ssl.G-A.com required by large quasi-bank login page

[HologramImage]

So http://www.globalcashcard.com has its login page http://cardholder.globalcashcard.com use ssl.google-analytics.com for user login. This Corp isn't a bank so it doesn't have to follow banking laws and can be fast and loose with privacy. Oddly, the NoScript menu shows the blocked ssl.google-analytics.com for just a second, and then it is erased from the user's attention completely. (This 1 second appearance and erasure in the NoScript menu happens on many blocked sub-sites across the interwebs.) Since that erasure occurs from the NoScript menu, it was very difficult for me to find out WTF I couldn't login, and they froze my login account. I called them and got it reset, and then noticed the use of the ssl site by them. I read through your faq, and it appears that if I want google to be my banking privacy protector on the globalcashcard login, I can allow them on that site by this ABE script:

# ssl.google-analytics.com rule
Site https://ssl.google-analytics.com
# the above is shortcut for ssl.google-analytics.com, not *.google-analytics.com
Accept from https://cardholder.globalcashcard.com/
Deny

If I have understood your example in your handy faq. Thank you for that example. It would be nice/great if there was a work-around so as to not use the ssl variant of google analytics. But perhaps goog is creating their ssl sub-site to more forcefully require users to be tracked by goog. Is that possible?

[barbaz]

IIUC you can't log in if you do not allow ssl.google-analytics, and it works if you do?
If so, this is a bug in the surrogate script. You should not "need" to (Temp-)Allow google-analytics ever.
Are you using either NoScript latest development build or NoScript 2.6.9.3?

If your NS is up-to-date, and if checking this isn't going to get your account locked again, could you please post any JS errors (orange) & log messages (light gray) you see in the Browser Console when it fails and when it loads incorrectly? (Ctrl-Shift-J)

Oddly, the NoScript menu shows the blocked ssl.google-analytics.com for just a second, and then it is erased from the user's attention completely. (This 1 second appearance and erasure in the NoScript menu happens on many blocked sub-sites across the interwebs.)

Do you have a URL that doesn't require login to see this?
Does it happen in a clean profile with only NoScript installed and all default settings?

[HologramImage]

I have NoScript version 2.6.9.

I normally don't use development versions of anything as I'm not a proficient programmer.

The anti-spam filter on the forum is erasing even my previews, so I am using a images of the text of the javascript error/log CTRL SHIFT J to see if that helps.

-----------------

This is a screen capture showing the menu from NoScript that has the ssl.g-a.com URL listed:

http://i.imgur.com/WDIGKom.jpg

The ssl.g-a.com link showing there disappears nearly instantly if the menu isn't opened before the page load finishes. Why does the

NoScript add-on remove it (and others on other webpages) from the menu if the webpage has requested the link? It is better to know

what the webpage is trying to do, and see all the links.

-----------------

This image link below is the javascript error/log output from CTRL SHIFT J, of the initially loaded page, before login attempt (page newly loaded before this reply post):

http://i.imgur.com/qj3W6AG.jpg

This is the javascript CTRL SHIFT J, from the tab that I didn't close, when the login failed just before my original top post of this thread:

http://i.imgur.com/yoromW1.jpg
------------------

This is the image link to the text of the URLs for the failed login page and the initial login page. The two URLs are similar.

http://i.imgur.com/yDKe8Fa.jpg

I haven't done the clean profile in FF yet. I do use Bleachbit and CCleaner which wipe a lot of profile info when FF is closed.

[barbaz]

Ghostery has a long history of causing weird issues - if clean profile with only NS works, maybe try disabling Ghostery then updating NoScript to 2.6.9.3?

The following messages may be related

Code: Select all

TypeError: node.hasAttribute is not a function clearHTTPStatus.js:94
TypeError: can't access dead object priv.js:129
generatorInstance is undefined common.jsm:84

Are any of those from the site's scripts?

Unlikely to make a difference, but what if you turn off Automatic Secure Cookies management in NoScript?

Best check will be if it still fails in a clean profile with only NS, that will show for sure if the surrogate has a bug of if your issue is something else.

The anti-spam filter on the forum is erasing even my previews,

Yeah, that is an unfortunate side-effect of serving this forum over HTTPS.

[Thrawn]

The anti-spam filter on the forum is erasing even my previews,

Yeah, that is an unfortunate side-effect of serving this forum over HTTPS.

Does the Lazarus addon help?

[barbaz]

Does the Lazarus addon help?

Honestly I haven't had the time to try it yet...