XHR or other ?

Ask for help about NoScript, no registration needed to post
ajay11
Posts: 13
Joined: Sun Sep 30, 2018 9:22 am

XHR or other ?

Post by ajay11 »

Hello, I could really use some help even after having studied all documentation (but not - admitted - every thread of the forum).

I have been using NoSc permanently for many years. NoSc always up-to-date and of course FF up-to date. Over the last years the numbers of sites which do not work or break has slowly increased. Changing the NoSc settings does only help up to some point, and turning NoSc off all the time does not seem a good solution.

So I have tested NoSc against uMatrix to see where things go wrong (using to separate profiles, one with NoSc, one with uMatrix installed and running). It appears to me that many sites which I cannot make work with NoSc do work fine with uMatrix IF AND only IF I enable the loading of the relevant XHR/s. When I go back to the NoSc profile (same site) and enable "other" (since there is no XHR switch) this does not solve the problem. In other words, it appears to me that "other" in NoSc does not cover XHR/s as filtered in uMatrix. But what does ?

What am I missing ? Any help, hint where to look or other appreciated.
Best AJ
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:91.0) Gecko/20100101 Firefox/91.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: XHR or other ?

Post by barbaz »

See the sticky - viewtopic.php?t=26285
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0
ajay11
Posts: 13
Joined: Sun Sep 30, 2018 9:22 am

Re: XHR or other ?

Post by ajay11 »

Any chance you would try again ?
My problem is not that I do not understand which checkbox enables or disables which kind of code/object.
My problem is not that I have not tried pretty much any switch on broken sites.

My problem is that I cannot make some sites work with NoSc AT ALL, with any switches on or off (more often recently after they have gotten too many 'robo' request). So I had a feeling (I don't know enough about it) that it is related to certain XHRs. And when I tried with uMatrix, that seemed to be confirmed.

NOW please look at the sticky you mentioned again: do you see the word XHR ?
As far as I can tell (strictly amateur) none of the classes listed covers XHRs.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:95.0) Gecko/20100101 Firefox/95.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: XHR or other ?

Post by barbaz »

ajay11 wrote: Fri Apr 14, 2023 8:39 am please look at the sticky you mentioned again: do you see the word XHR ?
As far as I can tell (strictly amateur) none of the classes listed covers XHRs.
XHR is an abbreviation for "XMLHttpRequest", which yes that word is written there, but was only fully spelled out. Now added the abbreviation explicitly, thanks.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0
ajay11
Posts: 13
Joined: Sun Sep 30, 2018 9:22 am

Re: XHR or other ?

Post by ajay11 »

Thank for your patience with this problem and my inadequate description.

Unfortunately your last response only takes us back to the original problem. Since "fetch" is enabled in my "trusted" settings, and the sites described do show problems (of course) after being marked as trusted ... this does altogether not explain at all why going to uMatrix, finding specific XHRs in those problematic sites, and enabling those XHR/s does (not always but often) un-break the site.

First of all I wonder whether it is such a good idea to combine "fetch requests" and XHRs in one NoSc switch (but that is not the subject here),
second I wish NoSc (which I prefer for other reasons) cannot do what uMatrix can do.

Please comment, even if you're just a user who has run into the same problem.
Thanks
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:94.0) Gecko/20100101 Firefox/94.1
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: XHR or other ?

Post by barbaz »

1) Could you please post an example affected URL & what are your NoScript permissions on that page?

2) In the OP, you wrote
ajay11 wrote: Thu Apr 13, 2023 11:47 am I have tested NoSc against uMatrix to see where things go wrong (using to separate profiles, one with NoSc, one with uMatrix installed and running).
Which profile are you using to post here? If your NoScript profile, have you tried (as a test) disabling your User-Agent (UA) string spoofing + clearing cookies/cache/other website data?
ajay11 wrote: Sun Apr 16, 2023 8:33 am I wonder whether it is such a good idea to combine "fetch requests" and XHRs in one NoSc switch
µMatrix does the same - viewtopic.php?p=86548#p86548
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0
ajay11
Posts: 13
Joined: Sun Sep 30, 2018 9:22 am

Re: XHR or other ?

Post by ajay11 »

1) Could you please post an example affected URL & what are your NoScript permissions on that page?
I am trying and haven't found a good example yet - one

You are right, I owe you all a good example. It will come, just can't do the tests right now.
2) In the OP, you wrote
ajay11 wrote: Thu Apr 13, 2023 11:47 am I have tested NoSc against uMatrix to see where things go wrong (using to separate profiles, one with NoSc, one with uMatrix installed and running).
Which profile are you using to post here? If your NoScript profile, have you tried (as a test) disabling your User-Agent (UA) string spoofing + clearing cookies/cache/other website data?
No, I cannot log-in to the Noscript forum with my (standard) Noscript profile. When I use the uMatrix profile the informaction site works.
So in a way this is one example, just not a good one because only login is affected.

BTW the problems I have described in my OP occur without ANY other add-ons / extension installed from a clean FF installation.
Last edited by barbaz on Tue Apr 25, 2023 5:22 pm, edited 1 time in total.
Reason: fix bbcode
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:92.0) Gecko/20100101 Firefox/92.1
ajay11
Posts: 13
Joined: Sun Sep 30, 2018 9:22 am

Re: XHR or other ?

