Marketwatch.com problems
I lately (past few months) have been having a lot of problems with a site (marketwatch.com). I get a huge amount of apparently NS generated errors (which I pared down for posting by eliminating many repeated duplicates). I also get regular XSS notifications. I am not able to login to the site. Here are the NS console msgs I trapped after clearing the console log and then just clicking on "Login". Is this a NS problem?
----------------
Mon Jan 11 2016 11:56:16
Warning: ReferenceError: reference to undefined property m[r]
Source file: http://js-agent.newrelic.com/nr-632.min.js
Line: 1
----------
Mon Jan 11 2016 11:55:52
Warning: ReferenceError: reference to undefined property this.timer
Source file: http://mw1.wsj.net/MW5/content/combined ... .0.7140.js
Line: 371
----------
Mon Jan 11 2016 11:55:52
Warning: ReferenceError: reference to undefined property this.conf.proxyURL
Source file: https://a248.e.akamai.net/f/248/67675/6 ... od_mini.js
Line: 1
----------
Mon Jan 11 2016 11:55:52
Warning: ReferenceError: reference to undefined property b.event.triggered
Source file: http://mw1.wsj.net/MW5/content/combined ... .0.7140.js
Line: 2
----------
Mon Jan 11 2016 11:55:51
Error: TypeError: target.outerText is undefined
Source file: http://mw1.wsj.net/MW5/content/analytics/hooks.js
Line: 422
----------
Mon Jan 11 2016 11:55:51
Warning: ReferenceError: reference to undefined property target.outerText
Source file: http://mw1.wsj.net/MW5/content/analytics/hooks.js
Line: 422
With XSS error, I see errors like this:
[NoScript XSS] Sanitized suspicious request. Original URL [http://tags.bluekai.com/site/4455?ret=h ... ial%20News] requested from [http://www.marketwatch.com/]. Sanitized URL: [http://tags.bluekai.com/site/4455?ret=h ... 4244474792].
----------
[NoScript InjectionChecker] JavaScript Injection in coalesced:///site/4455ret=html&limit=10&r=37070&phint=serverDomain=www.marketwatch.com, primaryProduct=MarketWatch, pageName=MW_Home, section=MW_Home Page, articleType=MW_Home_Home Page, subSection=MW_Home, contentType=home, contentChannel=Home, isSub=nomem, referrer=www.marketwatch.com, adSection1=marketwatch.com, adZone1=sponsor_trendingtickers, adSection2=bottom.marketwatch.com, adZone2=frontpage, adSection3=brokerbuttons.marketwatch.com, __bk_k=MarketWatch - Stock Market Quotes, Business News, Financial News
(function anonymous() {
serverDomain=www.marketwatch.com, primaryProduct=MarketWatch, /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
Also, I cannot see comments in both Pale Moon and Firefox.
Meanwhile, everything works fine in IE11 and Chrome latest browsers, neither of which use script blockers.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:25.8) Gecko/20151126 Firefox/31.9 PaleMoon/25.8.1
Re: Marketwatch.com problems
This isn't the first time that bluekai has triggered XSS false positives. As mentioned in that thread, I suggest that you kill it with fire block it with ABE.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0
Re: Marketwatch.com problems
Thrawn wrote: This isn't the first time that bluekai has triggered XSS false positives. As mentioned in that thread, I suggest that you kill it with fire block it with ABE.
OK, so I revoked the permission for bluekai, which fixed the XSS warning.
The only reason that I was allowing that script was that I am trying to figure out why I can't see comments on Marketwatch in Pale Moon or Firefox but can see them in Chrome.
So I tried temporarily allowing all scripts on one Marketwatch page I was investigating. This did not restore comments. Then I tried allowing all ads blocked by AdBlock. Voila! Comments appeared. But when I revoked the temporarily allow all scripts on MW while still allowing all ads, the comments went away. And vice versa. It appears that MW won't show comments unless every script is allowed and any ad blockers are disabled.
