Website hanging with 2.6.9.34

bobblebob

Website hanging with 2.6.9.34

Post by bobblebob »

Since the update, if I try to use Halifax online banking - http://www.halifax.co.uk/ (click the "Sign in" button at the top right) the page will hang for a few seconds. Once signed in, it will hang again and I get a Firefox not responding message for about 30 seconds before it kicks back into life.

I've disabled NoScript and don't get the website hang, so I know it's a NoScript problem. All scripts are allowed on the website.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
barbaz
Senior Member
Posts: 11142
Joined: Sat Aug 03, 2013 5:45 pm

Re: Website hanging with 2.6.9.34

Post by barbaz »

If it works in 2.6.9.33, try disabling the XSS filter?
Noscript Options > Advanced > XSS, un-check all the checkboxes

(Note: this is NOT a solution, just a test)
*Always* check the changelogs BEFORE updating that important software!
-
bobblebob

Re: Website hanging with 2.6.9.34

Post by bobblebob »

Yes, unchecking those fixes it. Any reason that would be the case? Has something changed since .33?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
barbaz
Senior Member
Posts: 11142
Joined: Sat Aug 03, 2013 5:45 pm

Re: Website hanging with 2.6.9.34

Post by barbaz »

This:
https://noscript.net/changelog#2.6.9.34rc1 wrote:
v 2.6.9.34rc1
=============================================================
x [XSS] Fixed over-optimized JSON and dots erasure allowing
for a filter bypass in specific (and likely rare)
circumstances (thanks Gareth Heyes for reporting)
Less optimized == more likely to cause exactly the kind of thing you describe.

I have no idea the real fix though, even whether it's something Giorgio can do in NoScript or if some type of XSS exception is the way to go.
*Always* check the changelogs BEFORE updating that important software!
-
bobblebob

Re: Website hanging with 2.6.9.34

Post by bobblebob »

If I know the website is secure, is it OK to add it to the exception list within NoScript?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
bobblebob

Re: Website hanging with 2.6.9.34

Post by bobblebob »

In fact, how would I go about adding it to the exception list within NoScript?

I notice the ones that are in there by default have a lot of symbols that I'm not sure what they mean or do:
^https?://([a-z]+)\.google\.(?:[a-z]{1,3}\.)?[a-z]+/(?:search|custom|\1)\?
^https?://([a-z]*)\.?search\.yahoo\.com/search(?:\?|/\1\b)
^https?://[a-z]+\.wikipedia\.org/wiki/[^"<>\?%]+$
^https?://translate\.google\.com/translate_t[^"'<>\?%]+$
^https://secure\.wikimedia\.org/wikipedia/[a-z]+/wiki/[^"<>\?%]+$
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
barbaz
Senior Member
Posts: 11142
Joined: Sat Aug 03, 2013 5:45 pm

Re: Website hanging with 2.6.9.34

Post by barbaz »

bobblebob wrote: If I know the website is secure, is it OK to add it to the exception list within NoScript?
Yep, this can be what the exception list is for. But how can you be sure which site the XSS filter needs exception for? Are you sure it's not requests to some 3rd-party site that NoScript is slow to scan?

In any case, it's probably better to make an XSS exception for a specific URL and not the whole site (if possible), given that this is your bank site.
Check the sticky for how to make XSS exceptions.

(Sometimes in these cases it's best to add an XSS exception but then block the site outright, so that it doesn't matter what the XSS filter does or doesn't do, the end result is the same. That is, that's what to do if you're not comfortable adding an XSS exception for a site on which the XSS filter is hanging too much.)
bobblebob wrote: In fact, how would I go about adding it to the exception list within NoScript?

I notice the ones that are in there by default have a lot of symbols that I'm not sure what they mean or do:
They're regular expressions; this tutorial might help you understand it if you're interested.
*Always* check the changelogs BEFORE updating that important software!
-
bobblebob

Re: Website hanging with 2.6.9.34

Post by bobblebob »

Thanks for the info, will have a read.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
bobblebob

Re: Website hanging with 2.6.9.34

Post by bobblebob »

Just added "https://www.halifax-online.co.uk" to the exception list with no other symbols and seems to have fixed it
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
barbaz
Senior Member
Posts: 11142
Joined: Sat Aug 03, 2013 5:45 pm

Re: Website hanging with 2.6.9.34

Post by barbaz »

Glad you found that out, but that exception is VERY unsafe, please try this one instead and let us know if it works:

^@https://www\.halifax-online\.co\.uk/
A "." in a regular expression is a wildcard for any single character, and these regexes don't automatically match from the beginning of the URL - you're allowing XSS to any URL containing the above.

Plus, the addition of the "@" makes it that the XSS filter skips checking any request originating from halifax-online - without the @ you're matching request destinations, meaning you're allowing all sites to XSS your bank site. :o
*Always* check the changelogs BEFORE updating that important software!
-
bobblebob

Re: Website hanging with 2.6.9.34

Post by bobblebob »

Thanks, that worked for the login page, however once signed in the URL changes to

https://secure.halifax-online.co.uk
How would I go about adding that to the exception list? I tried the code that you suggested but added the ".secure" to it so that it read

^@https://www\.secure.halifax-online\.co\.uk/
but that didn't work. Any suggestions?

Cheers
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
barbaz
Senior Member
Posts: 11142
Joined: Sat Aug 03, 2013 5:45 pm

Re: Website hanging with 2.6.9.34

Post by barbaz »

Try this:

^@https://(?:secure|www)\.halifax-online\.co\.uk/
*Always* check the changelogs BEFORE updating that important software!
-
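The exception lines from the posts above, run against sample requests, as an added example that is not part of the original thread and not NoScript's own code. It assumes the simplified semantics barbaz describes (a leading "@" tests the request's origin, anything else tests the destination); the helper names, the other.example host and the URL paths are constructed for illustration.

```javascript
// Simplified model of one XSS-exception line, following the thread's description:
// a leading "@" (after an optional "^") tests the request's origin; any other
// line tests the destination URL. Assumption for illustration, not NoScript code.
function parseException(line) {
  const m = /^(\^?)@(.*)$/.exec(line);
  return m
    ? { side: "origin", re: new RegExp(m[1] + m[2]) }
    : { side: "destination", re: new RegExp(line) };
}

// True when the request origin -> destination would skip XSS filtering.
function isExempt(line, origin, destination) {
  const { side, re } = parseException(line);
  return re.test(side === "origin" ? origin : destination);
}

// Exception lines quoted in the thread.
const LOOSE = "https://www.halifax-online.co.uk";
const WWW_ONLY = "^@https://www\\.halifax-online\\.co\\.uk/";
const TYPO = "^@https://www\\.secure.halifax-online\\.co\\.uk/";
const BOTH = "^@https://(?:secure|www)\\.halifax-online\\.co\\.uk/";

// Constructed sample URLs; paths and the other.example host are placeholders.
const BANK_WWW = "https://www.halifax-online.co.uk/login";
const BANK_SECURE = "https://secure.halifax-online.co.uk/account";
const OTHER = "https://other.example/page";
const EMBEDS = "https://other.example/r?u=https://www.halifax-online.co.uk";
const DOT_AS_WILDCARD = "https://wwwxhalifax-online.co.uk.other.example/";

function demo() {
  return {
    // Loose entry: a request from any site to the bank skips the filter,
    looseCrossSite: isExempt(LOOSE, OTHER, BANK_WWW),
    // as does any destination that merely contains the text,
    looseEmbedded: isExempt(LOOSE, BANK_WWW, EMBEDS),
    // or one where the unescaped "." matched another character.
    looseWildcard: isExempt(LOOSE, OTHER, DOT_AS_WILDCARD),
    // Anchored "@" entry: only requests sent from www are exempt.
    wwwFromBank: isExempt(WWW_ONLY, BANK_WWW, OTHER),
    wwwCrossSite: isExempt(WWW_ONLY, OTHER, BANK_WWW),
    wwwAfterLogin: isExempt(WWW_ONLY, BANK_SECURE, BANK_SECURE),
    // "www\.secure." describes a host that is not the one in use after login.
    typoAfterLogin: isExempt(TYPO, BANK_SECURE, BANK_SECURE),
    // The alternation covers both hosts and still rejects other origins.
    bothAfterLogin: isExempt(BOTH, BANK_SECURE, BANK_SECURE),
    bothCrossSite: isExempt(BOTH, DOT_AS_WILDCARD, BANK_WWW),
  };
}
console.log(demo());
```
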
bobblebob

Re: Website hanging with 2.6.9.34

Post by bobblebob »

Thanks. Will try when I finish work this evening and let you know.
Mozilla/5.0 (Linux; Android 5.0; en-gb; SAMSUNG SM-G900F Build/LRX21T) AppleWebKit/537.36 (KHTML, like Gecko) Version/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
bobblebob

Re: Website hanging with 2.6.9.34

Post by bobblebob »

That does indeed work now. Thanks very much for that. So am I OK to leave that exception as it is now, as I trust the website?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
barbaz
Senior Member
Posts: 11142
Joined: Sat Aug 03, 2013 5:45 pm

Re: Website hanging with 2.6.9.34

Post by barbaz »

np
Yeah, if you trust that site (and since there aren't any actual XSS warnings) then that exception is completely safe.
*Always* check the changelogs BEFORE updating that important software!
-