Could not logon to Time-Waner/Roadrunner Webmail

[gari]

Even since versions 2.6.9.22 up to stable version 2.6.9.27 (along with development versions in-between), I could no longer login to my Time-Warner/Roadrunner Webmail account, but when I disable NoScript, it will go through. When typing my User Name and Password and press Enter, It did not do anything at all, and just provided blank User Name and Password again. I even tried allowing "twc.com" on the "Whitelist" tab, but still having the same problem. I have used Windows 64-bit Firefox versions 38 beta and now 39.0b7 beta; however, I don't have any such problem logging-in with Internet Explorer 11.0. I have Windows 7 Professional 64-bit. Any work-around? Thanks in advance.

[barbaz]

if nothing is disallowed.. when it fails, do you see anything related in the Browser Console? (Ctrl-Shift-J)
(if you don't know what's related, turn off CSS warnings and post everything else you see)

[therube]

> Time-Warner/Roadrunner Webmail

URL?
(Most likely do not need a valid un/pw to see the issue, if it can be reproduced. IOW instead of getting some "invalid user name" message, the screen would just refresh with the fields blanked out.)


> Ever since versions 2.6.9.22

So if you were to revert to something earlier, NoScript 2.6.9.21, that does work?


As a test, create a new, clean Profile.
Install only (current) NoScript.
Test.

[Gari]

Still not working using NoScript version 2.6.9.28rc1 (development build) with Firefox 64-bit beta version 39.0b7. The URL is: https://webmail.twc.com/do/mail/folder/view. Still no message(s) whatsoever upon completing email address and password and pressing on Enter, as if nothing happened. I've tried allowing "webmail.twc.com" on Whitelist tab, but it only allows me to enter "webmail.twc.co" without m on .com. Using Windows 7 Professional 7 64-bit. Below were the ones showing on Browser Consule:

JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead ScriptSurrogate.js:343:198
[NoScript HTTPS] FORCED SECURE on https://webmail.twc.com: JSESSIONID=aaaNiTDduSSJFhEY0y94u; domain=webmail.twc.com; path=/; Secure
[NoScript HTTPS] FORCED SECURE on https://webmail.twc.com: sto-id=AJEAAOGL; domain=webmail.twc.com; path=/; Secure
nsIJSON.encode is deprecated. Please use JSON.stringify instead. ssl-observatory.js:608:0
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead ScriptSurrogate.js:345:209
[NoScript HTTPS] FORCED SECURE on https://webmail.twc.com: sto-id=AJEAAOGL; domain=webmail.twc.com; path=/; Secure
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] submit_cert
[NoScript HTTPS] FORCED SECURE on https://webmail.twc.com: sto-id=AJEAAOGL; domain=webmail.twc.com; path=/; Secure
[NoScript HTTPS] FORCED SECURE on https://webmail.twc.com: JSESSIONID=aaa1jC4gXDTIde3_0y94u; domain=webmail.twc.com; path=/; Secure
[NoScript HTTPS] FORCED SECURE on https://webmail.twc.com: sto-id=AJEAAOGL; domain=webmail.twc.com; path=/; Secure
[NoScript HTTPS] FORCED SECURE on https://webmail.twc.com: JSESSIONID=aaaf6LWMFq9UZ-W-0y94u; domain=webmail.twc.com; path=/; Secure
[NoScript HTTPS] FORCED SECURE on https://webmail.twc.com: sto-id=AJEAAOGL; domain=webmail.twc.com; path=/; Secure
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead ScriptSurrogate.js:345:209
[NoScript HTTPS] FORCED SECURE on https://webmail.twc.com: activeLogin=true; domain=webmail.twc.com; path=/; Secure
[NoScript HTTPS] FORCED SECURE on https://webmail.twc.com: JSESSIONID=aaaOHFLC5coYL5-dfz94u; domain=webmail.twc.com; path=/; Secure
[NoScript HTTPS] FORCED SECURE on https://webmail.twc.com: sto-id=AJEAAOGL; domain=webmail.twc.com; path=/; Secure
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead ScriptSurrogate.js:345:209
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead ScriptSurrogate.js:346:1634
[NoScript HTTPS] FORCED SECURE on https://webmail.twc.com: JSESSIONID=aaaBkwl21bFM4_oRfz94u; domain=webmail.twc.com; path=/; Secure
[NoScript HTTPS] FORCED SECURE on https://webmail.twc.com: sto-id=GGEAAOGL; domain=webmail.twc.com; path=/; Secure
JavaScript 1.6's for-each-in loops are deprecated; consider using ES6 for-of instead ScriptSurrogate.js:345:209
[NoScript HTTPS] FORCED SECURE on https://webmail.twc.com: sto-id=GGEAAOGL; domain=webmail.twc.com; path=/; Secure
NS_ERROR_FAILURE: Failure arg 1 [nsIIOService2.newChannelFromURI2] WindowsPreviewPerTab.jsm:77:0
[NoScript HTTPS] FORCED SECURE on https://webmail.twc.com: sto-id=GGEAAOGL; domain=webmail.twc.com; path=/; Secure


- Thank you for your help.

[Thrawn]

You might be hitting a problem with cookie security.

Try adding the following exclusion to Options-Advanced-HTTPS-Cookies-"Ignore unsafe cookies set by the following sites:"

Code: Select all

.webmail.twc.com

...and if that fixes it, then someone should tell the webmaster that their site is unsafe.

[Gari]

@Thrawn: I added the code you indicated and it works! However, how can I report this unsafe webmail cookies to Time-Warner Cable/Roadrunner webmail? That this means that accessing my webmail account is not safe?
- Thanks Thrawn, and everybody for your help.

[barbaz]

As a workaround, can you force HTTPS on the site and have it still work?
NoScript Options > Advanced > HTTPS > Behavior, add the same string suggested by Thrawn to "Force the following sites to use secure (HTTPS) connections"

[Gari]

@barbaz: As shown by the Browser Console, "https://" was already being used, but anyway, adding that same code provided by Thrawn to force secure https as you suggested works! How can I inform Time-Warner Cable/Roadrunner webmail that their site having unsafe website cookies?
- Again, many thanks to everybody.

[barbaz]

How can I inform Time-Warner Cable/Roadrunner webmail that their site having unsafe website cookies?

I don't know?
You can email them and point them to this thread, no? Or call them?

[Thrawn]

Forcing HTTPS is a good idea, if it works. If automatic cookie management is breaking the site, then something is being accessed over plaintext.

[barbaz]

If automatic cookie management is breaking the site, then something is being accessed over plaintext.

I'm not sure this necessarily follows. I tried out NoScript's automatic secure cookies management for a while, visited a webmail site (not the one in this thread) that had no redirections through plain HTTP nor did it load anything over plain HTTP according to blockable items in my ABP-fork, and the site was completely broken until I disabled automatic secure cookies management and cleared cookies...

[Thrawn]

Well, if the site was really doing nothing at all over HTTP, then it wouldn't make sense for problems to arise from cookies being secured...

If you still have access to that site, can you reproduce the problem? And what happens if HTTPS is forced?

[barbaz]

I still have access to the site but it's not exactly a playground or I would have troubleshot a bit more... maybe I can try again sometime but can't atm.