It used to work fine a few months ago with the adblocker on and most scripts blocked. So I am at a loss.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:25.8) Gecko/20151126 Firefox/31.9 PaleMoon/25.8.1
Re: Marketwatch.com problems
Clearly the site is relying on something from a third party, and that third party is on the list of advertisers. Quite possibly the required component is in fact a tracking/advertising script.
Simplest way to identify it is to (temporarily) switch off your adblocker, and allow sites, one at a time, until you find what makes it work. Then see if you can allow just that one site. Also, please report back; maybe we can develop (or enhance) a surrogate script for the site, so that you don't need to whitelist it to fix the comments.
Can you also list the sites that appear on your menu? Might be helpful in narrowing down candidates for providing the comments.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0
Re: Marketwatch.com problems
(continuing from viewtopic.php?f=7&t=21760 )
What NoScript version are you using?
*Always* check the changelogs BEFORE updating that important software!
-
Re: Marketwatch.com problems
The latest - 2.9.0.10
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.9) Gecko/20100101 Goanna/2.0 Firefox/38.9 PaleMoon/26.1.1
Re: Marketwatch.com problems
Probably we need a new surrogate script (or update one)...
Can you please provide an example link where you see the issue(s), that doesn't require login to see the problem?
*Always* check the changelogs BEFORE updating that important software!
-
Re: Marketwatch.com problems
barbaz wrote: Probably we need a new surrogate script (or update one)...
Can you please provide an example link where you see the issue(s), that doesn't require login to see the problem?
The primary issue is that I can't see comments on the Marketwatch site and was guessing that the XSS warnings might be part of the problem. So I would at least like to get rid of the XSS problems or if that is not possible, then turn off XSS on that site.
Here is an example link of where I see an XSS warning in both Pale Moon & Firefox (both use NS at the latest release).
http://www.marketwatch.com/story/driver ... 2016-03-25. Here are the console entries from Pale Moon that say "NoScript":
[NoScript XSS] xss.reason.TypeError: IOUtil.newChannelFromURI is not a function --- ChannelReplacement.prototype._init@chrome://noscript/content/ChannelReplacementLegacy.js:114
ChannelReplacement@chrome://noscript/content/ChannelReplacement.js:2
ABERequest.prototype<.replace@chrome://noscript/content/ABE.js:990
RequestWatchdog.prototype.filterXSS@chrome://noscript/content/RequestWatchdog.js:950
RequestWatchdog.prototype.onHttpStart/<@chrome://noscript/content/RequestWatchdog.js:158
DOSChecker.prototype.run@chrome://noscript/content/RequestWatchdog.js:2798
RequestWatchdog.prototype.onHttpStart@chrome://noscript/content/RequestWatchdog.js:159
ns.httpObserver.observe@jar:file:///D:/Users/Me%232/AppData/Roaming/Moonchild%20Productions/Pale%20Moon/Profiles/mggdaknq.default/extensions/%7B73a6fe31-595d-460b-a920-fcc0f8843232%7D.xpi!/components/noscriptService.js:1354
----------
[NoScript XSS] Sanitized suspicious request. Original URL [http://tags.bluekai.com/site/4455?ret=h ... arketWatch] requested from [http://www.marketwatch.com/story/driver ... 2016-03-25]. Sanitized URL: [http://tags.bluekai.com/#7114379749560265938].
----------
[NoScript InjectionChecker] JavaScript Injection in coalesced:///site/4455ret=html&limit=10&r=19890&phint=serverDomain=www.marketwatch.com, primaryProduct=MarketWatch, pageName=MW_Article_Industries|Automobiles_66CDB10A-F2A4-11E5-982A-34A86875D4E7, section=MW_Industries, articleType=MW_Article_Normal_Industries|Automobiles, contentType=article, contentChannel=Article, isSub=nomem, referrer=www.marketwatch.com, __bk_k=Drivers in these cities don’t buy American cars - MarketWatch
(function anonymous() {
serverDomain=www.marketwatch.com, primaryProduct=MarketWatch, /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
I see a reference to "bluekai" in the NS error msgs but do not see "bluekai.com" as a site in the NS site list when I mouse over the NS icon???
