New gmx web interface

[dood_97]

Thanks for this quick update,
Is it possible to add some gmx derivatives address?
Like gmx.fr, gmx.net, caramail.com, caramail.fr...
Would be nice for non-english speaking users of gmx who do not connect through the gmx.com portal.

[Giorgio Maone]

Like gmx.fr, gmx.net, caramail.com, caramail.fr...
Would be nice for non-english speaking users of gmx who do not connect through the gmx.com portal.

Ouch, I wasn't aware of such ramifications
Is an exhaustive list available anywhere?
Could you please provide me with some [NoScript XSS] or [Injection Checker] Error Console (Ctrl+Shift+J) messages like the one reported by the OP?

[dood_97]

I didn't find an exhaustive list, I found same troubles with:

• gmx.co.uk
• gmx.es
• gmx.fr
• gmx.us
• mail.com
• caramail.com
• caramail.fr

Other addresses -> redirect to gmx.com (so ok now) or gmx.net (another portal)

Code: Select all

[NoScript InjectionChecker] JavaScript Injection in ##https://$(clientName)-$(dataCenter).gmx.co.uk/login
(function anonymous() {
$(clientName)-$(dataCenter).gmx.co.uk /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS] Nettoyé téléversement suspicieux vers [https://login.gmx.co.uk/login#.1556788-header-login1-1###DATA###https%3A%2F%2F%24%28clientName%29%2%28dataCenter%29.gmx.co.uk%2Flogin] depuis [https://gmx.co.uk/] : transformé en une simple requête de téléchargement GET.


[NoScript InjectionChecker] JavaScript Injection in ##https://$(clientName)-$(dataCenter).gmx.es/login
(function anonymous() {
$(clientName)-$(dataCenter).gmx.es /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS] Nettoyé téléversement suspicieux vers [https://login.gmx.es/login#.1556788-header-login1-1###DATA###https%3A%2F%2F%24%28clientName%29-%24%28dataCenter%29.gmx.es%2Flogin] depuis [https://gmx.es/] : transformé en une simple requête de téléchargement GET.


[NoScript InjectionChecker] JavaScript Injection in ##https://$(clientName)-$(dataCenter).gmx.fr/login
(function anonymous() {
$(clientName)-$(dataCenter).gmx.fr /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS] Nettoyé téléversement suspicieux vers [https://login.gmx.fr/login#.1556788-header-login1-1###DATA###https%3A%2F%2F%24%28clientName%29-%24%28dataCenter%29.gmx.fr%2Flogin] depuis [https://gmx.fr/] : transformé en une simple requête de téléchargement GET.


[NoScript InjectionChecker] JavaScript Injection in ##https://$(clientName)-$(dataCenter).mail.com/login
(function anonymous() {
$(clientName)-$(dataCenter).mail.com /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS] Nettoyé téléversement suspicieux vers [https://login.mail.com/login#.1556788-header-login1-1###DATA###https%3A%2F%2F%24%28clientName%29-%24%28dataCenter%29.mail.com%2Flogin] depuis [https://mail.com/int/] : transformé en une simple requête de téléchargement GET.


[NoScript InjectionChecker] JavaScript Injection in ##https://$(clientName)-$(dataCenter).caramail.com/login
(function anonymous() {
$(clientName)-$(dataCenter).caramail.com /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS] Nettoyé téléversement suspicieux vers [https://login.caramail.com/login#.1556788-header-login1-1###DATA###https%3A%2F%2F%24%28clientName%29-%24%28dataCenter%29.caramail.com%2Flogin] depuis [https://caramail.com/] : transformé en une simple requête de téléchargement GET.

[Luigi]

I still have to login twice at times. What should I check?

[Giorgio Maone]

Please try with latest development build 2.6.8.26rc1.
If the problem persists, please recheck your Error Console (Ctrl+Shift+J).

[dood_97]

With 2.6.8.26rc1:

gmx.co.uk

Code: Select all

[NoScript InjectionChecker] JavaScript Injection in ##https://$(clientName)-$(dataCenter).gmx.co.uk/login
(function anonymous() {
$(clientName)-$(dataCenter).gmx.co.uk /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS] Nettoyé téléversement suspicieux vers [https://login.gmx.co.uk/login#.1556788-header-login1-1###DATA###https%3A%2F%2F%24%28clientName%29-%24%28dataCenter%29.gmx.co.uk%2Flogin] depuis [https://www.gmx.co.uk/] : transformé en une simple requête de téléchargement GET.
L'utilisation de « getPreventDefault() » est obsolète. Utiliser « defaultPrevented » à la place.

