SOLVED - Problems using No Script with Bank of America site

Post by lakrsrool »

I've been blaming BofA since they changed their login page, but now I've found out that if I disable the Firefox (FF) NoScript add-on then the BofA website logs in without any problems.

I'm allowing all scripts in NoScript for BofA site when the NoScript add-on is enabled but the login will hang my computer for between 40-70 seconds every time I log in with NoScript enabled. Every time if I disable the NoScript add-on then FF has no problems at all logging into the BofA site.

Even if I allow all Scripts GLOBALLY (which I don't want to do of course), the login hangup still persists. It seems the only thing that helps is to totally disable the NoScript add-on.

Question: Is there a way to disable NoScript entirely for a specific website, since even if I allow everything I still have problems with the NoScript add-on enabled in the FF browser version 40.0.2?

It seems as long as NoScript is running the BofA website will have problems logging into a customer's account. I would like to keep using NoScript but if using NoScript now means waiting this long to log in to BofA then it's a problem.

Thanks in advance.
Last edited by lakrsrool on Tue Sep 01, 2015 5:11 pm, edited 1 time in total.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0

Post by lakrsrool »

I have just updated FF to the most current version 40.0.3, still the issue persists.

What I will sometimes get is this error: "Script: chrome://browser/content/browser.js:14965", and make no mistake I am only using the Firefox browser.

This error is apparently referring to an internal script "chrome://browser/content/browser.js". Hence, one would surmise that it's possibly an add-on that's causing the problem. Interestingly, NoScript seems to be causing the problem after checking out each add-on to see which add-on might be causing this.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0

Post by barbaz »

Check the Browser Console (Ctrl-Shift-J) & see if there are any NoScript-related messages?
(I'm assuming that you get some type of actual alert pointing you to browser.js, & that's not from the console?)

If none, try (just as a test, this is *not* a fix!!!!!) disabling the XSS filter (un-check both boxes under NoScript Options > Advanced > XSS)?
*Always* check the changelogs BEFORE updating that important software!
-

Post by Thrawn »

lakrsrool wrote:
> Question: Is there a way to disable NoScript entirely for a specific website, since even if I allow everything I still have problems with the NoScript add-on enabled in the FF browser version 40.0.2?

No.

However, individual behind-the-scenes features typically have a way to configure exceptions.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0

Post by lakrsrool »

barbaz wrote:
> Check the Browser Console (Ctrl-Shift-J) & see if there are any NoScript-related messages?
> (I'm assuming that you get some type of actual alert pointing you to browser.js, & that's not from the console?)
>
> If none, try (just as a test, this is *not* a fix!!!!!) disabling the XSS filter (un-check both boxes under NoScript Options > Advanced > XSS)?

I had already disabled the lower XSS setting "Turn cross-site POST requests into dataless GET requests", because some of my bank account web site would not work properly for specific website functions.

The good news here is that disabling the upper setting as well (as you suggested, both) "Sanitize cross-site suspicious requests" so that both are disabled did the trick. :D

Now the question I have is does this impact ALL websites I visit?

In other words I lose this security across the board so that this and a handful of other sites work properly?

I would hope there is a way to assign this setting in NoScript as such (disabling both settings) so that it can be set to only apply to specific websites as opposed to being set globally for all sites. If the setting has to be a global setting then there is not much use for this specific security if one wants some websites to work properly.

Thanks for the help and of course for answering my follow-up questions. :D

ADDENDUM: Oh btw, is there anything that I can tell that bank's tech department to change to help it to be more compatible with NoScript? I ask this because this was not a problem before.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0

Post by barbaz »

No reason to keep that completely disabled. If there are no messages from NoScript in the Browser Console (Ctrl-Shift-J), you're pretty much looking at trial-and-error of adding an XSS exception starting with

^@https://
(because the @ means match request origin, no reason to open up your bank site to XSS from everyone but it's fine to trust a bank not to XSS anything; and presumably they're using HTTPS).

If it's not an essential piece of the site (e.g. some have reported this with bluekai), you would make an XSS exception without the @ (to match destination) and then block the matching sites with ABE so that it doesn't matter what the XSS filter does or doesn't do, the end result is the same (request completely blocked).

This tutorial will help you understand regular expressions if you don't already.
lakrsrool wrote:
> ADDENDUM: Oh btw, is there anything that I can tell that bank's tech department to change to help it to be more compatible with NoScript? I ask this because this was not a problem before.

If there is a NoScript XSS message in the console, post it here.
If there is not, I don't know what to suggest you say to them (I don't have any idea at all why the XSS filter is the culprit of hangs sometimes, I'm just going off what people have reported).

Maybe there needs to be the option to log (at debug level) XSS filter processing & (in)actions to a file, for after-the-fact analysis of this stuff - maybe there is a pattern or two in what these sites that cause XSS filter related hangs are doing.
*Always* check the changelogs BEFORE updating that important software!
-
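
The origin-versus-destination distinction in barbaz's post, modelled as an added example that is not part of the thread and not NoScript's own code. It assumes each exception line is a regular expression tested against the destination URL and against "@" plus the origin URL; the two narrowed patterns, `example.test` and the request paths are constructed for illustration.

```javascript
// Simplified model of XSS-filter exceptions; NOT NoScript's own code.
// Assumption: every exception line is a regular expression that is tested
// against the destination URL and against "@" + the origin URL, so a line
// beginning with "^@" can only ever match a request origin.
function parseExceptions(text) {
  return text
    .split("\n")
    .map((line) => line.trim())
    .filter(Boolean)
    .map((line) => new RegExp(line));
}

// Returns which side of the request made the filter stand down:
// "origin", "destination", or null when the request is still filtered.
function exemptedBy(exceptions, origin, destination) {
  for (const rx of exceptions) {
    if (rx.test("@" + origin)) return "origin";
    if (rx.test(destination)) return "destination";
  }
  return null;
}

// Constructed requests. The bank host names appear in the thread;
// example.test and all paths are placeholders.
const requests = [
  { origin: "https://secure.bankofamerica.com/login/",
    destination: "https://streak.bankofamerica.com/30306/I3n.js" },
  { origin: "https://example.test/page",
    destination: "https://secure.bankofamerica.com/login/" },
  { origin: "http://example.test/page",
    destination: "https://secure.bankofamerica.com/login/" },
];

function summarize(ruleText) {
  const rules = parseExceptions(ruleText);
  return requests.map((r) => exemptedBy(rules, r.origin, r.destination));
}

// Starting point quoted in the post: any HTTPS origin is exempted.
const broad = summarize("^@https://");
// Hypothetical narrowing: only requests sent by the bank's own pages.
const scoped = summarize("^@https://secure\\.bankofamerica\\.com/");
// Hypothetical pattern without "@": matches by destination, whatever the origin.
const byDestination = summarize("^https://secure\\.bankofamerica\\.com/");

console.log({ broad, scoped, byDestination });
```

In this model the bare `^@https://` exempts requests from any HTTPS origin and the pattern without `@` exempts every request aimed at the bank, while the origin-scoped pattern limits the exemption to requests the bank's own pages send.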

Post by Thrawn »

lakrsrool wrote:
> The good news here is that disabling the upper setting as well (as you suggested, both) "Sanitize cross-site suspicious requests" so that both are disabled did the trick. :D

OK, that gives us something to work with. Can you check the Browser Console as previously mentioned? It should contain details of the request that triggered the XSS filter.

> Now the question I have is does this impact ALL websites I visit?

Absolutely, which is why barbaz said it's just a test. We can help you write a specific exception to work around it, or depending on the problem, Giorgio might be able to refine the filter. That's where the Browser Console messages are helpful.

> ADDENDUM: Oh btw, is there anything that I can tell that bank's tech department to change to help it to be more compatible with NoScript? I ask this because this was not a problem before.

Depends on what they're doing.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0

Post by lakrsrool »

OK, I'm trying to post information but I keep getting the "Ooops, something in your posting triggered my antispam filter... Please use the "Back" button to modify your content and retry." message.

Is there any way I can post this information another way to provide "console" log information?

Or is there something I can do to make my post work? I've copied it into Notepad for now.

Btw, since I'm posting this I wasn't sure where I should be copying the "console" information from. Is the relatively recent data listed toward the TOP or BOTTOM of the log?

I had copied both ends that appeared relevant to me but again can't get past the error message above as mentioned.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0

Post by lakrsrool »

OK, I am able to post by removing color and bold to highlight what I found in "console" log. Instead I italicized it.

So looking at the console (I've had XSS settings disabled for awhile now) and scrolling up through the data presumably looking for something that appears to relate to BofA I found the following:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://streak.bankofamerica.com/30306/I3n.js. (Reason: CORS header 'Access-Control-Allow-Origin' does not match '*'). <unknown>

Not knowing if this is helpful I disabled the setting that fixed the issue and logged into web site again.

Now not knowing if the new data is added at the top I'm posting both top and bottom of console log:

TOP:
ReferenceError: showSasiOverlay is not defined signIn.go:119:6
ReferenceError: $ is not defined signIn.go:978:0
ReferenceError: boaMboxCreate is not defined signIn.go:1107:2
ReferenceError: $ is not defined signIn.go:1125:1
ReferenceError: OOo is not defined signIn.go:2938:6
ReferenceError: $ is not defined signIn.go:2997:5
ReferenceError: $ is not defined signIn.go:3030:4
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://streak.bankofamerica.com/30306/I3n.js. (Reason: CORS header 'Access-Control-Allow-Origin' does not match '*'). <unknown>
ReferenceError: $ is not defined auth-chat.js:3:0
ReferenceError: $ is not defined signIn.go:3399:0
about:blank : Unable to run script because scripts are blocked internally. <unknown>
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] deploy2.asp
about:blank : Unable to run script because scripts are blocked internally. <unknown>
about:blank : Unable to run script because scripts are blocked internally. <unknown>



BOTTOM WELL SORT OF, THIS WAS A WAYS UP FROM THE BOTTOM BECAUSE THE DATA AT THE BOTTOM END ALL LOOKED THE SAME SO I STARTED WHERE I SAW SOMETHING DIFFERENT THAN USUAL:

Empty string passed to getElementById(). I3n.js:1:0
A form was submitted in the windows-1252 encoding which cannot encode all Unicode characters, so user input may get corrupted. To avoid this problem, the page should be changed so that the form is submitted in the UTF-8 encoding either by changing the encoding of the page itself to UTF-8 or by specifying accept-charset=utf-8 on the form element. cm-jawr.js:1:0
Use of getPreventDefault() is deprecated. Use defaultPrevented instead. vipaa-v2-jawr.js:14:0
Empty string passed to getElementById(). I3n.js:1:0
A form was submitted in the windows-1252 encoding which cannot encode all Unicode characters, so user input may get corrupted. To avoid this problem, the page should be changed so that the form is submitted in the UTF-8 encoding either by changing the encoding of the page itself to UTF-8 or by specifying accept-charset=utf-8 on the form element. cm-jawr.js:1:0
ReferenceError: showSasiOverlay is not defined signIn.go:119:6
ReferenceError: $ is not defined signIn.go:978:0
ReferenceError: boaMboxCreate is not defined signIn.go:1107:2
ReferenceError: $ is not defined signIn.go:1125:1
ReferenceError: OOo is not defined signIn.go:2939:6
ReferenceError: $ is not defined signIn.go:2998:5
ReferenceError: $ is not defined signIn.go:3031:4
ReferenceError: $ is not defined auth-chat.js:3:0
ReferenceError: $ is not defined signIn.go:3400:0
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] images.cardlytics.com
about:blank : Unable to run script because scripts are blocked internally. <unknown>
about:blank : Unable to run script because scripts are blocked internally. <unknown>
about:blank : Unable to run script because scripts are blocked internally. <unknown>
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] LPBofA2
about:blank : Unable to run script because scripts are blocked internally. <unknown>
about:blank : Unable to run script because scripts are blocked internally. <unknown>
Empty string passed to getElementById(). signIn.go:1:0
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] LPBofA2
about:blank : Unable to run script because scripts are blocked internally. <unknown>
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] LPBofA2
about:blank : Unable to run script because scripts are blocked internally. <unknown>
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] LPBofA2
about:blank : Unable to run script because scripts are blocked internally. <unknown>
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] LPBofA2
about:blank : Unable to run script because scripts are blocked internally. <unknown>
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] LPBofA2
about:blank : Unable to run script because scripts are blocked internally. <unknown>
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] LPBofA2
about:blank : Unable to run script because scripts are blocked internally. <unknown>
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] LPBofA2

FROM HERE ON OUT IT WAS RELATIVELY THE SAME TO THE END OF THE DATA.

If there is something else I need to do please let me know.
Last edited by lakrsrool on Fri Aug 28, 2015 2:40 am, edited 3 times in total.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0

Post by therube »

> BofA since they changed their login page

URL?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 SeaMonkey/2.33.1

Post by barbaz »

New messages are added at the bottom of the console last time I checked.

> ReferenceError: $ is not defined

Is a jQuery library not loading? Because I would think that would bork things quite seriously...

Post by lakrsrool »

therube wrote:
> > BofA since they changed their login page
>
> URL?

https://secure.bankofamerica.com/login/ ... nScreen.go

But then the computer doesn't lock up until it gets past the login and has loaded the actual account interface page at which time it locks up each time for around 40 seconds.
Last edited by lakrsrool on Fri Aug 28, 2015 2:45 am, edited 1 time in total.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0

Post by barbaz »

(you need to wrap the link in url tags to not have it broken by the board.)

Post by lakrsrool »

If this is of any help, I got this script error JUST ONCE (out of probably logging on several dozen times so it's not a common error) when the page was loading: "Script: chrome://browser/content/browser.js:14965". The warning message was that the script was not responding giving me the choice to wait or stop it as usual.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0