BUG: NoScript causes Firefox to hang when visiting page

doidy
Posts: 7
Joined: Sun Sep 06, 2015 10:05 pm

BUG: NoScript causes Firefox to hang when visiting page

Post by doidy »

Hi, I was trying to get into my online banking, when Firefox kept freezing at the login page (had to manually kill FF, which was totally unresponsive and maxing out one core of my CPU). I tracked the culprit down, and it turned out to be NoScript.

Starting from a new blank profile in FF I installed NoScript (and nothing else), and visited the login page ( https://www.nwolb.com ), and it worked fine! :lol: So, I then changed two settings in NoScript, to "Temporarily allow top-level sites by default" and checked the "Base 2nd level Domains" option. When I refreshed the page, bingo!, FF froze as it does with my regular profile. (I use those settings in my usual profile.)

Note: you don't need to bank with my bank to test this out, just visiting the login page is enough to cause the freeze.

Also, if I disable XSS checking within NS, the page works fine.

I'm running FF 40.0.3 on a Linux machine and the latest NoScript 2.6.9.36 from Mozilla addons.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0
barbaz
Senior Member
Posts: 11109
Joined: Sat Aug 03, 2013 5:45 pm

Re: BUG: NoScript causes Firefox to hang when visiting page

Post by barbaz »

Yes it's known from several other reports that lately the XSS filter can cause temporary hanging... but is it actually taking any action?
So when this problem occurs, do you see anything related in the Browser Console? (Ctrl-Shift-J)
(if you don't know what's related, turn off CSS warnings and post everything else you see)
*Always* check the changelogs BEFORE updating that important software!
-
doidy
Posts: 7
Joined: Sun Sep 06, 2015 10:05 pm

Re: BUG: NoScript causes Firefox to hang when visiting page

Post by doidy »

Thanks for getting back so quickly. Unfortunately I can't post the output as the console freezes when the browser freezes! I'll see if I can get a screen grab tomorrow (it's late here now).

Also, if it is of any help to anyone, as a workaround just changing the "Base 2nd level Domains" (under "Temporarily allow top-level sites by default") option to either "Full Address" or "Full Domains" stops the freezing for me (ETA: while keeping XSS checking on), on that particular page. I've not noticed freezes anywhere else yet.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0
barbaz
Senior Member
Posts: 11109
Joined: Sat Aug 03, 2013 5:45 pm

Re: BUG: NoScript causes Firefox to hang when visiting page

Post by barbaz »

Probably because it's something a script - one that isn't on the full domain - is doing, that is making the XSS filter either sanitize something or check it in detail. This might suggest window.name tampering?
doidy
Posts: 7
Joined: Sun Sep 06, 2015 10:05 pm

Re: BUG: NoScript causes Firefox to hang when visiting page

Post by doidy »

OK, so I got a screengrab of the console right before the crash (which wasn't easy):

https://www.dropbox.com/s/ng03j8gnna8seb1/ns_windowgrab.png

Note: I redacted some info that might be used to cause mischief.

Also, note that this site was working a few days ago with the same version of NS and the same settings, so obviously something at that site has changed.

ETA: I just tried the same page on a different machine running the same version of FF and NS (though a different version of Linux) and got the same crash.

ETA2: Link broke somehow, though it worked earlier, so I put it in code brackets.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0
barbaz
Senior Member
Posts: 11109
Joined: Sat Aug 03, 2013 5:45 pm

Re: BUG: NoScript causes Firefox to hang when visiting page

Post by barbaz »

I don't know if those messages are due to the script that's causing the hang or not, but see viewtopic.php?f=7&t=19388
doidy
Posts: 7
Joined: Sun Sep 06, 2015 10:05 pm

Re: BUG: NoScript causes Firefox to hang when visiting page

Post by doidy »

Ah right. I thought that was some sort of security thing (the red rectangle in the screengrab hides my IP address). ETA: I just checked and those lines also appear when it doesn't crash.

Also, I think you're right about the "one that isn't on the full domain", as when I temp allow nwolb.com (in addition to www.nwolb.com) it also causes the freeze.

OK, thanks anyway.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0
doidy
Posts: 7
Joined: Sun Sep 06, 2015 10:05 pm

Re: BUG: NoScript causes Firefox to hang when visiting page

Post by doidy »

That last line in the screengrab always appears when there is a crash, and it is always the last line. It doesn't appear when it works.

GET https://online.nwolb.com/*SOME NUMBERS*/*SOME LETTERS*

The numbers and letters are the same every time, but I don't want to say what they are in case they are linked to me in any way. ;) When I type the URL I get a blank page, which has a totally blank page source. Not sure what it's for.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0
barbaz
Senior Member
Posts: 11109
Joined: Sat Aug 03, 2013 5:45 pm

Re: BUG: NoScript causes Firefox to hang when visiting page

Post by barbaz »

If you block that request outright, does anything change?

NoScript Options > Advanced > ABE > USER, add

Site ^https?://online\.nwolb\.com/\d+/[A-Za-z]+
Deny

(It would possibly be better if you replace "\d+" with the actual numbers & "[A-Za-z]+" with the actual letters; although it will block the request either way, you might potentially block more than desired with the rule as suggested...)
doidy
Posts: 7
Joined: Sun Sep 06, 2015 10:05 pm

Re: BUG: NoScript causes Firefox to hang when visiting page

Post by doidy »

No that also crashed. The console output looks more or less identical except that last line is now missing.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0
doidy
Posts: 7
Joined: Sun Sep 06, 2015 10:05 pm

Re: BUG: NoScript causes Firefox to hang when visiting page

Post by doidy »

Nailed it! 8-)

Added this like above (but removed the other one):

Site ^https?://chat\.nwolb\.com/nwbpwebassets/bottom\.js
Deny

Page now loads without crashing when I temp allow "nwolb.com".
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0
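
Added example (not from the thread and not NoScript's own code): a simplified JavaScript model of the two ABE USER rules posted above, run over a constructed request list to show how much more the generic `\d+/[A-Za-z]+` rule denies than a rule pinned to specific values. The matching semantics (a plain regular-expression test against the URL), the placeholder values `12345`/`abcdef` and the sample URLs are assumptions.

```javascript
// Added example: simplified model of ABE "Site <regex>" / "Deny" rules.
// Assumption: a Site resource starting with "^" is a regular expression
// tested against the request URL (modelled here with RegExp.test).

// "12345" and "abcdef" are constructed placeholders for the redacted values.
const RULESETS = {
  generic: 'Site ^https?://online\\.nwolb\\.com/\\d+/[A-Za-z]+\nDeny',
  pinned: 'Site ^https?://online\\.nwolb\\.com/12345/abcdef$\nDeny',
  chat: 'Site ^https?://chat\\.nwolb\\.com/nwbpwebassets/bottom\\.js\nDeny',
};

// Constructed request list; only the login page and bottom.js are from the thread.
const REQUESTS = [
  'https://online.nwolb.com/12345/abcdef',
  'https://online.nwolb.com/67890/logout',
  'https://online.nwolb.com/12345/abcdefgh',
  'https://www.nwolb.com/login.aspx',
  'https://chat.nwolb.com/nwbpwebassets/bottom.js',
];

// Parse "Site <patterns...>" lines, each followed by one Deny/Accept predicate.
function parseRules(text) {
  const rules = [];
  for (const raw of text.split('\n')) {
    const [keyword, ...rest] = raw.trim().split(/\s+/);
    if (keyword === '') continue; // blank line
    if (keyword === 'Site' && rest.length && rest.every((p) => p.startsWith('^'))) {
      rules.push({ patterns: rest.map((p) => new RegExp(p)), action: null });
    } else if (rules.length && (keyword === 'Deny' || keyword === 'Accept')) {
      const rule = rules[rules.length - 1];
      if (rule.action === null) rule.action = keyword; // first predicate wins
    } else {
      throw new Error(`unsupported rule line: ${raw}`);
    }
  }
  return rules;
}

// Return the URLs whose first matching rule carries a Deny predicate.
function denied(ruleText, urls) {
  const rules = parseRules(ruleText);
  return urls.filter((url) => {
    const hit = rules.find((r) => r.patterns.some((re) => re.test(url)));
    return hit !== undefined && hit.action === 'Deny';
  });
}

for (const [name, text] of Object.entries(RULESETS)) {
  console.log(name, denied(text, REQUESTS));
}
```
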
barbaz
Senior Member
Posts: 11109
Joined: Sat Aug 03, 2013 5:45 pm

Re: BUG: NoScript causes Firefox to hang when visiting page

Post by barbaz »

Nice.
Thanks for letting us know the solution. I'll take a look at that script & see if I can spot why it's causing problems.
barbaz
Senior Member
Posts: 11109
Joined: Sat Aug 03, 2013 5:45 pm

Re: BUG: NoScript causes Firefox to hang when visiting page

Post by barbaz »

Well it's just as I thought, this script is doing _something_ with [reading/setting] window.name - but looking through minified code is giving me too much of a headache to figure out exactly what though.
therube
Ambassador
Posts: 7972
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: BUG: NoScript causes Firefox to hang when visiting page

Post by therube »

I get a prolonged hang, that eventually subsides.

A bunch of these (if applicable in some fashion?):

Error: about:blank : Unable to run script because scripts are blocked internally.

A pair like this:

[ABE] <LOCAL> Deny on {GET https://73.129.119.203:17100/NonExistentImage20576.gif <<< https://www.nwolb.com/login.aspx?refererident=B9050394B0C04B3D6C777738601C3AE0A490C98A&cookieid=207725&CookieCheck=2015-09-07T22:38:34 - 3}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny

[ABE] <LOCAL> Deny on {GET https://127.0.0.1:28635/NonExistentImage23727.gif <<< https://www.nwolb.com/login.aspx?refererident=B9050394B0C04B3D6C777738601C3AE0A490C98A&cookieid=207725&CookieCheck=2015-09-07T22:38:34 - 3}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny

And the domains I'm seeing:

-liveperson.net
-demdex.net
+adobedtm.com
-73.129.119.203
-127.0.0.1
+nwolb.com

And an IFRAME from doubleclick.net, not shown above.
(<IFRAME> block on my end.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0 SeaMonkey/2.35