gmx.es

Code: Select all

L'utilisation de « getPreventDefault() » est obsolète. Utiliser « defaultPrevented » à la place. lib-head-final.js:2
[NoScript InjectionChecker] JavaScript Injection in ##https://$(clientName)-$(dataCenter).gmx.es/login
(function anonymous() {
$(clientName)-$(dataCenter).gmx.es /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS] Nettoyé téléversement suspicieux vers [https://login.gmx.es/login#.1556788-header-login1-1###DATA###https%3A%2F%2F%24%28clientName%29-%24%28dataCenter%29.gmx.es%2Flogin] depuis [https://www.gmx.es/] : transformé en une simple requête de téléchargement GET.
L'utilisation de « getPreventDefault() » est obsolète. Utiliser « defaultPrevented » à la place.

gmx.fr

Code: Select all

L'utilisation de « getPreventDefault() » est obsolète. Utiliser « defaultPrevented » à la place. lib-head-final.js:2
[NoScript InjectionChecker] JavaScript Injection in ##https://$(clientName)-$(dataCenter).gmx.fr/login
(function anonymous() {
$(clientName)-$(dataCenter).gmx.fr /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS] Nettoyé téléversement suspicieux vers [https://login.gmx.fr/login#.1556788-header-login1-1###DATA###https%3A%2F%2F%24%28clientName%29-%24%28dataCenter%29.gmx.fr%2Flogin] depuis [https://www.gmx.fr/] : transformé en une simple requête de téléchargement GET.
L'utilisation de « getPreventDefault() » est obsolète. Utiliser « defaultPrevented » à la place. 

gmx.us -> OK
mail.com -> OK

caramail.com

Code: Select all

[NoScript InjectionChecker] JavaScript Injection in ##https://$(clientName)-$(dataCenter).gmx.fr/login
(function anonymous() {
$(clientName)-$(dataCenter).gmx.fr /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS] Nettoyé téléversement suspicieux vers [https://login.gmx.fr/login#.1559608-header-login1-1###DATA###https%3A%2F%2F%24%28clientName%29-%24%28dataCenter%29.gmx.fr%2Flogin] depuis [http://caramail.com/] : transformé en une simple requête de téléchargement GET.
L'utilisation de « getPreventDefault() » est obsolète. Utiliser « defaultPrevented » à la place.

caramail.fr

Code: Select all

[NoScript InjectionChecker] JavaScript Injection in ##https://$(clientName)-$(dataCenter).gmx.fr/login
(function anonymous() {
$(clientName)-$(dataCenter).gmx.fr /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS] Nettoyé téléversement suspicieux vers [https://login.gmx.fr/login#.1556788-header-login1-1###DATA###https%3A%2F%2F%24%28clientName%29-%24%28dataCenter%29.gmx.fr%2Flogin] depuis [http://caramail.fr/] : transformé en une simple requête de téléchargement GET.
L'utilisation de « getPreventDefault() » est obsolète. Utiliser « defaultPrevented » à la place.

You can see those messages even if you don't have an account @gmx when attempting to login, You should normally be redirect to an invalid Email address / password combination but it doesn't because of the cross-site scripting warning, if you want to test.

[Luigi]

Please try with latest development build 2.6.8.26rc1.
If the problem persists, please recheck your Error Console (Ctrl+Shift+J).

I keep having to login twice. I couldn't find anything of interest in the console (after the first login I get redirected to the login page without any error).

Is there anything else I can do?

[Giorgio Maone]

Please check latest development build 2.6.8.27rc1, thanks.

[Luigi]

Please check latest development build 2.6.8.27rc1, thanks.

No change.

I can't always reproduce it, though.

[Luigi]

Thread bump and update: I keep having to login twice, but only on linux (even with the last RC).

[barbaz]

Thread bump and update: I keep having to login twice, but only on linux (even with the last RC).

Next time it fails, please post here any related messages you see in the Browser Console (Ctrl-Shift-J).
(if you don't know what's related, turn off CSS warnings and post whatever is left)

[dood_97]

Same thing here, have to log-in twice (NoScript 2.6.8.29)
first attempt -> go back to gmx page
second: message that I forgot to sign out of my last session.
After no problems to connect until browser restart.

Nothing more significant in the console.
Maybe related to js-ui.portal.de (?)

[Giorgio Maone]

Same thing here, have to log-in twice (NoScript 2.6.8.29)
first attempt -> go back to gmx page
second: message that I forgot to sign out of my last session.
After no problems to connect until browser restart.

Nothing more significant in the console.
Maybe related to js-ui.portal.de (?)

Surely, looking at the console it doesn't seem a XSS-related thing anymore.
Does the problem go away if you disable NoScript?
What if you use "Allow scripts globally"?
What about "Allow all on this page"?

[Luigi]

Thread bump and update: I keep having to login twice, but only on linux (even with the last RC).

