Capital One 360 Login Blocked

Ask for help about NoScript, no registration needed to post
billdfixer

Capital One 360 Login Blocked

Post by billdfixer » Fri Feb 19, 2016 5:48 pm

Firefox 44.0.2
NoScript 2.9.0.4

Sometime within the past week, Capital One 360 updated their website and changed its login functionality (https://secure.capitalone360.com/myaccount/banking/login.vm).

After entering my username, clicking on the the "Continue" button does nothing.

In NoScript, "Temporarily allow all this page" does not help.
In NoScript, "Allow Scripts Globally" does not help.

I downgraded Firefox by two versions but that did not help.
I downgraded NoScript by one point release but that did not help.

Disabling NoScript completely is the only way that I have found to finally be able to login.

I do not know how to determine what Capital One did to their website to cause this problem with NoScript and I do not know what to do with NoScript to work around whatever Capital One did.

There has to be a way to keep NoScript active and be able to log into Capital One 360, as I was able to do before their website, Firefox, and NoScript were all upgraded.

Any suggestions?
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0

billdfixer

Re: Capital One 360 Login Blocked

Post by billdfixer » Fri Feb 19, 2016 6:28 pm

Firefox 44.0.2
NoScript 2.7
Windows 8.1

Since I could not edit my post, I post this update as a reply.

Downgrading from NoScript 2.9.0.4 to NoScript 2.7 allows me to login to Capital One 360 without any problems and without changing any of my previous NoScript settings, just as I was able to do before.

Previous versions of NoScript can be found here: https://addons.mozilla.org/en-US/firefox/addon/noscript/versions/

Downgrading NoScript may not be the best solution but I do not know of any other solution or how to provided needed information to fix the conflict.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0

User avatar
therube
Ambassador
Posts: 7469
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Capital One 360 Login Blocked

Post by therube » Fri Feb 19, 2016 8:22 pm

Signin page, the Continue takes me to Password screen.
Password is accepted & reports, Invalid, which is fine because I have login for Cap1.

So from my end, FF 44.0.1 & NoScript 2.9.0.3 (I'm a bit dated on each it seems) looks like it should work correctly. (At least I'm getting expected responses.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:42.0) Gecko/20100101 SeaMonkey/2.39

barbaz
Senior Member
Posts: 9282
Joined: Sat Aug 03, 2013 5:45 pm

Re: Capital One 360 Login Blocked

Post by barbaz » Fri Feb 19, 2016 8:55 pm

billdfixer wrote:Downgrading from NoScript 2.9.0.4 to NoScript 2.7 allows me to login to Capital One 360 without any problems and without changing any of my previous NoScript settings, just as I was able to do before.

Previous versions of NoScript can be found here: https://addons.mozilla.org/en-US/firefox/addon/noscript/versions/

Downgrading NoScript may not be the best solution but I do not know of any other solution or how to provided needed information to fix the conflict.

Read viewtopic.php?p=81248#p81248 before downgrading below NoScript 2.9.0.1rc2.
*Always* check the changelogs BEFORE updating that important software!
-

billdfixer

Re: Capital One 360 Login Blocked

Post by billdfixer » Sat Feb 20, 2016 6:23 pm

Based on @therube reply, I upgraded NoScript from 2.7 to 2.9.0.2 and can now login using Firefox 44.0.2. I tried using 2.9.0.3 but the login problem happened again. Obviously, something changed after 2.9.0.2 that causes this login problem on this banking website.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0

barbaz
Senior Member
Posts: 9282
Joined: Sat Aug 03, 2013 5:45 pm

Re: Capital One 360 Login Blocked

Post by barbaz » Sun Feb 21, 2016 2:04 am

Yes, downgrading to NS 2.9.0.2 while on Firefox 44.0 is reasonable to do.

This really doesn't sound like that one XSS issue that plagues an oddly massive number of financial sites. That issue didn't "regress" with NS 2.9.0.3.

With NoScript latest development build, when this issue occurs, do you see anything related in the Browser Console? (Ctrl-Shift-J)
(if you don't know what's related, turn off CSS warnings and post everything else you see)
*Always* check the changelogs BEFORE updating that important software!
-

billdfixer

Re: Capital One 360 Login Blocked

Post by billdfixer » Sun Feb 21, 2016 4:42 pm

barbaz wrote:Yes, downgrading to NS 2.9.0.2 while on Firefox 44.0 is reasonable to do.

