Long page open delays using NatWest Online Banking
-
SpooRancher
- Posts: 3
- Joined: Fri Sep 25, 2015 5:33 pm
Long page open delays using NatWest Online Banking
Hi -
Sometime in the last month(?) a problem has crept in to NoScript that causes issues with the UK NatWest Bank's online banking pages. You can see this problem without having an account there.
I'm doing this on a Windows 7 64 bit system, using FireFox 40.0.3 and 41.0, NoScript 2.6.9.36 and 2.6.9.37rc1
To reproduce:
1. Open the page http://www.natwest.com/
2. At top right on the page, click the "Log In" link
You'll see the first page asking for credentials appear.
In a few seconds, the tab title text changes to "Connecting ...", and then Windows finds that the Firefox application is not responding and paints the ghost window. A thread in the Firefox process starts to take almost 100% of one core, and this continues for around 10 seconds.
You won't be able to proceed without an account, but with one you would see that the same behaviour shows on the next page of the login process, and on most of the pages that are then available.
Setting NoScript to permanently allow all of the initial page, and then all of the first credentials page does not make the problem go away. It does go away if NoScript is completely disabled, though.
Thanks
Alan
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Re: Long page open delays using NatWest Online Banking
first thing to try is disable the XSS filter as a test (this is *not* a solution)
noscript options > advanced > xss, un-check both boxes
if that works, re-enable the xss filter & please check the Browser Console (Ctrl-Shift-J) when this issue happens and post here any messages related to noscript.
(related messages usually start with either "[NoScript" or "[ABE]"; if you don't know what's related, turn off CSS warnings and post everything else you see)
*Always* check the changelogs BEFORE updating that important software!
-
-
SpooRancher
- Posts: 3
- Joined: Fri Sep 25, 2015 5:33 pm
Re: Long page open delays using NatWest Online Banking
Thanks!
OK, with both XSS options off I do not see the blocking behaviour.
With the XSS options on the console log shows me this sequence as we get to the bad place:
Code: Select all
https://rbs.tt.omtrdc.net/m2/rbs/mbox/ajax [HTTP/1.1 200 OK 136ms]
about:blank : Unable to run script because scripts are blocked internally. <unknown>
GET
https://www.google-analytics.com/analytics.js [HTTP/2.0 200 OK 0ms]
downloadable font: download not allowed (font-family: "FontAwesome" style:normal weight:normal stretch:normal src index:1): content blocked source: https://maxcdn.bootstrapcdn.com/font-awesome/4.2.0/fonts/fontawesome-webfont.woff?v=4.2.0 font-awesome.min.css:4:14
downloadable font: download not allowed (font-family: "FontAwesome" style:normal weight:normal stretch:normal src index:2): content blocked source: https://maxcdn.bootstrapcdn.com/font-awesome/4.2.0/fonts/fontawesome-webfont.ttf?v=4.2.0 font-awesome.min.css:4:14
GET
https://assets.adobedtm.com/5165c8c319825f6ec3fb78d0a8dcc1054ab35a3d/s-code-contents-d20ea33e47d8f1f6fd5aa9f443b94a97d8e67e4c.js [HTTP/1.1 200 OK 0ms]
GET
https://server.lon.liveperson.net/hc/48759847/ [HTTP/1.1 200 OK 32ms]
GET
https://server.lon.liveperson.net/visitor/lpdc/48759847/styles-default.css [HTTP/1.1 200 OK 0ms]
GET
https://server.lon.liveperson.net/visitor/lpdc/48759847/styles-natwest.css [HTTP/1.1 200 OK 0ms]
GET
XHR
https://server.lon.liveperson.net/visitor/lpdc/engagements/engagements.view.html [HTTP/1.1 200 OK 0ms]
GET
https://www.google-analytics.com/collect [HTTP/2.0 200 OK 33ms]
GET
https://www.google-analytics.com/collect [HTTP/2.0 200 OK 33ms]
GET
https://sc.natwest.com/b/ss/testrbs/1/JS-1.5-D591/s08137858547030 [HTTP/1.1 200 OK 396ms]
about:blank : Unable to run script because scripts are blocked internally. <unknown>
GET
https://assets.adobedtm.com/5165c8c319825f6ec3fb78d0a8dcc1054ab35a3d/scripts/satellite-55e02a87396535001700055d.js [HTTP/1.1 200 OK 0ms]
[NoScript] Blocking refresh on unfocused tab, about:blank->https://www.nwolb.com/ServiceManagement/Timeout.aspx
NetworkError: A network error occurred. angular.min.js:37:0
Last edited by barbaz on Fri Sep 25, 2015 6:49 pm, edited 1 time in total.
Reason: prevent console messages from truncation
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Re: Long page open delays using NatWest Online Banking
(I've fixed it for you this time, but please post console messages inside code tags in the future, otherwise the board linkifies a bunch of portions of the messages and will truncate them on editing or preview; plus it's easier to read code tag than a wall of text. Thanks.)
Huh, that's weird, the message from NoScript is from the bgRefresh feature, yet evidently that's nothing to do with your problem...
Try adding this to the XSS exceptions textbox in the XSS options tab (same as above):
Code: Select all
^@https://(?:[^/:]+\.)?natwest\.com/
This allows any natwest subdomain to XSS any site, but seeing that you trust them with your money, I would doubt that's of concern to you...
-
-
SpooRancher
- Posts: 3
- Joined: Fri Sep 25, 2015 5:33 pm
Re: Long page open delays using NatWest Online Banking
Doh. Sorry about the formatting.
Hmmm. Well, I added your line to the XSS exceptions list, so it looks like this:
Code: Select all
^https?://([a-z]+)\.google\.(?:[a-z]{1,3}\.)?[a-z]+/(?:search|custom|\1)\?
^https?://([a-z]*)\.?search\.yahoo\.com/search(?:\?|/\1\b)
^https?://[a-z]+\.wikipedia\.org/wiki/[^"<>\?%]+$
^https?://translate\.google\.com/translate_t[^"'<>\?%]+$
^https://secure\.wikimedia\.org/wikipedia/[a-z]+/wiki/[^"<>\?%]+$
^@https://(?:[^/:]+\.)?natwest\.com/
Restarted Firefox, but it doesn't make the problem go away.
Once while trying this one out I saw Firefox put up "Waiting for sr4.liveperson.net" in the status message at bottom left while the browser was hung.
Alan
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
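As an added illustration (not part of any post in this thread, and not NoScript's own code), the following checks which of the URLs seen in the console output above the suggested XSS exception covers. It assumes the leading `@` is NoScript's marker rather than regex syntax and strips it before compiling; the two lookalike hosts are constructed.

```javascript
// Added example: which URLs from this thread does the suggested XSS exception cover?
// Assumption: the leading "@" is NoScript's own marker, not regex syntax, so it is
// stripped before the rest is compiled as an ordinary JavaScript regular expression.
const EXCEPTION = String.raw`^@https://(?:[^/:]+\.)?natwest\.com/`;

function compileException(line) {
  const originScoped = line.startsWith("^@");
  const source = originScoped ? "^" + line.slice(2) : line;
  return { originScoped, re: new RegExp(source) };
}

// URLs taken from the console output in the thread (query strings trimmed),
// plus two constructed lookalike hosts to show the pattern is host-anchored.
const URLS = [
  "https://www.natwest.com/",
  "https://sc.natwest.com/b/ss/testrbs/1/JS-1.5-D591/s08137858547030",
  "https://www.nwolb.com/login.aspx",
  "https://www.nwolb.com/ServiceManagement/Timeout.aspx",
  "https://server.lon.liveperson.net/hc/48759847/",
  "https://natwest.com.example.test/", // constructed
  "https://notnatwest.com/",           // constructed
];

// Returns one { url, covered } record per URL.
function coverage(line, urls) {
  const { re } = compileException(line);
  return urls.map((url) => ({ url, covered: re.test(url) }));
}

// Distinct host names the exception does NOT apply to.
function uncoveredHosts(line, urls) {
  const misses = coverage(line, urls).filter((r) => !r.covered);
  return [...new Set(misses.map((r) => new URL(r.url).hostname))];
}

console.log(coverage(EXCEPTION, URLS));
console.log("not covered:", uncoveredHosts(EXCEPTION, URLS));
```

Running the same check against every line of an exceptions list before adding a new one shows how far each entry reaches, including whether it matches lookalike host names.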
Re: Long page open delays using NatWest Online Banking
The slowdown appears to be related to:
chat.nwolb.com
Placing that on the Untrusted list seems to work-around the issue.
(But if you needed "chat", suppose it wouldn't work.)
And this seems to be happening a lot, of late, & in particular with banks; bankofamerica, lloydstsb, & now here.
Why?
Is it something to do with 2.6.9.37 or just crap being loaded into "banks".
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:38.0) Gecko/20100101 SeaMonkey/2.35
Re: Long page open delays using NatWest Online Banking
bye
Last edited by barbaz on Fri Sep 25, 2015 7:39 pm, edited 1 time in total.
Reason: del
-
Re: Long page open delays using NatWest Online Banking
@therube well if you test an older NoScript version & the same is needed, it's a site update causing this issue; if downgrading seems to "fix" it then NoScript's XSS filter may need optimization in the scenario...
(IIRC the other situations were involving sites playing with window.name a lot...)
-
Re: Long page open delays using NatWest Online Banking
Code: Select all
[NoScript InjectionChecker] JavaScript Injection in qp=si=0&e=https%3A%2F%2Fwww.nwolb.com&LSESSIONID=jLd1oKUV4YEhcCaKLxss3zwDpvuSpn%2FbVEiwEXavFtPX08UvP8Fx4cWlZGw%3D&t=xpost&pd=d=JTVCJTdCJTIyaWQlMjIlM0ElMjI2JTIyJTJDJTIyZGF0YSUyMiUzQSU3QiUyMmNpZCUyMiUzQSUyMjYlMjIlMkMlMjJiJTIyJTNBMCUyQyUyMmQlMjIlM0ElMjIlMjU3QiUyNTIyZG9tLmElMjUyMiUyNTNBJTI1NUIlMjU1QjAlMjUyQyUyNTIyY3RsMDBfc2tpcExpbmtzX2N0bDAwX2JlZ2luTGluayUyNTIyJTI1NUQlMjUyQyUyNTVCMSUyNTJDJTI1MjJjdGwwMF9za2lwTGlua3NfY3RsMDBfTWVudUxpbmslMjUyMiUyNTVEJTI1MkMlMjU1QjIlMjUyQyUyNTIyY3RsMDBfc2tpcExpbmtzX2N0bDAwX0NvbnRlbnRMaW5rJTI1MjIlMjU1RCUyNTJDJTI1NUIzJTI1MkMlMjUyMmN0bDAwX2hlYWRlcl9jdGwwMF9IRFJOTElBbmNob3IlMjUyMiUyNTVEJTI1MkMlMjU1QjQlMjUyQyUyNTIyY3RsMDBfaGVhZGVyX2N0bDAwX0hEUk5MSkFuY2hvciUyNTIyJTI1NUQlMjUyQyUyNTVCNSUyNTJDJTI1MjJjdGwwMF9oZWFkZXJfY3RsMDBfSERSTkxLQW5jaG9yJTI1MjIlMjU1RCUyNTJDJTI1NUI2JTI1MkMlMjUyMmN0bDAwX2hlYWRlcl9jdGwwMF9IRFJOTEFBbmNob3IlMjUyMiUyNTVEJTI1MkMlMjU1QjclMjUyQyUyNTIyJTI1MjIlMjU1RCUyNTJDJTI1NUI4JTI1MkMlMjUyMmN0bDAwX2hlYWRlc
Code: Select all
[NoScript XSS]: sanitized window.name, "qp=si%3D0%26e%3Dhttps%253A%252F%252Fwww.nwolb.com%26LSESSIONID%3DjLd1oKUV4YEhcCaKLxss3zwDpvuSpn%252FbVEiwEXavFtPX08UvP8Fx4cWlZGw%253D%26t%3Dxpost&pd=d%
Code: Select all
[ABE] <LOCAL> Deny on {GET https://73.212.157.185:25363/NonExistentImage28288.gif <<< https://www.nwolb.com/login.aspx?refererident=D47A190E19E2DB82E82BE4FE8AF8B4B42AFEF87A&cookieid=207684&CookieCheck=2015-09-25T20:31:36 - 11}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
Code: Select all
[ABE] <LOCAL> Deny on {GET https://127.0.0.1:41029/NonExistentImage11490.gif <<< https://www.nwolb.com/login.aspx?refererident=D47A190E19E2DB82E82BE4FE8AF8B4B42AFEF87A&cookieid=207684&CookieCheck=2015-09-25T20:31:36 - 11}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
Code: Select all
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://73.212.157.185:60999/NonExistentImage28785.gif. (Reason: CORS request failed).
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:38.0) Gecko/20100101 SeaMonkey/2.35
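An added example (not from any poster, and not NoScript's code) that parses ABE decision lines of the shape shown in the post above and groups denied requests by the requesting site. The line layout is inferred from the two messages in this thread, and the sample lines are those messages with the origin query string omitted.

```javascript
// Added example: summarise ABE "Deny" console lines like those posted above.
// The line layout is inferred from the two messages in this thread (assumption);
// the trailing number is kept but not interpreted.
const ABE_LINE = /^\[ABE\] <([^>]+)> (\w+) on \{(\w+) (\S+) <<< (\S+) - (\d+)\}$/;

// Sample input: the thread's two messages with the origin query string omitted,
// plus one ordinary network line that must be ignored.
const SAMPLE = [
  "[ABE] <LOCAL> Deny on {GET https://73.212.157.185:25363/NonExistentImage28288.gif <<< https://www.nwolb.com/login.aspx - 11}",
  "[ABE] <LOCAL> Deny on {GET https://127.0.0.1:41029/NonExistentImage11490.gif <<< https://www.nwolb.com/login.aspx - 11}",
  "GET https://www.google-analytics.com/collect [HTTP/2.0 200 OK 33ms]",
];

// Coarse class of a destination host: loopback, RFC 1918 private, other IPv4 literal, or name.
function classifyHost(host) {
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(host);
  if (!m) return host === "localhost" ? "loopback" : "hostname";
  const [a, b] = [Number(m[1]), Number(m[2])];
  if (a === 127) return "loopback";
  if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return "private";
  return "ip-literal";
}

function parseAbeLine(line) {
  const m = ABE_LINE.exec(line.trim());
  if (!m) return null; // not an ABE decision line
  const dest = new URL(m[4]);
  const origin = new URL(m[5]);
  return {
    ruleset: m[1], action: m[2], method: m[3],
    destHost: dest.hostname, destPort: dest.port, destKind: classifyHost(dest.hostname),
    originHost: origin.hostname, code: Number(m[6]),
  };
}

// Group denied requests by requesting site, so one page requesting many
// host:port pairs shows up as a single entry.
function summarise(lines) {
  const byOrigin = new Map();
  for (const rec of lines.map(parseAbeLine).filter(Boolean)) {
    if (rec.action !== "Deny") continue;
    const targets = byOrigin.get(rec.originHost) || [];
    targets.push(`${rec.destKind}:${rec.destHost}:${rec.destPort}`);
    byOrigin.set(rec.originHost, targets);
  }
  return byOrigin;
}

console.log(summarise(SAMPLE));
```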
Re: Long page open delays using NatWest Online Banking
1) Look for a fp_ script, and try block it if possible. viewtopic.php?f=7&t=19388
2) This is like the third or fourth thread on this same type of XSS problem...
-
Re: Long page open delays using NatWest Online Banking
(Just picking a couple...)
2.6.9.36rc2 has the same hang.
2.6.9.27 works fine.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:38.0) Gecko/20100101 SeaMonkey/2.35
Re: Long page open delays using NatWest Online Banking
Move to NoScript Development and slightly edit the title?
-
Re: Long page open delays using NatWest Online Banking
Here's what I found in a search, I could have sworn there was another:
viewtopic.php?f=7&t=21205&p=78474#p78474
viewtopic.php?f=7&t=21192#p78346
-
Re: Long page open delays using NatWest Online Banking
@therube: does the older NS XSS filter get tripped like current NS?
-
Re: Long page open delays using NatWest Online Banking
I left XSS enabled, and with that:
2.6.9.36rc2 has the same hang.
2.6.9.27 works fine.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0 SeaMonkey/2.35