Hello,
When viewing any page on Shopify's blog (example), my browser crashes bad (near freeze), requiring a force-quit. I'm running Firefox 40.0.3 on OSX (10.8) with the NoScript add-on (current).
The browser is crashing before page load is completed, and I'm unable to investigate with NoScript or Firebug.
Through some trial-and-error I was able to identify the culprit domain:
popcornmetricsendpoint.herokuapp.com
This domain was blocked, as I had never visited it before. The script was being loaded from another external domain script (hosted on a CDN), which I may or may not have had 'allowed' either (can't remember right now).
I saw this situation many years ago with the Meetup.com website. They were loading an external script within an iFrame, called only when a user-click happened. It was Google Analytics they were loading twice (dummies), in any case, it crashed the browser running NoScript.
QUESTION: Why didn't NoScript handle this situation as usual? Is it not a standard cross-site script situation?
QUESTION: Is it bad practice for that developer to load a script like that?
If I speak to developers about this, they typically tell me to "Stop using NoScript". I want to be able to tell them "Stop doing weird script loading!!!". To me, NoScript is like a canary in the coal mine.
Browser crash, external domain within another
Cablestein
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:40.0) Gecko/20100101 Firefox/40.0
Re: Browser crash, external domain within another
Cablestein wrote: QUESTION: Why didn't NoScript handle this situation as usual? Is it not a standard cross-site script situation? QUESTION: Is it bad practice for that developer to load a script like that?
I personally would just leave it at that (block the domain & get on with my life), & not bother about it, but...
These hangs are not always reproducible, so not sure if we can investigate. So in case we can't, here are some tips for investigating:
- look at the Browser Console (Ctrl-Shift-J) (video capture helps here), and post here any related messages (CSS warnings are never related, so just turn that off)
- find some way to see all the individual scripts from that domain, & if more than one, block one by one with ABE until you find the exact script. (Browser Console (Ctrl-Shift-J) net logging might do)
Then post here the link to said script, or upload its contents to Pastebin & link that - whichever you prefer.
Note: these hangs are usually not caused by how the script is loaded, but by the script itself. If the loading were the problem I would think that blocking the script it's trying to load would make it worse.
Cablestein wrote: If I speak to developers about this, they typically tell me to "Stop using NoScript".
OMG, don't listen to those uneducated people. They need to be read the riot act about Web security, for giving undeserving users such stupid advice! Who knows how many people are wide open to all kinds of Web nasties after trying to protect themselves, hitting trouble, receiving this type of reply when they ask about it, and acting on said reply?
Not that I'm going to test it, but judging by that answer, you really have to wonder if their site has some silly vulnerability of some sort? I wouldn't trust them with anything.
Sorry, just had to say, because that is so wrong.
If you can't convince them why NoScript is a necessity (because it really is to those who can handle it), can you just not use their sites and recommend others likewise?
Also it may not be their problem but the fault of a 3rd-party script or library they have no control over; in this case the response you'd get if the webmaster(s) are reasonable would be along the lines of "sorry, not our problem, please contact [vendor] instead".
*Always* check the changelogs BEFORE updating that important software!
Re: Browser crash, external domain within another
Missed that this is in Dev earlier. Moving to NoScript Support as there is no NoScript bug report or RFE here.
Re: Browser crash, external domain within another
Just to clarify, does it still crash if NoScript is disabled? If not, then it may be possible to apply a workaround.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0
Cablestein
Re: Browser crash, external domain within another
No, it does not crash when NoScript is disabled.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:40.0) Gecko/20100101 Firefox/40.0
Re: Browser crash, external domain within another
OK, so we can try for a workaround of some kind. However, I haven't been able to reproduce the hang with all scripts blocked on that page, nor by allowing just the top-level domain.
Have you whitelisted shopify.com? What happens if you block it?
======
Thrawn
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0
Re: Browser crash, external domain within another
I was under the impression that they were meaning that Allowing the domain mentioned in the OP is how to reproduce the hang, and that they might have Allow Scripts Globally on or something like that. Haven't tried to investigate it myself though, haven't had the chance.