Next time it fails, please post here any related messages you see in the Browser Console (Ctrl-Shift-J).
(if you don't know what's related, turn off CSS warnings and post whatever is left)

Here it is:

Code: Select all

POST https://login.gmx.com/login#.###DATA###-header-login1-1 [HTTP/1.1 302 Found 552ms]
POST http://ocsp.thawte.com/ [HTTP/1.1 200 OK 127ms]
GET https://navigator-bs.gmx.com/login [HTTP/1.0 302 Found 470ms]
POST http://ocsp.thawte.com/ [HTTP/1.1 200 OK 78ms]
GET https://navigator-bs.gmx.com/navigator/feature_detection [HTTP/1.0 200 OK 314ms]
GET https://navigator-bs.gmx.com/remindlogout [HTTP/1.0 200 OK 302ms]
GET https://navigator-bs.gmx.com/favicon.ico [HTTP/1.0 302 Found 263ms]
Use of getUserData() or setUserData() is deprecated.  Use WeakMap or element.dataset instead. requestNotifier.js:63
GET https://sec-s.uicdn.com/nav-cdn/navigator-mailint/1.8.3/img/misc/logout_visual_english.png [HTTP/1.1 200 OK 94ms]
GET https://www.gmx.com/favicon.ico [HTTP/1.1 301 Moved Permanently 355ms]
GET https://navigator-bs.gmx.com/navigator/show [HTTP/1.0 200 OK 334ms]
Use of getUserData() or setUserData() is deprecated.  Use WeakMap or element.dataset instead. requestNotifier.js:63
GET https://sec-s.uicdn.com/nav-cdn/navigator-mailint/1.8.3/css//navigator/default_gmx.css [HTTP/1.1 200 OK 58ms]
GET https://sec-s.uicdn.com/nav-cdn/navigator-mailint/1.8.3/img//navigator//loading.gif [HTTP/1.1 200 OK 174ms]
GET https://sec-s.uicdn.com/nav-cdn/shared/jquery/1.7.1/jquery-1.7.1.min.js [HTTP/1.1 200 OK 216ms]
GET https://sec-s.uicdn.com/nav-cdn/navigator-mailint/1.8.3/js//navigator/navigator.min.js [HTTP/1.1 200 OK 225ms]
GET https://sec-s.uicdn.com/nav-cdn/favicon_gmx.ico [HTTP/1.1 200 OK 61ms]
GET https://sec-s.uicdn.com/nav-cdn/navigator-mailint/1.8.3/img//navigator//background_verlauf.png [HTTP/1.1 200 OK 63ms]
GET https://sec-s.uicdn.com/nav-cdn/navigator-mailint/1.8.3/img//navigator//gmx_icon_sprite.png [HTTP/1.1 200 OK 91ms]
GET https://sec-s.uicdn.com/nav-cdn/navigator-mailint/1.8.3/img//navigator//feedback_lasche.png [HTTP/1.1 200 OK 94ms]
GET https://sec-s.uicdn.com/nav-cdn/navigator-mailint/1.8.3/img/p.gif [HTTP/1.1 200 OK 52ms]
GET https://trackbar.navigator-bs.gmx.com/ [HTTP/1.0 200 OK 712ms]
GET https://home.navigator-bs.gmx.com/home/show [HTTP/1.0 200 OK 453ms]
GET https://3c-bs.gmx.com/mail/client/start;jsessionid=###DATA### [HTTP/1.1 200 OK 762ms]
POST http://ocsp.thawte.com/ [HTTP/1.1 200 OK 396ms]
POST http://ocsp.thawte.com/ [HTTP/1.1 200 OK 506ms]
POST http://ocsp.thawte.com/ [HTTP/1.1 200 OK 152ms]
Use of getUserData() or setUserData() is deprecated.  Use WeakMap or element.dataset instead. requestNotifier.js:63
GET https://home.navigator-bs.gmx.com/home/show [HTTP/1.0 200 OK 376ms]
GET https://sec-s.uicdn.com/nav-cdn/home/preloader.gif [HTTP/1.1 200 OK 60ms]
GET https://sec-s.uicdn.com/nav-cdn/shared/jquery/1.8.2/jquery-1.8.2.js [HTTP/1.1 200 OK 190ms]
GET https://sec-s.uicdn.com/nav-cdn/home/preloader-background.png [HTTP/1.1 200 OK 69ms]
GET https://js.ui-portal.de/c/eic/eic.js [HTTP/1.1 200 OK 342ms]
GET https://trackbar.navigator-bs.gmx.com/ [HTTP/1.0 200 OK 510ms]
Use of getUserData() or setUserData() is deprecated.  Use WeakMap or element.dataset instead. requestNotifier.js:63
GET https://js.ui-portal.de/apps/shared/jquery/1.7.1/jquery-1.7.1.min.js [HTTP/1.1 200 OK 583ms]
