Page 2 of 3
Re: Noscript blocking Dashlane extension Firefox 50
Posted: Thu Nov 24, 2016 8:23 pm
by idf
Pardon my intrusion - turns out I'm registered here. Posting this so I'll get notified when thread is updated. Thanks.
Re: Noscript blocking Dashlane extension Firefox 50
Posted: Thu Nov 24, 2016 9:39 pm
by barbaz
idf wrote:Pardon my intrusion - turns out I'm registered here.
Fixed above
Your other questions can only be answered by Giorgio.
Re: Noscript blocking Dashlane extension Firefox 50
Posted: Thu Nov 24, 2016 10:36 pm
by pegasus41
Another dashlane user with the same problem - started exactly when noscript updated yesterday to 2.9.5.1 (was on ff 49 and now am on ff50 with same result).
tried the patch referenced on page one and it works BUT i don't understand what ABE protection i am giving up with the patch.
for the record, here is my SYSTEM rule box:
"Site 127.0.0.1 localhost
Accept GET from about:blank 127.0.0.1 localhost
# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny"
any help appreciated...
Re: Noscript blocking Dashlane extension Firefox 50
Posted: Thu Nov 24, 2016 11:52 pm
by barbaz
pegasus41 wrote: i don't understand what ABE protection i am giving up with the patch.
Actually I'm not sure either
A site with scripts enabled
might be able to do something with that loophole. Maybe.
It depends on how ABE would see such requests.
However, that sort of shenanigans is unlikely IMO. So if you haven't got Scripts Globally Allowed or the like, I'd say you're probably still safe enough.
Re: Noscript blocking Dashlane extension Firefox 50
Posted: Fri Nov 25, 2016 3:10 am
by Thrawn
In a nutshell: because of the behavior of the extension, 'about:blank' (ie the canonical blank page) is trying to access localhost. ABE already permits local sites to access localhost, but about:blank isn't considered to be local.
Theoretically, though, I think it's possible for a page with scripts enabled to create a new blank page and write scripts into it. So I don't think that about:blank should be automatically whitelisted for talking to the LAN. It's unfortunate that Dashlane is working this way. Being an extension and therefore privileged, Dashlane should be able to use other, non-ABE-controlled methods of talking to localhost.
Re: Noscript blocking Dashlane extension Firefox 50
Posted: Fri Nov 25, 2016 3:24 am
by barbaz
Hmm, maybe I have the wrong impression here? Dashlane may be operating in a less-than-ideal way, but that doesn't make it Dashlane's fault that NoScript changed behavior...
if that's what happened here. Every reporter seems to have got many updates in close succession, so let's really check this for sure.
Can someone who is affected please try -
1) Remove any work-arounds you've added for this issue
2) Downgrade NoScript to 2.9.0.14
Old NoScript @
https://addons.mozilla.org/addon/noscript/versions
*or*
https://noscript.net/feed?c=100&t=a
3) Try Dashlane again. Does it work?
4) Check the Browser Console (Ctrl-Shift-J) for any ABE-related messages
Please let us know the results, thanks.
Re: Noscript blocking Dashlane extension Firefox 50
Posted: Fri Nov 25, 2016 7:21 am
by idf
I don't think all that testing is necessary based on the timeline I posted previously, but I did it anyway.
I just downgraded NoScript to 2.9.0.14 on FF 50 for Windows, and removed the new ABE rule. Dashlane works perfectly. The only ABE notice in the console is
Code: Select all
[ABE WAN] Detected WAN IP <my public IP address>
which does not seem to be of any significance.
I then updated NoScript back to 2.9.5.1. Dashlane no longer works. All the ABE Deny errors are in the console again:
Code: Select all
[ABE] < LOCAL> Deny on {GET http://127.0.0.1:17896/ <<< about:blank - 1}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
If it's true that about:blank is not local, then my guess is there was a bug or oversight in NoScript that treated it as if it is, and that hole was sealed in 2.9.5. But this exposed the problem with Dashlane - and perhaps there are other extensions that do something similar?