Post by ajay11 »

Okay, here is a better example I think as it shows the problem, and it doesn't come with a thousand
different scripts, and more from different sources.

url : www.moho.info (a booking site for hotels)
= how to see the problem ? use FF with NoSc, make sure the options script and fetch are enabled

= what happens ? once you choose a place and dates, the site will open a map (from OSM), and show "nothing", under the NoSc menu you will not see any problems or blocked sources, you cannot even a single hotel for your dates / any dates, the map remains empty

= what happens if you switch to FF with uMatrix ? uMatrix shows an XHR from s3.amazonaws.com which you enable, and the site works. Using NoSc the amazonaws XHR does not even show.

Please let me know what you think, or what I overlooked.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:94.0) Gecko/20100101 Firefox/94.1
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: XHR or other ?

Post by barbaz »

I'm not able to reproduce this. After selecting a place and dates and clicking "Find Now", it gives me one hotel option, and when I click the map pinpoint icon a map pulls out from the right.

Not seeing any sign of s3.amazonaws.com, neither in NoScript nor in other extensions.

At a guess, maybe it has something to do with s3.amazonaws.com being an eTLD? But I don't know any (other) example site that loads a script from the exact domain "s3.amazonaws.com" to check.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0
ajay11
Posts: 13
Joined: Sun Sep 30, 2018 9:22 am

Re: XHR or other ?

Post by ajay11 »

I don't wonna appear the wise guy, I am a long-term (but amateur) user of NoSc ... no more.
But what you say seems to confirm my findings. NoSc does block something it is not supposed to block and (and this is more important !) it does not or cannot show that it is blocking it. So the user is unaware of the problem. All he sees is that the site doesn't work. And this is at least annoying.

Do you think you could (if not asking to much time) look into it ?
- create a fresh FF profile (takes 2min)
- start this profile and add nothing but uMatrix
- start the site mentioned and look at what it does ? you are supposed to see that there are many hotels in the list and on the map ...

It would also help to see if you see the AWS XHR coming up.
Thanks !!
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:92.0) Gecko/20100101 Firefox/92.1
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: XHR or other ?

Post by barbaz »

ajay11 wrote: Mon May 01, 2023 3:22 pm Do you think you could (if not asking to much time) look into it ?
- create a fresh FF profile (takes 2min)
- start this profile and add nothing but uMatrix
- start the site mentioned and look at what it does ? you are supposed to see that there are many hotels in the list and on the map ...
Same site behavior: 1 hotel in the list, map works and shows the hotel location. Only difference is that µMatrix reported a "script" from s3.amazonaws.com - but it wasn't needed to allow it (in fact, didn't need to change µMatrix settings at all).

Trying this again, but with NoScript added in addition, NoScript too shows s3.amazonaws.com there.

Ah, I had to click "reset filter" on the site to get more hotels listed.

All mentioned site functionality seems working for me without allowing s3.amazonaws.com
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0
ajay11
Posts: 13
Joined: Sun Sep 30, 2018 9:22 am

Re: XHR or other ?

Post by ajay11 »

Okay, I think I found a better example.
Please goto https://nextcloud05.webo.cloud/login and see if you get a login prompt with FF/NoSc.
There is only one scripting source shown in the NoSc pop-up menu, and even when I turn off NoSc for that tab, the site doesn't show the login prompt, only complaints about the fact that Java scripts are STILL not enabled. When I open the same site with FF/uM, the login prompt is immediately shown.

Please do not misunderstand my intentions. I am not trying to prove NoSc doesn't work, I love this add-on. But I do still think it does not always work as intended. And finding such behavior is worth the effort.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:92.0) Gecko/20100101 Firefox/92.1
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: XHR or other ?

Post by barbaz »

ajay11 wrote: Wed May 03, 2023 12:52 pm see if you get a login prompt with FF/NoSc
Yes. It shows up as soon as I set webo.cloud to Temp. Trusted.

If you try installing NoScript latest development build in your (working) FF/µMatrix profile, leaving NoScript in completely default configuration except for setting sites to Temp. TRUSTED as needed, do these issues occur for you there?
ajay11 wrote: Wed May 03, 2023 12:52 pm Please do not misunderstand my intentions. I am not trying to prove NoSc doesn't work, I love this add-on. But I do still think it does not always work as intended. And finding such behavior is worth the effort.
No worries. Whether or not this is a universal NoScript issue, it is happening to you. And your intentions come across as you would like it fixed & are willing to put in some effort to get there.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0
ajay11
Posts: 13
Joined: Sun Sep 30, 2018 9:22 am

Re: XHR or other ?

Post by ajay11 »

If you try installing NoScript latest development build in your (working) FF/µMatrix profile, leaving NoScript in completely default configuration except for setting sites to Temp. TRUSTED as needed, do these issues occur for you there?
First I haven't tried to RESET Noscript in the FF/NoSc, I just change the settings when something doesn't work. This is because the default trusted settings open a few doors I like to keep closed (e.g. unrestricted CSS and webgl) unless I really know the site for a long time and trust it for other reasons (this is always by degree).

Now to your proposal, .... working on it ;)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:95.0) Gecko/20100101 Firefox/95.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: XHR or other ?

Post by barbaz »

ajay11 wrote: Sun May 14, 2023 6:53 am the default trusted settings open a few doors I like to keep closed (e.g. unrestricted CSS
There is no point disabling that for TRUSTED sites. A site that is allowed to run active content, especially scripts, won't need to bother with the attacks that setting is designed to protect -
Giorgio Maone wrote: Wed Mar 31, 2021 4:42 pm we assume JavaScript-enabled pages have plenty and more accurate ways to accomplish the same thing,
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/113.0
Post Reply