Noscript Breaks Disqus - again

Ask for help about NoScript, no registration needed to post
TalonKarrde
Posts: 12
Joined: Fri May 13, 2011 8:50 pm

Noscript Breaks Disqus - again

Post by TalonKarrde »

Symptom: large disqus threads don't load. (small ones, do, occasionally)
I'm logged in as disqus user

Allow all scripts does NOT fix the issue.
Disabling NoScript does fix the issue.

Noscript Version is 5.1.8.2 on Firefox ESR 52.5.2 (32bit)
No other adblock or content control extensions are present.

I already tried adding .disqus.com to both noscript.clearClick.exceptions and noscript.clearClick.subexceptions (as advised in earlier threads in this forum) , but that doesnt help.

console output for that page (yeah, its Breitbart) (with allow all scripts)

Code: Select all

Connect V5 version : 2.9 loaded  connectV5.js:1:19742
XML Parsing Error: syntax error
Location: http://www.breitbart.com/video/2017/12/10/nikki-haley-trumps-accusers-heard/
Line Number 1, Column 1:  nikki-haley-trumps-accusers-heard:1:1
INIT request received from publisher page with config :  Object { widgetId: "NBzIDXyaTGIG-alRGD80gG0EgZYntzADRCa…", template: "NM07" }  connectV5.js:1:19725
Next widget loading invoked in queue  connectV5.js:1:19742
Found next Adunit in queue  connectV5.js:1:19742
New Direct AN ID publisher Integration  connectV5.js:1:19742
Rendering Standard widget : NBzIDXyaTGIG-alRGD80gG0EgZYntzADRCaNSDUQ  connectV5.js:1:19742
RenderJS invoked  connectV5.js:1:19742
AN: Unable to track viewability. Unfriendly Iframe Error  render.v1.js:1:2501
New Publisher Widget loaded successfully  connectV5.js:1:19742
Next widget loading invoked in queue  connectV5.js:1:19742
Adunit processing queue is clear  connectV5.js:1:19742
An unbalanced tree was written using document.write() causing data from the network to be reparsed. For more information https://developer.mozilla.org/en/Optimizing_Your_Pages_for_Speculative_Parsing  232_16_16.html:1
Script from “http://s.xp1.ru4.com/smarttagevent?_o=26476&_t=64691330&_callback=window.SmartTag.jsonpCallbacks.request_0” was blocked because of a disallowed MIME type.  nikki-haley-trumps-accusers-heard
An unbalanced tree was written using document.write() causing data from the network to be reparsed. For more information https://developer.mozilla.org/en/Optimizing_Your_Pages_for_Speculative_Parsing  232_6_16.html:1
An unbalanced tree was written using document.write() causing data from the network to be reparsed. For more information https://developer.mozilla.org/en/Optimizing_Your_Pages_for_Speculative_Parsing  232_16_1.html:1
An unbalanced tree was written using document.write() causing data from the network to be reparsed. For more information https://developer.mozilla.org/en/Optimizing_Your_Pages_for_Speculative_Parsing  232_16_2.html:1
An unbalanced tree was written using document.write() causing data from the network to be reparsed. For more information https://developer.mozilla.org/en/Optimizing_Your_Pages_for_Speculative_Parsing  232_16_6.html:1
An unbalanced tree was written using document.write() causing data from the network to be reparsed. For more information https://developer.mozilla.org/en/Optimizing_Your_Pages_for_Speculative_Parsing  232_6_1.html:1
Content Security Policy: Directive ‘frame-src’ has been deprecated. Please use directive ‘child-src’ instead.  (unknown)
An unbalanced tree was written using document.write() causing data from the network to be reparsed. For more information https://developer.mozilla.org/en/Optimizing_Your_Pages_for_Speculative_Parsing  232_6_6.html:1
This site appears to use a scroll-linked positioning effect. This may not work well with asynchronous panning; see https://developer.mozilla.org/docs/Mozilla/Performance/ScrollLinkedEffects for further details and to join the discussion on related tools and features!  nikki-haley-trumps-accusers-heard
GET 
https://c.disquscdn.com/next/embed/lounge.load.js [HTTP/2.0 404 Not Found 55ms]
The resource from “https://c.disquscdn.com/next/embed/lounge.load.js” was blocked due to MIME type mismatch (X-Content-Type-Options: nosniff).  comments
Any help is appreciated.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
djl47
Posts: 16
Joined: Tue Nov 21, 2017 4:32 am