Re: Noscript blocking Dashlane extension Firefox 50
Posted: Fri Nov 25, 2016 11:31 am
by im3or
idf wrote:If it's true that about:blank is not local, then my guess is there was a bug or oversight in NoScript that treated it as if it is, and that hole was sealed in 2.9.5. But this exposed the problem with Dashlane - and perhaps there are other extensions that do something similar?
Yes, there are. Sticky password is one of them.
I am using this ruleset to get around ABE blocking sticky password extension:
Code: Select all
Site localhost:45872
Accept GET from about:blank localhost:45872
# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny
Re: Noscript blocking Dashlane extension Firefox 50
Posted: Fri Nov 25, 2016 3:27 pm
by barbaz
Thanks!
idf wrote:If it's true that about:blank is not local, then my guess is there was a bug or oversight in NoScript that treated it as if it is, and that hole was sealed in 2.9.5.
moz-nullprincipal: URIs are not part of LOCAL either, yet something changed in NoScript 2.9.5 that they too are being blocked by ABE -
viewtopic.php?f=10&t=22314
There have been a number of issues like this with NoScript 2.9.5. That's why I'm thinking the new NoScript behavior is the bug.
Re: Noscript blocking Dashlane extension Firefox 50
Posted: Fri Nov 25, 2016 5:24 pm
by Guest
im3or wrote:
Yes, there are. Sticky password is one of them.
I am using this ruleset to get around ABE blocking sticky password extension:
Code: Select all
Site localhost:45872
Accept GET from about:blank localhost:45872
# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny
Is "45872" specific to sticky password extension? if so, how did you know to use it?
Re: Noscript blocking Dashlane extension Firefox 50
Posted: Fri Nov 25, 2016 5:28 pm
by barbaz
Guest wrote:Is "45872" specific to sticky password extension? if so, how did you know to use it?
Guest, you're looking for the Browser Console (Ctrl-Shift-J) -
https://noscript.net/abe/users.html
This is off-topic in this thread, so please start a new thread if you have further questions about making ABE exceptions.
Dashlane Broken With Update
Posted: Sat Nov 26, 2016 7:17 pm
by muhdashlane
Me and a friend's Dashlane Firefox addon broke a few days ago or so and after testing all of my addons I found disabling Noscript to be the solution. Reinstalling, resetting, or disabling features individually (including parts like ABE, allowing all scripts, etc.) did not seem to fix it. Disabling my other addons had no effect.
Edit: Can confirm that copy pasting:
Site 127.0.0.1 localhost
Accept GET from about:blank 127.0.0.1 localhost
above Abe's system ruleset appears to fix the problem. Thank you!
Re: Dashlane Broken With Update
Posted: Sat Nov 26, 2016 7:30 pm
by barbaz
@muhdashlane Merged your post with the existing thread on the problem.
Re: Noscript blocking Dashlane extension Firefox 50
Posted: Sat Nov 26, 2016 11:02 pm
by pegasus41
Guest wrote:im3or wrote:
Yes, there are. Sticky password is one of them.
I am using this ruleset to get around ABE blocking sticky password extension:
Code: Select all
Site localhost:45872
Accept GET from about:blank localhost:45872
# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny
Is "45872" specific to sticky password extension? if so, how did you know to use it?
actually i think this may be pertinent to the dashlane issue; what is "45872"?
Inquiring dashlane users may need an equivalent instead of the global allow all 127.0.0.1
Mine is working for now with the global rule quoted in this thread but i am not comfortable not knowing what i am missing.
Dashlane tech support suggested disabling ABE entirely but that is the lazy-man way...
Re: Noscript blocking Dashlane extension Firefox 50
Posted: Sat Nov 26, 2016 11:15 pm
by barbaz
pegasus41 wrote:actually i think this may be pertinent to the dashlane issue; what is "45872"?
Inquiring dashlane users may need an equivalent instead of the global allow all 127.0.0.1
No such equivalent AFAIK. Based on the console messages posted earlier, Dashlane appears to use random ports with no obvious pattern.