[RESOLVED] NoScript and IntenseDebate

Fargus
Posts: 3
Joined: Sun Nov 06, 2011 8:40 pm

Post by Fargus »

Hi,

Some sites using IntenseDebate seem to be giving me issues with NoScript. The issue started this week.

Issue: Can no longer expand threads/comments and can no longer thumb comments up/down.

Example: URL: http://thechive.com. I've always allowed the following in NoScript: thechive.com, intensedebate.com, wp.com, wordpress.com, gravatar.com, polldaddy.com for the site. IntenseDebate has worked without issue until this week. Now, I can no longer expand comments/threads and the thumbs up/down no longer responds.

I tried temporarily allowing all on the page. Still doesn't work. Tried disabling NoScript add-on in Firefox 7.0.1, IntenseDebate works properly. Installed NoScript version: 2.1.8. My other NoScript settings are out of the box vanilla. Using Windows 7 64 bit.

Any ideas or setting changes I should make in NoScript to get this working again?

Thank you.
Last edited by Tom T. on Mon Nov 07, 2011 2:57 am, edited 1 time in total.
Reason: mark as resolved
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: NoScript and IntenseDebate

Post by Tom T. »

Wow, that site has a lot of script sources. And unfortunately, the worst example yet of what I call "cascading scripts", or "tiered scripts": Every time you temp-allow all this page, those scripts call yet more. When you allow the new ones, they call still more. This is becoming common, unfortunately, but that site is the worst so far, in my experience.

Finally, I decided to allow scripting globally, rather than repeat this cycle endlessly. (NS Options > General > "Scripts Globally Allowed (dangerous)").
Then, a number of "blocked objects" showed. Again, allowing some brought still more. Just have to keep allowing until they're all gone from the "Blocked Objects" list.

Also, if you use RequestPolicy, all must be temp-allowed.

Eventually, I was able to expand threads and vote.

WARNING: This is a dangerous setting, with all scripts and objects allowed. I always use a "virtual machine" or "virtual browser", running in its own "sandboxed" environment, so that nothing, including malware, can be written to the hard drive. It's all dumped when the browser is closed, which I'd do after leaving a site like that. I would not want to allow so much without such protection. I use Sandboxie, but that is a personal opinion only, not an endorsement. There are many such solutions out there. Investigate and find the one that you like best. Many are either freeware, nagware, or offer a free trial period.

Note: No need to allow the data-miners such as google-analytics.com, quantserve.com, and a few others. By default, NS runs a Surrogate Script when those are blocked, which makes the site happy while preserving what's left of your privacy. :roll: The list of surrogate scripts -- sources you can leave blocked -- is found in about:config, type in Filter bar this:

surr

That's enough to auto-complete. The sources listed there can remain blocked.

It's almost worth making a second profile just for this site only, to save the trouble of temp-allowing all that while not letting those things run elsewhere.
Or if you're tech-minded, you can write ABE rules to give the needed permissions for this site.

Please let us know if the site now works for you. Thanks.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.23) Gecko/20110920 Firefox/3.6.23
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: NoScript and IntenseDebate

Post by Giorgio Maone »

It's another XSSI false positive:

Blocking reflected script inclusion origin XSS: 
http://intensedebate.com/idc/js/comment-func.php?blogpostid=113008753&token=Td7365eYTSr9laELMj7KXklyxzqN0nNT&return=true
from 
http://wordpress.com/remote-login.php?action=script_redirect&url_hash=340e72aab56a44613b3413f37e542809&id=intensedebate&url=http://intensedebate.com/idc/js/comment-func.php?blogpostid=113008753&token=Td7365eYTSr9laELMj7KXklyxzqN0nNT&return=true

I really cannot understand why pages nowadays think it's OK loading scripts whose origin is decided by a different domain, but whatever...
I'm gonna change the noscript.xss.checkInclusions.exceptions about:config preference to yimg.com .intensedebate.com in next development build (you can do it right now, if you need to) :(
Mozilla/5.0 (Windows NT 5.2; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
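
Added example, not part of the original thread and not NoScript's own code: a simplified model of the condition the log entry above describes, where a script's location is named in the query string of another site's redirect, and of how a host exception list changes the verdict. The function names, the matching rules for the exception list, and the `yimg.com`-only list are assumptions made for illustration; the two URLs are the ones from the log entry.

```javascript
// Simplified model of a "reflected script inclusion" check.
// NOT NoScript's real algorithm; names and matching rules are assumptions.

// URLs copied from the log entry in the post above.
const SCRIPT_URL = 'http://intensedebate.com/idc/js/comment-func.php' +
  '?blogpostid=113008753&token=Td7365eYTSr9laELMj7KXklyxzqN0nNT&return=true';
const REDIRECTOR_URL = 'http://wordpress.com/remote-login.php' +
  '?action=script_redirect&url_hash=340e72aab56a44613b3413f37e542809' +
  '&id=intensedebate&url=' + SCRIPT_URL;

// Assumed semantics for the space-separated exceptions value: an entry
// matches that host and its subdomains; a leading dot is ignored.
function isExcepted(host, exceptions) {
  return exceptions.split(/\s+/).filter(Boolean).some((entry) => {
    const domain = entry.replace(/^\./, '').toLowerCase();
    // Compare on a label boundary so "xintensedebate.com" does not match.
    return host === domain || host.endsWith('.' + domain);
  });
}

// Percent-decode without throwing on malformed escapes.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Returns 'allow', 'allow-exception' or 'block' for a script that was
// reached through a redirect from `redirectorUrl`.
function checkInclusion(scriptUrl, redirectorUrl, exceptions) {
  const script = new URL(scriptUrl);
  const redirector = new URL(redirectorUrl);
  const scriptHost = script.hostname.toLowerCase();
  if (scriptHost === redirector.hostname.toLowerCase()) return 'allow';
  // "Reflected": the other site's request already named the script location,
  // so the redirector's query string decided where the script comes from.
  const reflected = safeDecode(redirector.search)
    .includes(script.origin + script.pathname);
  if (!reflected) return 'allow';
  return isExcepted(scriptHost, exceptions) ? 'allow-exception' : 'block';
}

// Constructed list without the intensedebate entry, then the value from the post.
console.log(checkInclusion(SCRIPT_URL, REDIRECTOR_URL, 'yimg.com'));
console.log(checkInclusion(SCRIPT_URL, REDIRECTOR_URL, 'yimg.com .intensedebate.com'));
```
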
Fargus
Posts: 3
Joined: Sun Nov 06, 2011 8:40 pm

Re: NoScript and IntenseDebate

Post by Fargus »

Wow. Thank you very much for the incredibly fast response. I had more or less figured that it was probably a coding change on their end, rather than a radical change in behavior in NoScript. Appreciate you looking into it!
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: NoScript and IntenseDebate

Post by Giorgio Maone »

Please check latest development build 2.1.9rc3, which should work fine without exceptions too.
Mozilla/5.0 (Windows NT 5.2; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Fargus
Posts: 3
Joined: Sun Nov 06, 2011 8:40 pm

Re: NoScript and IntenseDebate

Post by Fargus »

Giorgio, I implemented the exception you suggested in your first response to about:config and it worked. I had tried Tom's suggestions up to 'scripts globally allowed'. I just wasn't brave enough to pull the trigger on that one without sandboxing. Thanks again to you and Tom for taking the time and effort to look at this.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: NoScript and IntenseDebate

Post by Tom T. »

Giorgio Maone wrote: I really cannot understand why pages nowadays think it's OK loading scripts whose origin is decided by a different domain, but whatever...
Neither can I, Giorgio ... and look at the problems it causes, both for you and for the burdened users who want to stay protected. :evil:
I'm gonna change the noscript.xss.checkInclusions.exceptions about:config preference to yimg.com .intensedebate.com in next development build (you can do it right now, if you need to) :(
Is there then no way to keep the XSSI protection without continuously adding more exceptions (since this seems to be the ugly trend of the Web), or is it possible in a future build, maybe 3.x, to handle these ill-behaved pages without exceptions?
Giorgio Maone wrote: It's another XSSI false positive
But I received no XSS warning at any time.
I have Notifications > XSS checked. Also, from FAQ 4.3,
and you will get an extra "XSS" menu inside the NoScript contextual menu whenever an XSS attempt is detected, featuring all the actions usually accessed from the notification bar.
So IIUC, XSSI protection does *not* produce the visual warning that XSS provides? If so, could you please add those warnings? (RFE)

I did not think to check for XSS possibilities because of the lack of notification. Now I know to do so in the future, but in this case, it would have saved much time and given me the result you got. Appreciate it, thanks.
Fargus wrote: I had tried Tom's suggestions up to 'scripts globally allowed'. I just wasn't brave enough to pull the trigger on that one without sandboxing.
Wise choice. I just got tired of the apparently-endless chain of new "temp-allows", and was trying to shortcut through to just make the site work.

It still takes a lot of temp-allowing, but not nearly so much as before -- not to the point of "giving up" and allowing globally.
Thanks again to you and Tom for taking the time and effort to look at this.
You're very welcome, and I'll mark this as resolved. As Giorgio said, it's unfortunate that sites do this kind of thing. (sigh) :)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.23) Gecko/20110920 Firefox/3.6.23