Re: Noscript Breaks Disqus - again

Post by djl47 »

Doesn't work for me at the link in your post. Disqus works fine for me at Instapundit but not at pjmedia posts outside of Instapundit. Disqus also works when I went to https://blog.disqus.com/disqus-and-zeta
Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
djl47
Posts: 16
Joined: Tue Nov 21, 2017 4:32 am

Re: Noscript Breaks Disqus - again

Post by djl47 »

I found the problem. I was getting XSS warning popups on another screen. I cleared those and tried a post at pjmedia and got another XSS warning. I allowed the XSS and Disqus loaded without any further problem.
Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
darby
Posts: 5
Joined: Mon Dec 11, 2017 10:13 am

Re: Noscript Breaks Disqus - again

Post by darby »

Getting the same issue the other day. Will try that, thanks!
Mozilla/5.0 (Windows NT 10.0; rv:57.0) Gecko/20100101 Firefox/57.0
possum

Re: Noscript Breaks Disqus - again

Post by possum »

Same problem.

I get no warnings but found it's OK if I turn off XSS sanitisation.

This is v 5.1.8.3 on waterfox 55.2.2
Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.2.2 Waterfox/55.2.2
Buckaroo Bonjovi

Re: Noscript Breaks Disqus - again

Post by Buckaroo Bonjovi »

I'm using TOR which has NoScript built in. Default configuration for everything. I also see Disqus threads hanging when the browser attempts to load them.

Doesn't seem right I should have to disable XSS protection to get it loading. What changed? I noticed that some disqus sites load, but not others. Has there been some political targeting?

I'm not able to post the console log because the "anti-spam filter" blocks my post. I tried several times.
Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0
TalonKarrde
Posts: 12
Joined: Fri May 13, 2011 8:50 pm

Re: Noscript Breaks Disqus - again

Post by TalonKarrde »

Hi,

as this issue seems to persist:

has this problem been recognized as a bug by those in charge of fixing things?
is there an ETA for a fix?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
TalonKarrde
Posts: 12
Joined: Fri May 13, 2011 8:50 pm

Re: Noscript Breaks Disqus - again

Post by TalonKarrde »

djl47 wrote:I found the problem. I was getting XSS warning popups on another screen. I cleared those and tried a post at pjmedia and got another XSS warning. I allowed the XSS and Disqus loaded without any further problem.
I have no idea what you are talking about. What is "another screen", what are "xss popups" and how do you "clear them" ?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
jawz101
Senior Member
Posts: 71
Joined: Sun Jul 10, 2011 11:13 pm

Re: Noscript Breaks Disqus - again

Post by jawz101 »

I, for one, can't stand Disqus. I think it's more on there end that the way they do things basically requires you to revert every protection you have in place. If I mess with referer control it breaks logins, first party isolation breaks logins, blocking 3rd party cookies breaks logins.. .I've never been able to consistently log into a site using Disqus because once I do, I probably cleaned my cookies or toggled a preference back to something else and suddenly I'm back to a broken Disqus login.
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
TalonKarrde
Posts: 12
Joined: Fri May 13, 2011 8:50 pm

Re: Noscript Breaks Disqus - again

Post by TalonKarrde »

jawz101 wrote:I, for one, can't stand Disqus. I think it's more on there end that the way they do things basically requires you to revert every protection you have in place.
That is not the point. NoScript has a problem here, evidenced by the fact that deactivating noscript is the only thing that remedies the problem

Whoever is in charge here - please fix that Disqus issue! Disqus is the comments engine behind hundred of large and small web sites.

Right now, noscript users are prevented from participating in internet debates all over the place!
Please fix that!!!
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Pansa
Senior Member
Posts: 318
Joined: Fri Nov 24, 2017 10:30 pm

Re: Noscript Breaks Disqus - again

Post by Pansa »

TalonKarrde wrote:
Right now, noscript users are prevented from participating in internet debates all over the place!
Please fix that!!!
Some are, some are not.
Loading comment chains works fine here (although not in the build you mention, I don't run that).
After allowing both …disqus.com and …disquscdn.com

It shows comments just fine (I guess the 8000+ on that breitbart drat count as "large"?)
The thing with noscript in general is, there is a lot of "user error" that can be experienced, and in those cases, without actually knowing the specific settings of a user, it can't necessarily be established whether there actually IS a bug.
If reproducing behaviour fails, chances are it's the user settings and not the addons fault.

