Page 2 of 2

Re: site bancsabadell.com hangs with NoScript

Posted: Mon Feb 22, 2016 11:30 pm
by libove
barbaz wrote:@libove: I think yours is the same issue as in https://forums.informaction.com/viewtopic.php?f=7&t=21178
I read this other thread. On the face it sounds like it would be similar, however I cannot reproduce the problem by visiting the Lloyd's bank site per the discussion.
So, while conceptually it may be similar, precisely it would seem to be different.

The initial reply from Banc Sabadell, useless as expected, was to use a different browser... I responded back with my credentials and asking them to escalate both to their I.T. management and to their Data Protection compliance people who would probably care to know that a core function (being able to login) is interfered with by the site's design when a user exercises their right to not be tracked (particularly in light of the upcoming European General Data Protection Regulation)...

Re: site bancsabadell.com hangs with NoScript

Posted: Tue Feb 23, 2016 1:13 am
by barbaz
I'm guessing you might end up seeing some messages from NoScript XSS in the Browser Console (Ctrl-Shift-J) when the hang occurs. Or that it doesn't happen if you disable the XSS filter.
If I'm right it's all the more reason that you're doing the right thing by contacting them how you are, because that crosses the line from a privacy issue to a security issue.

Re: site bancsabadell.com hangs with NoScript

Posted: Wed Feb 24, 2016 6:16 am
by libove
barbaz wrote:I'm guessing you might end up seeing some messages from NoScript XSS in the Browser Console (Ctrl-Shift-J) when the hang occurs. Or that it doesn't happen if you disable the XSS filter.
If I'm right it's all the more reason that you're doing the right thing by contacting them how you are, because that crosses the line from a privacy issue to a security issue.
I reproduced the hang, with the Browser Console open. Nothing about NoScript XSS at all. In fact, the messages in the Console are the same with and without the hang (except of course that, with www.bancsabadell.com allowed in NoScript, bancsabadell.com and datalog.bancsabadell.com not allowed, Firefox doesn't hang and more messages appear in the Console as I navigate farther through the site).

So, maybe this is completely different than the other/XSS related issue.

Re: site bancsabadell.com hangs with NoScript

Posted: Wed Feb 24, 2016 6:34 am
by barbaz
libove wrote:So, maybe this is completely different than the other/XSS related issue.
OK so it's maybe not actual XSS or anything the XSS filter needs to act on, but it could still be that a lot of something is happening that the XSS filter is checking (e.g. the site writing data to window.name). If you try with XSS filter disabled (NoScript Options > Advanced > XSS, un-check both boxes) does the issue still occur? That's the way to be sure.
(This is NOT a safe thing to do, and I can understand if you don't want to try it. To mitigate risks of this test, use an isolated browser session - don't browse *any* other sites, not even in separate tabs/windows, while testing. And make sure to re-enable XSS filter when done.)

Re: site bancsabadell.com hangs with NoScript

Posted: Wed Feb 24, 2016 6:42 am
by libove
barbaz wrote:
libove wrote:So, maybe this is completely different than the other/XSS related issue.
OK so it's maybe not actual XSS or anything the XSS filter needs to act on, but it could still be that a lot of something is happening that the XSS filter is checking (e.g. the site writing data to window.name). If you try with XSS filter disabled (NoScript Options > Advanced > XSS, un-check both boxes) does the issue still occur? That's the way to be sure.
(This is NOT a safe thing to do, and I can understand if you don't want to try it. To mitigate risks of this test, use an isolated browser session - don't browse *any* other sites, not even in separate tabs/windows, while testing. And make sure to re-enable XSS filter when done.)
You pegged it. The NoScript option "Sanitize cross-site suspicious requests" being enabled is what triggers the Firefox hang on displaying the bancsabadell.com site (with datalog.bancsabadell.com allowed in NoScript).

So, what does this mean / what can I now provide in more detail to Banc Sabadell to help them fix their brokenness?

many thanks for the continuing efforts!
-Jay

Re: site bancsabadell.com hangs with NoScript

Posted: Wed Feb 24, 2016 5:33 pm
by barbaz
@libove: Please change the format of quotes if you choose to disable BBCode in your posts - e.g. do what therube does and quote email style, put a > and a space before the quote.
libove wrote:You pegged it. The NoScript option "Sanitize cross-site suspicious requests" being enabled is what triggers the Firefox hang on displaying the bancsabadell.com site (with datalog.bancsabadell.com allowed in NoScript).

So, what does this mean / what can I now provide in more detail to Banc Sabadell to help them fix their brokenness?
Not sure. My best educated guess would be that they are using the highly unsafe practice of writing data to window.name to pass data across domains (any site can read it) and the XSS filter is at the very least scrutinizing it. But again, that's just a guess. I don't know. :|
(I also don't know if the XSS filter logs anything to the Browser Console (Ctrl-Shift-J) even if disabled?)
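An added example (not from this thread, nor from NoScript or the bank's site) of the contrast barbaz's guess rests on: data written to window.name is readable by whatever document is loaded into that window next, while postMessage lets the sender name a target origin and lets the receiver reject everything else. The origin, the fake window object and the function names are assumptions made up for the demonstration.

```javascript
// Added example: window.name "channel" beside an origin-checked postMessage channel.
// TRUSTED_ORIGIN is a constructed placeholder, not a real site.
const TRUSTED_ORIGIN = "https://www.example-bank.test";

// Unsafe pattern: window.name survives navigation, so any document that later
// lands in this window (cross-origin included) can read what was stored here.
function writeViaWindowName(win, payload) {
  win.name = JSON.stringify(payload);
}

// This read works for every origin; nothing ties the value to the writer.
function readViaWindowName(win) {
  try { return JSON.parse(win.name); } catch (e) { return null; }
}

// Safer pattern, sender side: address one origin explicitly, never "*".
function sendViaPostMessage(targetWindow, payload) {
  targetWindow.postMessage(JSON.stringify(payload), TRUSTED_ORIGIN);
}

// Safer pattern, receiver side: drop any message whose origin is not the
// expected one, and only then parse it. Returns the payload or null.
function handleMessage(event, allowedOrigin = TRUSTED_ORIGIN) {
  if (event.origin !== allowedOrigin) return null;   // other-origin sender: ignore
  if (typeof event.data !== "string") return null;   // only accept the shape we send
  try { return JSON.parse(event.data); } catch (e) { return null; }
}

// Minimal stand-in for a browser window (assumed, for running outside a browser):
// records postMessage calls so the targetOrigin argument can be inspected.
function makeFakeWindow() {
  const posted = [];
  return {
    name: "",
    posted,
    postMessage(data, targetOrigin) { posted.push({ data, targetOrigin }); },
  };
}

// In a real page the receiver would be registered as:
//   window.addEventListener("message", (ev) => { const d = handleMessage(ev); if (d) { /* use d */ } });
```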

Re: site bancsabadell.com hangs with NoScript

Posted: Wed Jul 06, 2016 5:17 pm
by Costa Brava
By adding the pattern
[dangerous suggestion deleted by moderator]

to the exceptions list on the XSS tab you won't have to compromise your global XSS settings.

Re: site bancsabadell.com hangs with NoScript

Posted: Wed Jul 06, 2016 11:12 pm
by barbaz
No. That's opening up the bank site to XSS from any site.

Please re-formulate that as an XSS exception for request of origin (@ exception) per the sticky and post back, thanks.