This really doesn't sound like that one XSS issue that plagues an oddly massive number of financial sites. That issue didn't "regress" with NS 2.9.0.3.

With NoScript latest development build, when this issue occurs, do you see anything related in the Browser Console? (Ctrl-Shift-J)
(if you don't know what's related, turn off CSS warnings and post everything else you see)


With NoScript 2.9.0.4, this is what appears as the login page loads:

Code: Select all

[NoScript HTTPS] AUTOMATIC SECURE on https://secure.capitalone360.com: JSESSIONID=B726EDD01511A050ECE081FE5D0C832C; domain=secure.capitalone360.com; path=/myaccount/; HttpOnly; Secure

[NoScript HTTPS] AUTOMATIC SECURE on https://secure.capitalone360.com: DeviceDetails="{Device_Info=WEB, Site_Pref=NORMAL}"; domain=.capitalone360.com; path=/; Secure

[NoScript HTTPS] AUTOMATIC SECURE on https://secure.capitalone360.com: isso_mig=no; domain=.capitalone360.com; path=/; Secure

[NoScript HTTPS] AUTOMATIC SECURE on https://secure.capitalone360.com: BIGipServerpl_secure.capitalone360.com_80=1730193600.20480.0000; domain=secure.capitalone360.com; path=/; Secure

[NoScript HTTPS] AUTOMATIC SECURE on https://secure.capitalone360.com: BIGipServerpl_WA_secure.capitalone360.com_80=2754062528.20480.0000; domain=secure.capitalone360.com; path=/; Secure

[NoScript HTTPS] AUTOMATIC SECURE on https://secure.capitalone360.com: TLTSID=632D79A0F782B1EF5D5E87FF5FF88974; domain=.capitalone360.com; path=/; Secure

[NoScript HTTPS] AUTOMATIC SECURE on https://secure.capitalone360.com: TLTUID=BB4DEB2E218745D1E397389D8377F18F; domain=.capitalone360.com; path=/; Secure

[NoScript HTTPS] AUTOMATIC SECURE on https://home.capitalone360.com: BIGipServerpl_home.capitalone360.com_80=3070793738.20480.0000; domain=home.capitalone360.com; path=/; Secure

[NoScript HTTPS] AUTOMATIC SECURE on https://home.capitalone360.com: BIGipServerpl_home.capitalone360.com_80=3070793738.20480.0000; domain=home.capitalone360.com; path=/; Secure

[NoScript HTTPS] AUTOMATIC SECURE on https://home.capitalone360.com: BIGipServerpl_home.capitalone360.com_80=3070793738.20480.0000; domain=home.capitalone360.com; path=/; Secure

[NoScript HTTPS] AUTOMATIC SECURE on https://home.capitalone360.com: BIGipServerpl_home.capitalone360.com_80=1107859466.20480.0000; domain=home.capitalone360.com; path=/; Secure

[NoScript HTTPS] AUTOMATIC SECURE on https://home.capitalone360.com: BIGipServerpl_home.capitalone360.com_80=1107859466.20480.0000; domain=home.capitalone360.com; path=/; Secure

[NoScript HTTPS] AUTOMATIC SECURE on https://home.capitalone360.com: BIGipServerpl_home.capitalone360.com_80=3070793738.20480.0000; domain=home.capitalone360.com; path=/; Secure


This is what appears when I type the first character of a username:

Code: Select all

Key event not available on some keyboard layouts: key="c" modifiers="accel,alt" browser.xul

Key event not available on some keyboard layouts: key="i" modifiers="accel,alt,shift" browser.xul

Key event not available on some keyboard layouts: key="m" modifiers="control,alt" browser.xul


This is what appears when I click on the "Continue" button:

Code: Select all

Use of getPreventDefault() is deprecated.  Use defaultPrevented instead. jquery-1.8.3.min.js:2:40351

Note: Nothing more is processed when the "Continue" button is clicked and there is no further Console output when the "Continue" button is clicked repeatedly.


With NoScript 2.9.0.2 (which DOES allow me to login), this is what appears when I click on the username field (nothing is typed):

Code: Select all

Use of getPreventDefault() is deprecated.  Use defaultPrevented instead. jquery-1.8.3.min.js:2:40351


Note that this above message does not appear with NoScript 2.9.0.4 until after the "Continue" button is clicked.


