[RESOLVED] ABE and XSS breaking site's preview function
- Giorgio Maone
- Site Admin
- Posts: 9526
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: ABE and XSS breaking site's preview function
@Tom T.:
regarding the amiright.com thing, that's very strange because the origin is reported same-site with the destination, so technically this is not a cross-site request.
Under these circumstances, you can only get an XSS warning if you changed the noscript.injectionCheck about:config preference values to 3 or above. Is this the case?
I'm still investigating on the web mail stuff...
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
Re: ABE and XSS breaking site's preview function
re: noscript.injectionCheck
(I've never fiddled with such parameters)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090531 SeaMonkey/2.0b1pre
Re: ABE and XSS breaking site's preview function
Giorgio Maone wrote:
> @Tom T.:
> regarding the amiright.com thing, that's very strange because the origin is reported same-site with the destination, so technically this is not a cross-site request.
> Under these circumstances, you can only get an XSS warning if you changed the noscript.injectionCheck about:config preference values to 3 or above. Is this the case?
> I'm still investigating on the web mail stuff...

I've never touched that config either (or heard of it), but just checked, and it is at the default value of 2.
Yahoo Classic Mail just did it again a few minutes ago, this time with different errors. The message had no attachments and was not long, but because it was business-related, it took some time to compose. When trying to "send", it hung forever. XSS gave the same message as before, unsafe reload from auto-save.
Console had about 80 warnings, mostly missing declarations or * declarations, but the red Errors were:
Error: Components.classes['@mozilla.org/updates/timer-manager;1'] has no properties
Source File: file:///C:/Program%20Files/Mozilla%20Firefox/components/nsExtensionManager.js
Line: 3098
and
Error: [Exception... "'SyntaxError: parseJSON' when calling method: [nsIOnReadyStateChangeHandler::handleEvent]" nsresult: "0x8057001c (NS_ERROR_XPC_JS_THREW_JS_OBJECT)" location: "<unknown>" data: no]
Thanks for investigating. As a work-around, I might compose in a text editor and then paste into email, since it happens only when the message is pending long enough to activate auto-save, I think. I don't want to go back to 1.9.3.3, as I hope this info is useful. Let me know if there is anywhere else I should look, or configurations to check. Thanks again.

I have updates disabled, since I'm staying with F2 and usually get dev builds of NS. But why would mozilla updates affect Yahoo mail?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
- Giorgio Maone
Re: ABE and XSS breaking site's preview function
Please test out latest development build 1.9.3.8.
It doesn't perform async DNS queries yet (it's very hard to do because Mozilla internals need to be patched on the fly), but contains several optimizations which should greatly reduce, if not eliminate, this problem and possibly the "random hangs" as well.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
Re: ABE and XSS breaking site's preview function
1.9.3.8
Bank of America seems to be running markedly better - though I am also on a faster connection at the moment. Not seeing any Unresponsive Script warnings, though while more prevalent in the past, not consistently reproducible.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090531 SeaMonkey/2.0b1pre
Re: ABE and XSS breaking site's preview function
Giorgio Maone wrote:
> Please test out latest development build 1.9.3.8.
> It doesn't perform async DNS queries yet (it's very hard to do because Mozilla internals need to be patched on the fly), but contains several optimizations which should greatly reduce, if not eliminate, this problem and possibly the "random hangs" as well.

Just saw this. Installed .8 and will report the results over the next day or two. Thanks.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3370
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: ABE and XSS breaking site's preview function
Giorgio, not sure what's going on but I am running .8 and I was on several sites that when I clicked Allow such and such and Untrusted such and such and it refreshes the page, it gives the net:error page and it will not display with refresh no matter what and even the back will result in net:error and the ONLY way to fix it is to close out Fx altogether and start it back up again. Not sure what happened but this only happened a while back I forget which of your releases. It was fixed but whatever you did to fix the ABE thing, just started causing the same thing again. Just wanted to tell you in case it helps. It has happened on many pages in the last few hours but the two most recent ones were flexilis.com and ziprealty.com.
Now if you put them on permanent trusted/untrusted then when you restart it's all good, but if you temp allowed it, then coming back even won't do you any good since as soon as you allow/disallow, boom back to the same square.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
- Giorgio Maone
- Site Admin
- Posts: 9526
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: ABE and XSS breaking site's preview function
@GµårÐïåñ:
and does this still happen with latest development build 1.9.3.91?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
- GµårÐïåñ
Re: ABE and XSS breaking site's preview function
Not as of this moment, but I will keep an eye open and let you know.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
Re: ABE and XSS breaking site's preview function
I tested the "Preview" function extensively, with multiple reloads, then ran an errand, abandoning the machine in that state for about 25 minutes, then previewed ten more times. No XSS logo, no XSS error. I didn't test the "send" function, because I didn't have any material to send, but both errors had seemed time-dependent. I consider my issue resolved for now. The next time I submit to that site, I'll be sure to take a long time also, but I expect it's fixed.
NS 1.9.3.91 on Fx 2.20
If Guardian et al. report no further issues, I think this topic could be marked as resolved.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
Re: ABE and XSS breaking site's preview function
As per my post about Yahoo Mail, which apparently was due to the same root cause and was fixed in dev build 1.9.3.91, and the lack of further reports from GµårÐïåñ, therube, or anyone else, I'm marking this resolved. Thanks, Giorgio.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard