Weird reaction at Yahoo

[nagan]

1.9.9.27
I just logged out of yahoo mail and by default their homepage was loaded. I got a screen devouring placeholder which was immediately (shift + click)ed. There was another placeholder I found which did not give a thumbnail effect.(image attached).



Also I found NS giving a xss warning ,which I believe was told to be ignored.(image attached)


And then I find strangely the status bar (alongwith NS ,showIP)etc gone. You can see that too in the first image.

I am not able to replicate that ,but I believe it has something to do with XSS?

[Tom T.]

I've been using Yahoo mail for years, and it used to work fine before they "fixed" it. They keep making "improvements" that foobar things.

I got very tired of the redirection to the home page, although never got your symptoms, because I marked *specifically*

Code: Select all

www.yahoo.com

as Untrusted, while allowing specifically mail.yahoo.com. Obviously, you can't do that if you use some of the features at the home page, but I don't.

I was still getting the annoying redirection, though somewhat less annoying than before. I wanted to get rid of it completely. Drastic solution, use at your own risk (but it works): Navigate to your Hosts file (doesn't matter if you use a Hosts service or not): Windows > system32 > drivers > "etc". Make a backup copy of the HOSTS file, say, by copying it to the Desktop, in case anything goes wrong. Open the Hosts file, either by double-clicking or by right-clicking and open with Notepad or Wordpad.

Note the entry at the top,

Code: Select all

127.0.0.1  localhost

which *must* always be the first entry. Anywhere below that, add

Code: Select all

0.0.0.0  www.yahoo.com

Save and close everything.

Now the computer *cannot* connect directly to yahoo.com. When you exit mail, you'll get the attempted redirection, then a "Can't connect" error message. Click "OK" and go about your browsing business. Annoyance eliminated.

You can still use subdomains of Yahoo: finance.yahoo.com, news.yahoo.com, etc. This is why it's critical to use the full domain (http isn't necessary), http://www.yahoo.com. so that all other domains inside Yahoo are still allowed to connect, and you can allow their scripting if you choose to do so. You lose only that specific page, the home page/portal.

Strong measure, but it works.

[nagan]

Err .I was trying to hint at a probable bad reaction from NS. How did the status bar disappear and the thumbnail -less placeholder?

[Tom T.]

Sorry, the images weren't clear, and "full-sizing" them at imageshack cuts off the bottom of the status bar. I just figured you were as annoyed as I was at Yahoo, and might like a "permanent" fix. Back to the original issues:

Regarding the placeholder, what settings do you have in NS Options > Embeddings:
"Collapse blocked objects" and
"No placeholder for sites marked as untrusted"?

Regarding the XSS message: Could you please open Firefox Tools > Error Console, click "Errors", and copy any red Error messages and paste them here? Also please click "Messages", and post here any messages relating to NoScript. Then I, or someone else, will try to reproduce this. Thanks for your patience.

[Tom T.]

I just removed Yahoo from Hosts file, logged out of Yahoo mail, temporarily allowed everything in the world from Yahoo, etc.
No XSS message, no disappearing icons or any change in statusbar, and got a nice Flash video of a pizza being cut, as well as a little man running back and forth across the screen.

That was on Fx 2.0.0.20. Same version of NS as you.
On Fx 3.5.6, same results (nothing strange or harmful), only difference was no video of a pizza or any other ad. The ad window was blank once, despite whitelisting it in Adblock Original, and one other time, had text names of auto makers.

So other than possibly missing a thumbnail, I can't reproduce any of these. Please give more details on settings, etc. as above. Thanks.