.
Both XSS options are enabled.

From the bank end, the Merrill account (& balance) is listed, & when you click it it takes you to Merrill.

From the Merrill end, there is one small "Bank of America" link at the top of the page, that takes you back to the bank end.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:36.0) Gecko/20100101 SeaMonkey/2.33.1
lakrsrool
Senior Member
Posts: 195
Joined: Wed Nov 12, 2014 4:20 pm

Re: SOLVED - Problems using No Script with Bank of America s

Post by lakrsrool »

therube wrote:
I have multiple linked accounts, but no Merrill Edge.
(Might be able to scrounge one up.)
And I did.
No lag logging in, no lag switching to Merrill, no lag switching back to BoA.
Both XSS options are enabled.

From the bank end, the Merrill account (& balance) is listed, & when you click it it takes you to Merrill.

From the Merrill end, there is one small "Bank of America" link at the top of the page, that takes you back to the bank end.
Yep, exactly how it works for me, but only by adding https://roll.bankofamerica.com to the Anti-XSS Protection Exceptions exclusion list. Thanks for checking on this, so it looks like my issue most likely has nothing to do with linked checking and brokerage accounts.

Why I need to exclude this site and you do not is of course a mystery to me. I would be curious whether, when you navigate the BofA website, you in fact encounter the same https://roll.bankofamerica.com site which I encounter and which I find I need to exclude from XSS protection to avoid the hang each time the checking account page gets loaded.

Any ideas?

Btw, do you have a way to check to see if you in fact are encountering the https://roll.bankofamerica.com site at the time your checking account page gets loaded in your browser?

What browser do you use? (removed remaining comments in this paragraph as this issue of course only applies to the NoScript add-on, I sometimes post without thinking and might be thinking of something else I might have been working with recently, but no excuse, my BAD)

I presume you're accessing the BofA internet site using a laptop, desktop etc. (the same as I am) and not using an APP of some kind on an iPhone, for example, which could possibly make a difference.

Oh, btw I'm not concluding this could be the difference, but I have multiple (two) brokerage accounts (one joint, one individual). I have to say, it still sure seems to me that something unique exists between our two BofA accounts somewhere that may still be causing this, unless you can actually determine you ALSO encounter that same https://roll.bankofamerica.com site that I do when navigating the BofA website. It would certainly seem like there has to be something uniquely different between the BofA accounts considering all the testing I've done with multiple browsers, but that said, if in fact you are encountering this web site using a web browser then it would appear to come down to the OS perhaps as the only answer, which I clearly wouldn't think would impact how a website works on the internet.
Last edited by lakrsrool on Wed Sep 02, 2015 11:58 pm, edited 8 times in total.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: SOLVED - Problems using No Script with Bank of America s

Post by barbaz »

Hmm could your Avast be what's messing with window.name ?
*Always* check the changelogs BEFORE updating that important software!
-
lakrsrool
Senior Member
Posts: 195
Joined: Wed Nov 12, 2014 4:20 pm

Re: SOLVED - Problems using No Script with Bank of America s

Post by lakrsrool »

barbaz wrote:Hmm could your Avast be what's messing with window.name ?
Good question. OK, so I disabled the Avast Webshield and removed the https://roll.bankofamerica.com site from the Anti-XSS Protection Exceptions exclusion list. So now the BofA website should NOT hang as it had been doing before, if in fact Avast is somehow responsible for the website hang, since I've both disabled the Avast webshield and removed the exclusion which prevents the BofA website hang, in order to narrow it down to Avast.

Conclusion: The website STILL hangs!! So removing Avast from the equation didn't solve the problem, I still need to have the https://roll.bankofamerica.com site included in the Anti-XSS Protection Exceptions exclusion list to avoid the BofA website hang whenever the "checking account" page gets loaded.

There have been two things in my case that have occurred that are different from when the BofA website did not have this problem:
1) BofA changed their website login page
2) I had done a major Firefox upgrade to version 40.

Nothing else has transpired that I'm aware of beyond these two things from the time the BofA website did not have the hang and when it did.

I've attributed it to the BofA login page change and/or a customer having multiple linked accounts, but then the problem with that is that in the case of therube there is no problem regarding a hang on the BofA website.

Now I'm wondering, is therube using the most CURRENT VERSION OF FIREFOX (40.0.3)? Now that may possibly be a relevant question!!! :idea: I know there have been complaints regarding this major version upgrade in Firefox.

If in fact it comes down to Firefox version 40 as the cause, then this XSS exclusion requirement should be posted for anyone using the current version of Firefox who also banks with BofA. :idea:

Calling therube, what version of Firefox are you using :?:
Last edited by lakrsrool on Wed Sep 02, 2015 5:21 pm, edited 1 time in total.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
therube
Ambassador
Posts: 7929
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: SOLVED - Problems using No Script with Bank of America s

Post by therube »

lakrsrool wrote: check to see if you in fact are encountering the https://roll.bankofamerica.com site
I tried to look via browser console, but that tends to scroll by too quickly & if it were there I didn't catch it.
Otherwise not sure how to look for it?
lakrsrool wrote: What browser do you use?
SeaMonkey, though I also looked at FF.
lakrsrool wrote: Firefox, Chrome and IE and had the same issue for each browser in my case.
Huh, what?
Earlier you stated ?:
If I either disable NoScript totally or disable the XSS top setting then I do not have any hang problems.
lakrsrool wrote: you're accessing BofA on the web internet site using a laptop, desktop
Desktop.
(Though I have used their "mobile banking app" from time to time [to deposit checks].)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:36.0) Gecko/20100101 SeaMonkey/2.33.1
lakrsrool
Senior Member
Posts: 195
Joined: Wed Nov 12, 2014 4:20 pm

Re: SOLVED - Problems using No Script with Bank of America s

Post by lakrsrool »

Hey therube, have you tried testing this out using the current version of Firefox (version 40.0.3)?


therube wrote:
Huh, what?
Earlier you stated ?:
If I either disable NoScript totally or disable the XSS top setting then I do not have any hang problems.
Actually I was wrong, it's BOTH settings (not just the top). If you recall I had already previously disabled the lower XSS setting to allow other banks (Union Bank and US Bank) to function properly, so I didn't consider this setting at the time in regards to BofA. As you may have noticed, I have since added the necessary site to the XSS exclusion list to allow the lower XSS setting to be enabled again for Union Bank (US Bank is OK now w/out any XSS exclusions).

So yes, as I mentioned above in what you're referring to, either totally disabling the NoScript add-on or disabling both of the two XSS protection settings (not just the top setting) does away with the hang. More specifically, the computer only hangs because of having both the upper XSS protection setting "Sanitize cross-site suspicious request" and the lower XSS protection setting "Turn cross-site POST requests into data-less GET requests" enabled in NoScript.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
therube
Ambassador
Posts: 7929
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: SOLVED - Problems using No Script with Bank of America s

Post by therube »

lakrsrool wrote: have you tried testing this out using the current version of Firefox (version 40.0.3)?
Yes, same results, everything works, no hangs*.
lakrsrool wrote: Firefox, Chrome and IE and had the same issue for each browser in my case.
And what about that? Is that the case, you see the same in other browsers?
Because if so, that's totally outside the realm of NoScript & even FF.


> "*no hangs".

So today I notice a slight (second or so) delay, after signing in, after my account page has displayed, before I can interact with the page (which would typically entail opening each account in a new tab).

Now that is new, wasn't there yesterday, or even since their login page change.

No changes on my end to account for that.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 SeaMonkey/2.33.1
lakrsrool
Senior Member
Posts: 195
Joined: Wed Nov 12, 2014 4:20 pm

Re: SOLVED - Problems using No Script with Bank of America s

Post by lakrsrool »

therube wrote:
Firefox, Chrome and IE and had the same issue for each browser in my case.
And what about that? Is that the case, you see the same in other browsers?
Because if so, that's totally outside the realm of NoScript & even FF.
You're absolutely correct, I went back to find where I posted this because it makes virtually zero sense. :roll: I clearly misspoke which is not the first time and won't be the last, my bad. :? I have no idea why I even posted that other than I'm often distracted in midstream with other things and I've been working with other issues related to other software and perhaps conflated the two. :oops: I was clearly just typing away while at the time not even thinking about what I was typing apparently. :(

Thanks for catching that nonsense, I redacted that part of the post with an explanation (would have added red color tag but that causes SPAM errors in this forum unfortunately).

Oh and I actually did try both of these other two browsers (reality check ;)), as expected no hang at all.

Now with the BofA XSS exclusion in place in NoScript the only difference is a slight sort of "flash" (for lack of a better word) in the Firefox address bar very quickly following the entire load of the BofA page, which does not occur in either of the other two browsers, which seem to load quicker and cleaner with no visible address bar "flash" so to speak at all. But I've been noticing this little thing in Firefox the entire time since eliminating the hang; it's as if instead of a 30-40 second hang in Firefox I just get this little "jitter" or "flash" so to speak in the address bar subsequent to the elimination of the hang as a result of adding the XSS exclusion in NoScript.

As to why your browser does not hang but on the other hand I need an XSS exclusion to avoid a hang, I can't say obviously. There must be a reason for the difference but what that is will most likely remain a mystery. Thankfully NoScript offers enough flexibility to allow for situations like this, :D it's just that it takes a bit of time to find what that solution is sometimes. :P
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
lakrsrool
Senior Member
Posts: 195
Joined: Wed Nov 12, 2014 4:20 pm

Re: SOLVED - Problems using No Script with Bank of America s

Post by lakrsrool »

Thrawn wrote: It's good that you've found the problem :). Are there any further details in the Browser Console to tell you what requests are actually filtered?

You might also want to use an ABE rule to hinder other sites from trying to exploit them, eg:

Code:
Site .roll.bankofamerica.com
Accept from .bankofamerica.com
Deny

Site .sso.unionbank.com
Accept from .unionbank.com
Deny
ABE was blocking Union Bank login with "Request {GET https://sso.unionbank.com/obc/forms/login.fcc <<<https://www.excite.com/-6} filtered by ABE: <.sso.unionbank.com> Deny"

So the ABE setting for Union Bank had to be changed to what works below (note: the ".excite.com" additional entry is ONLY needed if linked login on Excite start-page is used to open the bank website login page, which is what I would typically do):

Code:
Site .sso.unionbank.com
Accept from .unionbank.com
Accept from .excite.com
Deny
Apparently ABE works independently so to speak from the NoScript "allowed" settings as I've already got NoScript for ".excite.com" set to "Allow" regarding my start-page.
Hopefully doing this does not open up another "security hole".
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: SOLVED - Problems using No Script with Bank of America s

Post by Thrawn »

lakrsrool wrote: Apparently ABE works independently so to speak from the NoScript "allowed" settings as I've already got NoScript for ".excite.com" set to "Allow" regarding my start-page.
Yes, they're completely unrelated. Theoretically ABE could be a stand-alone application.
lakrsrool wrote: Hopefully doing this does not open up another "security hole".
It should be OK if you trust excite.com. I would probably restrict it, though, to 'Accept from https://www.excite.com', instead of the wildcard.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0
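Putting Thrawn's advice together, as an added example (not a ruleset from NoScript's defaults and not one posted in the thread): the looser form with the wildcard start-page domain beside the tightened form that accepts the bank's own domain plus only the HTTPS start page. The rule keywords are the ones already used in the thread; the comment lines and the grouping are mine, and the two `Site .sso.unionbank.com` blocks are alternatives, not meant to be installed together.

```text
# Looser form: every host under excite.com, over http or https, may send
# requests to sso.unionbank.com.
Site .sso.unionbank.com
Accept from .unionbank.com
Accept from .excite.com
Deny

# Tightened form: only the bank's own domain and the HTTPS start page itself
# are accepted; http://www.excite.com, other excite.com hosts and any
# unrelated site are denied. Use this block OR the one above, not both.
Site .sso.unionbank.com
Accept from .unionbank.com
Accept from https://www.excite.com
Deny

# The BofA host needs no start-page exception at all.
Site .roll.bankofamerica.com
Accept from .bankofamerica.com
Deny
```

Because ABE is evaluated independently of the per-site script permissions (as Thrawn notes), granting "Allow" to excite.com in the NoScript menu does not widen these rules, and conversely an ABE Deny applies even to a site whose scripts are allowed.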