Then, with NoScript 2.9.0.2, this is what appears when I type the first character of a username:

Code: Select all

Key event not available on some keyboard layouts: key="c" modifiers="accel,alt" browser.xul

Key event not available on some keyboard layouts: key="i" modifiers="accel,alt,shift" browser.xul

Key event not available on some keyboard layouts: key="m" modifiers="control,alt" browser.xul


Note that with NoScript 2.9.0.4, these above messages appear only when a character is typed into the username field and appear before the above noted "getPreventDefault()" message.

Hopefully there is something here that will lead to a better solution than downgrading.
Last edited by barbaz on Sun Feb 21, 2016 5:18 pm, edited 1 time in total.
Reason: change console messages wrapped in list tags to code tags
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0

barbaz
Senior Member
Posts: 9282
Joined: Sat Aug 03, 2013 5:45 pm

Re: Capital One 360 Login Blocked

Post by barbaz » Sun Feb 21, 2016 5:24 pm

I find it really odd that Secure Cookies Management is pointed to as the culprit... and I assume that you clear cookies each time, otherwise those messages shouldn't happen (I think). Then again, the changelogs for 2.9.0.3 are incomplete...

Does clearing cookies and disabling Secure Cookies Management (NoScript Options > Advanced > HTTPS > Cookies) let latest development build work here?
*Always* check the changelogs BEFORE updating that important software!
-

billdfixer

Re: Capital One 360 Login Blocked

Post by billdfixer » Mon Feb 22, 2016 3:07 am

barbaz wrote:I find it really odd that Secure Cookies Management is pointed to as the culprit... and I assume that you clear cookies each time, otherwise those messages shouldn't happen (I think). Then again, the changelogs for 2.9.0.3 are incomplete...

Does clearing cookies and disabling Secure Cookies Management (NoScript Options > Advanced > HTTPS > Cookies) let latest development build work here?


Yes, Firefox clears cookies on each close and I have been closing and restarting Firefox before each test so testing is clean.

Disabling Secure Cookies Management in NoScript 2.9.0.4 does not resolve the problem - i.e. I still cannot login (as with NoScript 2.9.0.2).

The Console output only shows this below (which is reversed of what appears when running NoScript 2.9.0.2 - which works):

This message appears when the username field is clicked on:

Code: Select all

Use of getPreventDefault() is deprecated.  Use defaultPrevented instead. jquery-1.8.3.min.js:2:40351


These messages appear when I click the "Continue" button, after entering a username:

Code: Select all

Key event not available on some keyboard layouts: key="c" modifiers="accel,alt" browser.xul
Key event not available on some keyboard layouts: key="i" modifiers="accel,alt,shift" browser.xul
Key event not available on some keyboard layouts: key="m" modifiers="control,alt" browser.xul


The only variable that I have changed/tested is switching between NoScript 2.9.0.4 and 2.9.0.2 (which works), since trying NoScript 2.7 (which also works), with Firefox 44.0.2. @therube said FF 44.0.1 & NoScript 2.9.0.3 were giving expected responses.

Downgrading to NoScript 2.9.0.2 or completely disabling NoScript 2.9.0.4 are the only work-arounds that I have found so far.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0

barbaz
Senior Member
Posts: 9282
Joined: Sat Aug 03, 2013 5:45 pm

Re: Capital One 360 Login Blocked

Post by barbaz » Mon Feb 22, 2016 3:33 am

Ok looks like it's 'whac-a-mole' time. As a test, please disable the following NoScript features, one at a time / only one at once, in this order, until the site works:
1) XSS: NoScript Options > Advanced > XSS, un-check everything
2) ABE: NoScript Options > Advanced > ABE > un-check "Enable ABE"
-> 2a) if that works, try re-enabling ABE and setting about:config > noscript.doNotTrack.enabled to false
3) ClearClick: NoScript Options > Advanced > ClearClick, un-check everything
4) Inclusion type checking: about:config > set noscript.inclusionTypeChecking to false
5) The other XSS filter: about:config > set noscript.xss.checkInclusions to false
6) surrogates: about:config > noscript.surrogate.enabled to false
*Always* check the changelogs BEFORE updating that important software!
-

billdfixer

Re: Capital One 360 Login Blocked

Post by billdfixer » Tue Feb 23, 2016 10:16 pm

barbaz wrote:Ok looks like it's 'whac-a-mole' time. As a test, please disable the following NoScript features, one at a time / only one at once, in this order, until the site works:
6) surrogates: about:config > noscript.surrogate.enabled to false


Here are my results of the 'whac-a-mole' tests:

Firefox 44.0.2
NoScript 2.9.0.4
Windows 8.1

I went down the list one-by-one, as instructed. I cleared cookies and cache before performing each test.

