NoScript causes AVSForum website to hang/crash FF

Ask for help about NoScript, no registration needed to post
rms8
Posts: 3
Joined: Tue Jun 06, 2017 8:38 pm

NoScript causes AVSForum website to hang/crash FF

Post by rms8 »

Hi,

I noticed over the last 2 or so weeks that I can no longer access the web site AVSForums (http://www.avsforum.com/forum/index.php).

When I click my bookmark in Firefox, the website comes up, but it freezes Firefox ("not responding"), then it crashes. After blocking each add-on individually, I discovered that this behavior for this site only happens with NoScript enabled. I added avsforum.com to NoScript's whitelist, but that did not help.

At this time, I have removed NoScript.

Any advice?

Thanks.
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
barbaz
Senior Member
Posts: 11064
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript causes AVSForum website to hang/crash FF

Post by barbaz »

I see a little slowness with Scripts Globally Allowed, but it's not too bad.

Console output -

Code:

Empty string passed to getElementById().  brand:3:8
Password fields present on an insecure (http://) page. This is a security risk that allows user login credentials to be stolen.[Learn More]  index.php
GET http://www.advertnetworks.com/://ads.vb-api.com/in/campaign/5 [HTTP/1.1 404 Not Found 59ms]
[NoScript InjectionChecker] JavaScript Injection in b;a.google_image_requests.push(c)};var
(function anonymous() {
b;a.google_image_requests.push(c) /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS]: sanitized window.name, "1-0-8;6740;<html><head></head><body leftMargin="0" topMargin="0" marginwidth="0" marginheight="0"><script src="https://tpc.googlesyndication.com/safeframe/1-0-8/js/ext.js"></script><script>(function(){var g=this,l=function(a,b){var c=a.split("."),d=g;c[0]in d||!d.execScript||d.execScript("var "+c[0]);for(var e;c.length&&(e=c.shift());)c.length||void 0===b?d=d[e]?d[e]:d[e]={}:d[e]=b},m=function(a,b,c){return a.call.apply(a.bind,arguments)},n=function(a,b,c){if(!a)throw Error();if(2<arguments.length){var d=Array.prototype.slice.call(arguments,2);return function(){var c=Array.prototype.slice.call(arguments);Array.prototype.unshift.apply(c,d);return a.apply(b,c)}}return function(){return a.apply(b,arguments)}},p=function(a,b,c){p=Function.prototype.bind&&-1!=Function.prototype.bind.toString().indexOf("native code")?m:n;return p.apply(null,arguments)},q=Date.now||function(){return+new Date};var r=document,s=window;var t=function(a,b){for(var c in a)Ob
http://tpc.googlesyndication.com/safeframe/1-0-8/html/container.html
http://tpc.googlesyndication.com/safeframe/1-0-8/html/container.html
adserver.adtechus.com : server does not support RFC 5746, see CVE-2009-3555  (unknown)
adt.pxl.ace.advertising.com : server does not support RFC 5746, see CVE-2009-3555  (unknown)
ums.adtechus.com : server does not support RFC 5746, see CVE-2009-3555  (unknown)
[NoScript InjectionChecker] JavaScript Injection in b;a.google_image_requests.push(c)};var
(function anonymous() {
b;a.google_image_requests.push(c) /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS]: sanitized window.name, "1-0-8;6166;<html>
<head>
</head><body><script src="https://tpc.googlesyndication.com/safeframe/1-0-8/js/ext.js"></script><script>(function(){var g=this,l=function(a,b){var c=a.split("."),d=g;c[0]in d||!d.execScript||d.execScript("var "+c[0]);for(var e;c.length&&(e=c.shift());)c.length||void 0===b?d=d[e]?d[e]:d[e]={}:d[e]=b},m=function(a,b,c){return a.call.apply(a.bind,arguments)},n=function(a,b,c){if(!a)throw Error();if(2<arguments.length){var d=Array.prototype.slice.call(arguments,2);return function(){var c=Array.prototype.slice.call(arguments);Array.prototype.unshift.apply(c,d);return a.apply(b,c)}}return function(){return a.apply(b,arguments)}},p=function(a,b,c){p=Function.prototype.bind&&-1!=Function.prototype.bind.toString().indexOf("native code")?m:n;return p.apply(null,arguments)},q=Date.now||function(){return+new Date};var r=document,s=window;var t=function(a,b){for(var c in a)Object.prototype.hasOwnProperty.call(a,c)&&b.call(null,a[c],c,
http://tpc.googlesyndication.com/safeframe/1-0-8/html/container.html?n=1
http://tpc.googlesyndication.com/safeframe/1-0-8/html/container.html?n=1
COX.Service.fetchAds  cdsad.js:10:6534
COX.Util.writeScript  cdsad.js:10:3889
placing as2000001722207  cdsad.js:10:7106
COX.Service.fetchAds  cdsad.js:10:6534
COX.Util.writeScript  cdsad.js:10:3889
placing as2000001696707  cdsad.js:10:7106
js.casalemedia.com:443 uses an invalid security certificate.

The certificate is only valid for the following names:
  *.akamaihd.net, *.akamaihd-staging.net, *.akamaized-staging.net, *.akamaized.net, a248.e.akamai.net  

Error code: <a id="errorCode" title="SSL_ERROR_BAD_CERT_DOMAIN">SSL_ERROR_BAD_CERT_DOMAIN</a>
  (unknown)
[NoScript InjectionChecker] HTML injection:
<script
matches <[^\w<>]*(?:[^<>"'\s]*:)?[^\w<>]*(?:\W*(?:\/[*/][\s\S]*)?s\W*(?:\/[*/][\s\S]*)?c\W*(?:\/[*/][\s\S]*)?r\W*(?:\/[*/][\s\S]*)?i\W*(?:\/[*/][\s\S]*)?p\W*(?:\/[*/][\s\S]*)?t|\W*(?:\/[*/][\s\S]*)?f\W*(?:\/[*/][\s\S]*)?o\W*(?:\/[*/][\s\S]*)?r\W*(?:\/[*/][\s\S]*)?m|\W*(?:\/[*/][\s\S]*)?s\W*(?:\/[*/][\s\S]*)?t\W*(?:\/[*/][\s\S]*)?y\W*(?:\/[*/][\s\S]*)?l\W*(?:\/[*/][\s\S]*)?e|\W*(?:\/[*/][\s\S]*)?s\W*(?:\/[*/][\s\S]*)?v\W*(?:\/[*/][\s\S]*)?g|\W*(?:\/[*/][\s\S]*)?m\W*(?:\/[*/][\s\S]*)?a\W*(?:\/[*/][\s\S]*)?r\W*(?:\/[*/][\s\S]*)?q\W*(?:\/[*/][\s\S]*)?u\W*(?:\/[*/][\s\S]*)?e\W*(?:\/[*/][\s\S]*)?e|(?:\W*(?:\/[*/][\s\S]*)?l\W*(?:\/[*/][\s\S]*)?i\W*(?:\/[*/][\s\S]*)?n\W*(?:\/[*/][\s\S]*)?k|\W*(?:\/[*/][\s\S]*)?o\W*(?:\/[*/][\s\S]*)?b\W*(?:\/[*/][\s\S]*)?j\W*(?:\/[*/][\s\S]*)?e\W*(?:\/[*/][\s\S]*)?c\W*(?:\/[*/][\s\S]*)?t|\W*(?:\/[*/][\s\S]*)?e\W*(?:\/[*/][\s\S]*)?m\W*(?:\/[*/][\s\S]*)?b\W*(?:\/[*/][\s\S]*)?e\W*(?:\/[*/][\s\S]*)?d|\W*(?:\/[*/][\s\S]*)?a\W*(?:\/[*/][\s\S]*)?p\W*(?:\/[*/][\s\S]*)?p\W*(?:\/[*/][\s\S]*)?l\W*(?:\/[*/][\s\S]*)?e\W*(?:\/[*/][\s\S]*)?t|\W*(?:\/[*/][\s\S]*)?p\W*(?:\/[*/][\s\S]*)?a\W*(?:\/[*/][\s\S]*)?r\W*(?:\/[*/][\s\S]*)?a\W*(?:\/[*/][\s\S]*)?m|\W*(?:\/[*/][\s\S]*)?i?\W*(?:\/[*/][\s\S]*)?f\W*(?:\/[*/][\s\S]*)?r\W*(?:\/[*/][\s\S]*)?a\W*(?:\/[*/][\s\S]*)?m\W*(?:\/[*/][\s\S]*)?e|\W*(?:\/[*/][\s\S]*)?b\W*(?:\/[*/][\s\S]*)?a\W*(?:\/[*/][\s\S]*)?s\W*(?:\/[*/][\s\S]*)?e|\W*(?:\/[*/][\s\S]*)?b\W*(?:\/[*/][\s\S]*)?o\W*(?:\/[*/][\s\S]*)?d\W*(?:\/[*/][\s\S]*)?y|\W*(?:\/[*/][\s\S]*)?m\W*(?:\/[*/][\s\S]*)?e\W*(?:\/[*/][\s\S]*)?t\W*(?:\/[*/][\s\S]*)?a|\W*(?:\/[*/][\s\S]*)?i\W*(?:\/[*/][\s\S]*)?m\W*(?:\/[*/][\s\S]*)?a?\W*(?:\/[*/][\s\S]*)?g\W*(?:\/[*/][\s\S]*)?e?|\W*(?:\/[*/][\s\S]*)?v\W*(?:\/[*/][\s\S]*)?i\W*(?:\/[*/][\s\S]*)?d\W*(?:\/[*/][\s\S]*)?e\W*(?:\/[*/][\s\S]*)?o|\W*(?:\/[*/][\s\S]*)?a\W*(?:\/[*/][\s\S]*)?u\W*(?:\/[*/][\s\S]*)?d\W*(?:\/[*/][\s\S]*)?i\W*(?:\/[*/][\s\S]*)?o|\W*(?:\/[*/][\s\S]*)?b\W*(?:\/[*/][\s\S]*)?i\W*(?:\/[*/][\s\S]*)?n\W*(?:\/[*/][\s\S]*
)?d\W*(?:\/[*/][\s\S]*)?i\W*(?:\/[*/][\s\S]*)?n\W*(?:\/[*/][\s\S]*)?g\W*(?:\/[*/][\s\S]*)?s|\W*(?:\/[*/][\s\S]*)?s\W*(?:\/[*/][\s\S]*)?e\W*(?:\/[*/][\s\S]*)?t|\W*(?:\/[*/][\s\S]*)?i\W*(?:\/[*/][\s\S]*)?s\W*(?:\/[*/][\s\S]*)?i\W*(?:\/[*/][\s\S]*)?n\W*(?:\/[*/][\s\S]*)?d\W*(?:\/[*/][\s\S]*)?e\W*(?:\/[*/][\s\S]*)?x|\W*(?:\/[*/][\s\S]*)?a\W*(?:\/[*/][\s\S]*)?n\W*(?:\/[*/][\s\S]*)?i\W*(?:\/[*/][\s\S]*)?m\W*(?:\/[*/][\s\S]*)?a\W*(?:\/[*/][\s\S]*)?t\W*(?:\/[*/][\s\S]*)?e|\W*(?:\/[*/][\s\S]*)?t\W*(?:\/[*/][\s\S]*)?e\W*(?:\/[*/][\s\S]*)?m\W*(?:\/[*/][\s\S]*)?p\W*(?:\/[*/][\s\S]*)?l\W*(?:\/[*/][\s\S]*)?a\W*(?:\/[*/][\s\S]*)?t\W*(?:\/[*/][\s\S]*)?e)[^>\w])|['"\s\0/](?:formaction|style|background|src|lowsrc|ping|innerhtml|data-bind|(?:data-)?mv-(?:\w+[\w-]*)|on(?:c(?:o(?:n(?:nect(?:i(?:on(?:statechanged|available)|ng)|ed)?|t(?:rollerchange|extmenu))|m(?:p(?:osition(?:update|start|end)|lete)|mand(?:update)?)|py)|h(?:a(?:r(?:ging(?:time)?change|acteristicchanged)|nge)|ecking)|a(?:n(?:play(?:through)?|cel)|(?:llschang|ch)ed|rdstatechange)|u(?:rrent(?:channel|source)changed|echange|t)|l(?:i(?:rmodechange|ck)|ose)|fstatechange)|p(?:o(?:inter(?:l(?:ock(?:change|error)|eave)|o(?:ver|ut)|cancel|enter|down|move|up)|p(?:up(?:hid(?:den|ing)|show(?:ing|n)|positioned)|state))|a(?:i(?:ring(?:con(?:firmation|sent)req|aborted)|nt)|ge(?:hide|show)|(?:st|us)e)|u(?:ll(?:vcard(?:listing|entry)|phonebook)req|sh(?:subscriptionchange)?)|(?:[is]|ending|ty)change|lay(?:ing)?|rogress|hoto)|d(?:e(?:vice(?:p(?:roximity|aired)|(?:orienta|mo)tion|(?:unpaire|foun)d|change|light)|l(?:ivery(?:success|error)|eted))|i(?:s(?:c(?:hargingtimechange|onnect(?:ing|ed)?)|playpasskeyreq|abled)|aling)|r(?:a(?:g(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)?|in)|op)|ata(?:(?:availabl|chang)e|error)?|urationchange|ownloading|blclick)|m(?:o(?:z(?:(?:network(?:down|up)loa|accesskeynotfoun)d|pointerlock(?:change|error)|(?:orientation|time)change|fullscreen(?:change|error)|key(?:down|up)onplugin)|use(?:l(?:ongtap|eav
e)|o(?:ver|ut)|enter|wheel|down|move|up))|a(?:p(?:se(?:tmessagestatus|ndmessage)|message(?:slisting|update)|folderlisting|getmessage)req|rk)|essage)|a(?:n(?:imation(?:iteration|cancel|start|end)|tennaavailablechange)|d(?:d(?:sourcebuffer|track)|apter(?:remov|add)ed)|ttribute(?:(?:write|read)req|changed)|u(?:dio(?:process|start|end)|xclick)|b(?:solutedeviceorientation|ort)|(?:2dpstatuschang|ppinstall)ed|fter(?:scriptexecute|print)|ctiv(?:estatechanged|ate)|lerting)|s(?:t(?:a(?:t(?:uschanged|echange)|lled|rt)|o(?:rage(?:areachanged)?|p)|k(?:sessione|comma)nd)|e(?:lect(?:ionchange|start)?|ek(?:ing|ed)|n(?:ding|t)|t)|ou(?:rce(?:(?:clos|end)ed|open)|nd(?:start|end))|c(?:(?:anningstate|ostatus)changed|roll)|pe(?:akerforcedchange|ech(?:start|end))|u(?:ccess|spend|bmit)|how)|r(?:e(?:s(?:ourcetimingbufferfull|u(?:m(?:ing|e)|lt)|ponseprogress|ize|et)|mo(?:ve(?:sourcebuffer|track)|te(?:resume|hel)d)|ad(?:y(?:statechange)?|success|error)|quest(?:mediaplaystatu|progres)s|pea(?:tEven)?t|loadpage|trieving|ceived)|(?:(?:adiost)?ate|t)change|ds(?:dis|en)abled)|Moz(?:S(?:wipeGesture(?:(?:May)?Start|Update|End)?|crolledAreaChanged)|M(?:agnifyGesture(?:Update|Start)?|ouse(?:PixelScroll|Hittest))|EdgeUI(?:C(?:omplet|ancel)|Start)ed|RotateGesture(?:Update|Start)?|(?:Press)?TapGesture|AfterPaint)|w(?:eb(?:kit(?:Animation(?:Iteration|Start|End)|animation(?:iteration|start|end)|(?:TransitionE|transitione)nd)|socket)|a(?:iting(?:forkey)?|rning)|heel)|DOM(?:Node(?:Inserted(?:IntoDocument)?|Removed(?:FromDocument)?)|(?:CharacterData|Subtree)Modified|A(?:ttrModified|ctivate)|Focus(?:Out|In)|MouseScroll)|b(?:e(?:fore(?:(?:evicte|unloa)d|p(?:aste|rint)|scriptexecute|c(?:opy|ut))|gin(?:Event)?)|u(?:fferedamountlow|sy)|l(?:ocked|ur)|roadcast|oundary)|v(?:rdisplay(?:(?:presentchang|activat)e|d(?:eactivate|isconnect)|connect)|o(?:ice(?:schanged|change)|lumechange)|ersionchange)|e(?:n(?:ter(?:pincodereq)?|(?:crypt|abl)ed|d(?:Event|ed)?)|m(?:ergencycbmodechange|ptied)|(?:itbroadcas|vic)ted|rror|xit)|t(
?:o(?:uch(?:cancel|start|move|end)|ggle)|ransition(?:cancel|start|end|run)|ime(?:update|out)|e(?:rminate|xt)|ypechange)|l(?:o(?:ad(?:e(?:d(?:meta)?data|nd)|ing(?:error|done)?|start)?|stpointercapture)|(?:anguage|evel)change|y)|o(?:(?:(?:rientation|tastatus)chang|(?:ff|n)lin)e|b(?:expasswordreq|solete)|verflow(?:changed)?|pen)|u(?:p(?:date(?:(?:fou|e)nd|ready|start)?|gradeneeded)|s(?:erproximity|sdreceived)|n(?:derflow|load))|g(?:amepad(?:(?:dis)?connected|button(?:down|up)|axismove)|(?:otpointercaptur|roupchang)e|et)|f(?:ullscreen(?:change|error)|ocus(?:out|in)?|requencychange|(?:inis|etc)h|ailed)|i(?:cc(?:(?:info)?change|(?:un)?detected)|n(?:coming|stall|valid|put))|h(?:(?:fp|id)statuschanged|e(?:adphoneschange|ld)|ashchange|olding)|n(?:o(?:tificationcl(?:ick|ose)|update|match)|ewrdsgroup)|SVG(?:(?:Unl|L)oad|Resize|Scroll|Zoom)|key(?:statuseschange|press|down|up)|(?:AppComman|Loa)d|Request|zoom))[\s\0]*=|<%[\s\S]+[=(][\s\S]+%>
[NoScript XSS]: sanitized window.name, "1-0-8;10166;<!doctype html><html><head><script>var google_casm=["",0,null,0,0];</script></head><body leftMargin="0" topMargin="0" marginwidth="0" marginheight="0"><DIV STYLE="position: absolute; left: 0px; top: 0px; visibility: hidden;"><IMG SRC="https://pagead2.googlesyndication.com/pagead/gen_204?id=xbid&dbm_b=AKAmf-AYHZ54Cf4siHnD_UmC6RzP09gRPBs_wTHM3U6Ne_9WTulTsTePRJOuU0jVQ21wxaWPK4a0WiA4v0wMBQhVN1c5Gy644gFVJz6yDBjAj53KfMZ5tB0" BORDER=0 WIDTH=1 HEIGHT=1 ALT="" STYLE="display:none"></DIV><div><div style="position:relative; display:inline-block;"><div class="GoogleActiveViewClass" id="DfaVisibilityIdentifier_1445171482"><script language='javascript' src="https://googleads.g.doubleclick.net/dbm/ad?dbm_c=AKAmf-APZrYJMB8To9gOzQ0E1Jt0t21hLbzdnREyqDvSLcve6NKDxqith0L5ZcHqAw33BmVb8o2D&dbm_d=AKAmf-CB458A6YjqnZV1Y75HWyh4AvVXeS-TvuS-vZTIIlq5nPFKCHko3naBtEtF4wslBDWvTifKhggu8HHHW7TrEaveGUnyc-tsBnNUZ3iTMykTFvAPCHRmi49Si2-MpQ-m1ojcIfr-VQp3r3w9yU7Gni-hokTjLJER
http://tpc.googlesyndication.com/safeframe/1-0-8/html/container.html?n=1
http://tpc.googlesyndication.com/safeframe/1-0-8/html/container.html?n=1
pixel.advertising.com : server does not support RFC 5746, see CVE-2009-3555  (unknown)
ox.pxl.ace.advertising.com : server does not support RFC 5746, see CVE-2009-3555  (unknown)

*Always* check the changelogs BEFORE updating that important software!
-
barbaz
Senior Member
Posts: 11064
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript causes AVSForum website to hang/crash FF

Post by barbaz »

And the duration of this slowness can be MUCH reduced with the following changes -

1) NoScript Options > Advanced > XSS, add these exceptions

Code:

^@https?://tpc\.googlesyndication\.com/
^https?://tpc\.googlesyndication\.com/

Because those exceptions are NOT SAFE, we need to completely block tpc.googlesyndication. So,

2) NoScript Options > Advanced > ABE > USER, add

Code:

Site tpc.googlesyndication.com
Deny

Last edited by barbaz on Sun Jul 09, 2017 4:03 pm, edited 1 time in total.
Reason: typos
-
rms8
Posts: 3
Joined: Tue Jun 06, 2017 8:38 pm

Re: NoScript causes AVSForum website to hang/crash FF

Post by rms8 »

barbaz wrote: And the duration of this slowness can be MUCH reduced with the following changes -

1) NoScript Options > Advanced > XSS, add these exceptions

Code:

^@https?://tpc\.googlesyndycation\.com/
^https?://tpc\.googlesyndycation\.com/

Because those exceptions are NOT SAFE, we need to completely block tpc.googlesyndication. So,

2) NoScript Options > Advanced > ABE > USER, add

Code:

Site tpc.googlesyndication.com
Deny

I added the items you suggested above, but no dice. The site still hangs up, then crashes FF with NoScript enabled.

Anything else I can try?

Thanks all
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0
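
Added example, not part of any post in this thread: a small Node.js check of which requests the two XSS exception lines from step 1 would exempt, run once for the spelling in barbaz's post and once for the spelling that appears in the quoted copy. It assumes each pattern is tested against the destination URL and against `@` plus the request's source URL; the look-alike host and all function names are constructed for illustration.

```javascript
// Added example: which requests do these XSS exception lines exempt?
// Assumption: each pattern is tested against the destination URL and against
// "@" + source URL, so "^@..." lines can only match the source side.
const POSTED = [
  String.raw`^@https?://tpc\.googlesyndication\.com/`,
  String.raw`^https?://tpc\.googlesyndication\.com/`,
];
const AS_QUOTED = [ // spelling as it appears in the quoted copy
  String.raw`^@https?://tpc\.googlesyndycation\.com/`,
  String.raw`^https?://tpc\.googlesyndycation\.com/`,
];

const SAFEFRAME = // URL taken from the console output in the thread
  "http://tpc.googlesyndication.com/safeframe/1-0-8/html/container.html?n=1";
const FORUM = "http://www.avsforum.com/forum/index.php"; // from the first post
const LOOKALIKE = // constructed host that merely starts with the same label
  "http://tpc.googlesyndication.com.example.net/container.html";

const REQUESTS = [
  { name: "forum -> safeframe", source: FORUM, destination: SAFEFRAME },
  { name: "safeframe -> forum", source: SAFEFRAME, destination: FORUM },
  { name: "forum -> look-alike", source: FORUM, destination: LOOKALIKE },
  { name: "forum -> forum", source: FORUM, destination: FORUM },
];

// Patterns that would switch the XSS filter off for this request.
function matchingExceptions(patterns, request) {
  const subjects = [request.destination, "@" + request.source];
  return patterns.filter((p) => subjects.some((s) => new RegExp(p).test(s)));
}

function audit(patterns) {
  return REQUESTS.map((r) => ({
    name: r.name,
    exemptedBy: matchingExceptions(patterns, r),
  }));
}

for (const [label, set] of [["as posted", POSTED], ["as quoted", AS_QUOTED]]) {
  console.log(label);
  for (const { name, exemptedBy } of audit(set)) {
    console.log(`  ${name}: ${exemptedBy.join(" | ") || "still filtered"}`);
  }
}
```

Under that assumption, the patterns as posted exempt only requests to or from tpc.googlesyndication.com, and the look-alike host stays filtered because the pattern requires a `/` directly after `.com`. The quoted spelling exempts none of the sample requests.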
barbaz
Senior Member
Posts: 11064
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript causes AVSForum website to hang/crash FF

Post by barbaz »

I notice that the site loads script from facebook.net. Does it help if, additionally, you Mark facebook.net as Untrusted?
-
rms8
Posts: 3
Joined: Tue Jun 06, 2017 8:38 pm

Re: NoScript causes AVSForum website to hang/crash FF

Post by rms8 »

barbaz wrote: I notice that the site loads script from facebook.net. Does it help if, additionally, you Mark facebook.net as Untrusted?

How do I add "facebook.net" to the Untrusted?
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0
barbaz
Senior Member
Posts: 11064
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript causes AVSForum website to hang/crash FF

Post by barbaz »

NoScript menu > Untrusted > Mark facebook.net as Untrusted
-
Guest

Re: NoScript causes AVSForum website to hang/crash FF

Post by Guest »

barbaz wrote: NoScript menu > Untrusted > Mark facebook.net as Untrusted

A bit unrelated, this solves a similar problem with Letterboxd. Going to a film page would cause FF to hang/crash when NoScript is enabled AND FF is not in Private mode. Thanks.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0
trice001
Posts: 1
Joined: Wed Jun 21, 2017 7:34 am

Re: NoScript causes AVSForum website to hang/crash FF

Post by trice001 »

thanks
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36