GET https://js.ui-portal.de/apps/navigator-common/iac/client/3.1.0/iac.client-3.1.0.min.js [HTTP/1.1 200 OK 1024ms]
GET https://js.ui-portal.de/apps/trackbar/2.6.0/trackbar-package.js [HTTP/1.1 200 OK 769ms]
GET https://sec-s.uicdn.com/nav-cdn/navigator-common/iac/client/4.0.0/iac.client-4.0.0.min.js [HTTP/1.1 200 OK 68ms]
Use of getUserData() or setUserData() is deprecated.  Use WeakMap or element.dataset instead. requestNotifier.js:63
GET https://3c-bs.gmx.com/mail/client/start;jsessionid=###DATA### [HTTP/1.1 302 Found 162ms]
GET https://sec-s.uicdn.com/3c-cdn/mail/client/wicket/resource/static-res/en/js/language-vEr-61363937346465.js [HTTP/1.1 200 OK 146ms]
GET https://sec-s.uicdn.com/3c-cdn/mail/client/wicket/resource/static-res/---/css/denselyintenseblue-top-bundle-vEr-3738376564393664.css [HTTP/1.1 200 OK 145ms]
GET https://sec-s.uicdn.com/3c-cdn/mail/client/wicket/resource/static-res/---/css/denselyintenseblue-base-bundle-vEr-3561363434323635.css [HTTP/1.1 200 OK 152ms]
GET https://sec-s.uicdn.com/3c-cdn/mail/client/wicket/resource/static-res/---/css/denselyintenseblue-ua-ff-bundle-vEr-3630616439323563.css [HTTP/1.1 200 OK 156ms]
GET https://sec-s.uicdn.com/3c-cdn/mail/client/wicket/resource/static-res/---/js/head-vEr-6132363136346137.js [HTTP/1.1 200 OK 161ms]
GET https://js.ui-portal.de/apps/shared/jquery/1.8.3/jquery-1.8.3.min.js [HTTP/1.1 200 OK 1124ms]
GET https://sec-s.uicdn.com/3c-cdn/mail/client/wicket/resource/static-res/---/js/core-vEr-3465316631633336.js [HTTP/1.1 200 OK 283ms]
GET https://sec-s.uicdn.com/3c-cdn/mail/client/wicket/resource/static-res/---/js/jqueryui-vEr-6630336635343631.js [HTTP/1.1 200 OK 303ms]
GET https://sec-s.uicdn.com/3c-cdn/mail/client/wicket/resource/static-res/---/js/behavior-vEr-3361383133373438.js [HTTP/1.1 200 OK 375ms]
GET https://sec-s.uicdn.com/3c-cdn/mail/client/wicket/resource/static-res/---/js/external-vEr-33636566343532.js [HTTP/1.1 200 OK 344ms]
Use of getUserData() or setUserData() is deprecated.  Use WeakMap or element.dataset instead. requestNotifier.js:63
GET https://3c-bs.gmx.com/mail/client/iac/restart;jsessionid=###DATA### [HTTP/1.1 200 OK 130ms]
Use of getUserData() or setUserData() is deprecated.  Use WeakMap or element.dataset instead. requestNotifier.js:63
GET https://js.ui-portal.de/apps/navigator-common/iac/eic.iac.mapping.js [HTTP/1.1 200 OK 479ms]
GET https://sec-s.uicdn.com/3c-cdn/mail/client/wicket/resource/static-res/---/mc/img/spinner_blue-cdcfb4b0.gif [HTTP/1.1 200 OK 108ms]
Use of getUserData() or setUserData() is deprecated.  Use WeakMap or element.dataset instead. requestNotifier.js:63
GET https://sec-s.uicdn.com/nav-cdn/home-mailint/1.6.3/js/cockpit/cockpit.min.js [HTTP/1.1 200 OK 91ms]
GET https://img.ui-portal.de/wa/t.gif [0ms]
GET https://img.ui-portal.de/wa/t.gif [0ms]
GET https://img.ui-portal.de/wa/t.gif [0ms]
[NoScript HTTPS] Forced URI https://www.gmx.com/
GET https://www.gmx.com/ [HTTP/1.1 200 OK 252ms]
GET https://home.navigator-bs.gmx.com/home/getmodule/###DATA### [HTTP/1.0 200 OK 388ms]
Use of getPreventDefault() is deprecated.  Use defaultPrevented instead. jquery-1.8.3.min.js:2
Use of getUserData() or setUserData() is deprecated.  Use WeakMap or element.dataset instead. requestNotifier.js:63
GET https://px.wa.ui-portal.de/gmx/gmx-com/s [HTTP/1.1 200 OK 332ms]

[Giorgio Maone]

Are you forcing HTTPS on gmx via NoScript?
What if you don't?