What finally worked was changing item 6 to 'false', as instructed.

After that worked, I reset all of the other options back to their original/default settings - I was still able to login to this banking site.

I must say, I do not know enough about NoScript to know if setting surrogates to 'false' will effect other websites or reduce web security in any way. I also do not know how to implement surrogates so this option can be reset to the default of 'true.'

As a side note, I had another computer with Firefox 40.0.2, which I upgraded to NoScript 2.9.0.4 and I also could not login to this banking website - had to downgrade NoScript to 2.9.0.2 to allow login.

I do not know what all of this may mean but I hope that it helps those who do so that I can reset surrogates to 'true' and still be able to login to this banking website.

Thank you for your guidance with this, @barbaz.
Mozilla/5.0 (Windows NT 5.1; rv:44.0) Gecko/20100101 Firefox/44.0

barbaz
Senior Member
Posts: 9282
Joined: Sat Aug 03, 2013 5:45 pm

Re: Capital One 360 Login Blocked

Post by barbaz » Tue Feb 23, 2016 10:37 pm

Surrogates are designed to make pages work with fewer scripts Allowed, so you'll find browsing without surrogates you need to Allow more sites' scripts than otherwise.

Please try re-enabling surrogates, then changing about:config > noscript.surrogate.ga.replacement to

Code: Select all

(function(){var _0=$S(function()_0),_u=function(){};_0.__noSuchMethod__=_0;('ga'in window)||(ga=_u);window.urchinTracker=window._u||_u;window._gaq=$S({__noSuchMethod__:_0,push:function(f){if(typeof f=='function')f();else if(f&&f.shift&&f[0]in this)this[f.shift()].apply(this,f)},_set:function(a,b){if(typeof b=='function')b()},_link:function(h){if(h)location.href=h},_linkByPost:function(f){if(f&&f.submit)f.submit();return true},_getLinkerUrl:function(u){return u},_trackEvent:_0});window._gat=$S({__noSuchMethod__:function(){return _gaq}})})()


Does that let it work?
*Always* check the changelogs BEFORE updating that important software!
-

billdfixer

Re: Capital One 360 Login Blocked

Post by billdfixer » Wed Feb 24, 2016 1:19 am

barbaz wrote:Surrogates are designed to make pages work with fewer scripts Allowed, so you'll find browsing without surrogates you need to Allow more sites' scripts than otherwise.

Please try re-enabling surrogates, then changing about:config > noscript.surrogate.ga.replacement to

Code: Select all

(function(){var _0=$S(function()_0),_u=function(){};_0.__noSuchMethod__=_0;('ga'in window)||(ga=_u);window.urchinTracker=window._u||_u;window._gaq=$S({__noSuchMethod__:_0,push:function(f){if(typeof f=='function')f();else if(f&&f.shift&&f[0]in this)this[f.shift()].apply(this,f)},_set:function(a,b){if(typeof b=='function')b()},_link:function(h){if(h)location.href=h},_linkByPost:function(f){if(f&&f.submit)f.submit();return true},_getLinkerUrl:function(u){return u},_trackEvent:_0});window._gat=$S({__noSuchMethod__:function(){return _gaq}})})()


Does that let it work?


Yes, that works - tested on both Windows 8.1 and Windows 7 both with Firefox 44.0.2 and NoScript 2.9.0.4.

If this is a fix, this thread can be marked as solved. If it is just a temporary work-around...?

Thanks, again, for your assistance, @barbaz
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0

barbaz
Senior Member
Posts: 9282
Joined: Sat Aug 03, 2013 5:45 pm

Re: Capital One 360 Login Blocked

Post by barbaz » Wed Feb 24, 2016 1:27 am

Fix is to include that in NS by default. I've informed Giorgio.
*Always* check the changelogs BEFORE updating that important software!
-

billdfixer

[RESOLVED] Capital One 360 Login Blocked

Post by billdfixer » Thu Feb 25, 2016 2:47 pm

barbaz wrote:Fix is to include that in NS by default. I've informed Giorgio.

:D
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0

Post Reply