Last edited by Jojo999 on Fri Mar 25, 2016 7:15 pm, edited 1 time in total.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Re: Marketwatch.com problems
Thanks, off to investigate...
*Always* check the changelogs BEFORE updating that important software!
-
Re: Marketwatch.com problems
Wow, this is an elusive one! Looks like the googletag surrogate needs an update...
In the meantime, here are minimal permissions to use for comments to display:
+gstatic.com
+google.com
+googletagservices.com
+googleadservices.com
+wsj.net
+fyre.co
+livefyre.com
+contextual.media.net
+marketwatch.com
bluekai is not needed at all here.
*Always* check the changelogs BEFORE updating that important software!
-
Re: Marketwatch.com problems
OK, I turned off all the scripts I had on and then tried to turn on only the ones you recommend.
But I do not see script listings for:
+fyre.co
+livefyre.com
+contextual.media.net
Which would explain why I am not seeing comments, since these scripts look like they are from the Livefyre comment service (that I use in Slate).
Here is what I see:
https://drive.google.com/file/d/0B3aloI ... sp=sharing
Any idea why I am not seeing the same scripts as you? Did you use Pale Moon browser at latest release?
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Re: Marketwatch.com problems
It looks like the same listing to me. You are seeing just "media.net" because you haven't enabled NoScript Options > Appearance > Full Domains.
Once you (Temp-)Allow that, then you'll see the other two.
(and I don't think you need googlesyndication Allowed for this to work)
I've no idea how we would update the surrogate though.
*Always* check the changelogs BEFORE updating that important software!
-
Re: Marketwatch.com problems
I don't recall messing with that option but at-a-glance-interpretation would seem to imply that all it does is add a "www." to the front of domains but in reality it appears that there could be other stuff (sub-domains?) in front of the clipped URL
Regardless, I turned that option on. Then I was able to see "contextual.media.net". However, even after a rest, I still don't see Fyre or Livefyre, which are essential for seeing and interacting with comments.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Re: Marketwatch.com problems
I was testing with SeaMonkey but I can try again with Pale Moon later. (note: I spoof user-agent string randomly.. probably should have thought to check the user-agent string. Assuming UA sniffing is not the issue...)
I'm thinking it's now a matter of looking at the permissions set in your adblocker, because I had to change filters in uBlock Origin to make the livefyre scripts show up and the comments work.
Obviously you're allowing googletagservices.com, because you otherwise wouldn't see googleadservices in NoScript. Is your adblocker blocking the scripts from contextual.media.net and/or googleadservices.com?
*Always* check the changelogs BEFORE updating that important software!
-
Re: Marketwatch.com problems
barbaz wrote: I was testing with SeaMonkey but I can try again with Pale Moon later. (note: I spoof user-agent string randomly.. probably should have thought to check the user-agent string. Assuming UA sniffing is not the issue...)
I'm thinking it's now a matter of looking at the permissions set in your adblocker, because I had to change filters in uBlock Origin to make the livefyre scripts show up and the comments work.
Obviously you're allowing googletagservices.com, because you otherwise wouldn't see googleadservices in NoScript. Is your adblocker blocking the scripts from contextual.media.net and/or googleadservices.com?
Pale Moon got rid of AdBlock Plus due to claimed many problems. Now use what I think is a fork called Latitude.
I switched off ad blocking via this Latitude product on the Marketwatch site in PM. I now see the Livefyre and Fyre scripts in the NS list! Bonus: the XSS error also disappeared. However, I don't want to run without the ad blocker, so have to find out what it is doing to block scripts approved in NS.
Would the ad blocker also be blocking scripts, so that it causes a conflict and apparently overrides what is set in NS? Who gets control of the webpage construction first?
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0