Someone above pointed out that lack of 3rd party cookies interferes (which makes sense because discuss is technically a third party on any given page that embeds it)

The basic problem is, Noscript allows you to mess with webpages. Depending on what you decide more or less. If you decide in a way that conflicts with the websites intend, it will probably not show it in an expected way.
What is "another screen", what are "xss popups" and how do you "clear them" ?
another screen : The other monitor/display device in a dual/multi display setup.

xss popup : a seperate window being created warning you of a cross site scripting call, requiring user input about how to proceed (allow/block once/always)

cross site scripting : a page calling another pages scripts, but not in the regular way properly announcing it, but acting like it is their own script.

clearing them : Making a choice, therefore stopping the pause of loading that script until you allow it (or not).

Which brings us back to settings: If you for instance generally block Xss calls, and don't have them set to "ask me", it won't ask, and thus not create a popup, thus just block the call, which might break something you want to work.

Tldr:
The chance is that it isn't Noscripts fault, but some setting or another that you don't know that you deny something that you want allowed.
Hard to troubleshoot without proper information, and even harder to actually establish as "bug".
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
NRG

Re: Noscript Breaks Disqus - again

Post by NRG »

the solution is very simple:

Open NoScript options and set the XXS pannel adding ^https://disqus.com inside it as in the bottom image:



https://i.postimg.cc/hGJpZ4q3/No-Script-Settings.png
Last edited by barbaz on Sun Jul 07, 2019 5:52 pm, edited 1 time in total.
Reason: fix typo: make suggestion written in post consistent with screenshot
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:56.0) Gecko/20100101 Firefox/56.0 Waterfox/56.2.11
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Noscript Breaks Disqus - again

Post by barbaz »

@NRG While that could be a good solution, please note that it allows every site to XSS disqus.com. Some more info is needed to get a sense of how safe that is.

Could you please open Browser Console (Cmd-Shift-J) and post the NoScript InjectionChecker and NoScript XSS messages associated with breaking Disqus?
(temporarily remove the exception for this)
*Always* check the changelogs BEFORE updating that important software!
-
Capimoska

Re: Noscript Breaks Disqus - again

Post by Capimoska »

NRG wrote: Sun Jul 07, 2019 7:30 am the solution is very simple:

Open NoScript options and set the XXS pannel adding ^https://disqus.com inside it as in the bottom image:



https://i.postimg.cc/hGJpZ4q3/No-Script-Settings.png
Just letting you know, I had the same problem in Firefox 70.0.1 (64) on Windows 7 and NoScript looks completely different, so couldn't do that.
When clicking in the NoScript button "disqus.com" was not even in the list of scripts (neither blocked or allowed).

Had to go to Options>Advanced
Click in "Delete all XSS options" (careful, no confirmation prompted)
And know it works, Disqus (and others) appear in the list and ypu can manually block/unblock them (well, depending on your settings).

Not sure how safe is this, but hope it helps someone.
Last edited by barbaz on Sun Nov 10, 2019 10:23 am, edited 1 time in total.
Reason: kill board-generated link
Mozilla/5.0 (Android 9; Mobile; rv:68.0) Gecko/68.0 Firefox/68.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Noscript Breaks Disqus - again

Post by barbaz »

Capimoska wrote: Sun Nov 10, 2019 9:59 am Just letting you know, I had the same problem in Firefox 70.0.1 (64) on Windows 7 and NoScript looks completely different,
Because this thread is about NoScript Classic, while you're using NoScript Webext. Maybe it would be better to discuss NoScript Webext effects on Disqus in a separate thread, to avoid confusion?
Capimoska wrote: Sun Nov 10, 2019 9:59 am Had to go to Options>Advanced
Click in "Delete all XSS options" (careful, no confirmation prompted)
And know it works, Disqus (and others) appear in the list and ypu can manually block/unblock them (well, depending on your settings).

Not sure how safe is this, but hope it helps someone.
It's safe in that it won't compromise your NoScript security. It just means NoScript will prompt you again next time it encounters a possible XSS attempt from any site you previously "Always blocked" or "Always allowed" XSS attempt.
*Always* check the changelogs BEFORE updating that important software!
-
Post Reply