NoScript crashing FireFox on banking site

Bug reports and enhancement requests
jaydear
Posts: 15
Joined: Tue Oct 13, 2015 3:41 am

Re: NoScript crashing FireFox on banking site

Post by jaydear »

therube wrote:So maybe ? you'll be OK with blacklisting: -waf1x.anz.com ?
I'll try that later today and see if we can log in. Thanks for digging down into this problem.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
jaydear
Posts: 15
Joined: Tue Oct 13, 2015 3:41 am

Re: NoScript crashing FireFox on banking site

Post by jaydear »

therube wrote: -waf1x.anz.com is definitely instrumental in the hang.
When I go to anz.com.au (with XSS disabled) NoScript only lists:
-qualtrics.com
-liveperson.net
-demdex.net
+anz.com.au

When I go to the logon page (with XSS disabled) NoScript lists:
-demdex.com
-omtrdc.net
+anz.com
but no sign of:
waf1x.anz.com
mstcl3.anz.com
ctmdx.anz.com
cdn.tt.omtrdc.net
tt.omtrdc.net
australianewzealandb.tt.omtrdc.net
anz.demdex.net

I guess maybe you get a different set of sites because of your location? Anyway, I think for the meantime we'll stick to Opera for our banking and I'll see if I can get my head around RegEx stuff. I wish there was a user-friendly way to deal with this and I also wish the banks didn't make it so hard for ordinary people to protect themselves. Thanks for your help, I appreciate it a lot.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: NoScript crashing FireFox on banking site

Post by Thrawn »

I still can't reproduce the hang here. Temp-allowed anz.com and demdex.net, but marked omtrdc.net as untrusted. Loads without any trouble.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
barbaz
Senior Member
Posts: 11092
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript crashing FireFox on banking site

Post by barbaz »

jaydear wrote:I guess maybe you get a different set of sites because of
... a difference in settings in NoScript Options > Appearance... perhaps therube has "Full Domains" checked & you don't?
*Always* check the changelogs BEFORE updating that important software!
-
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: NoScript crashing FireFox on banking site

Post by therube »

perhaps therube has "Full Domains" checked
Yes, I did do that, so I could find, see, ###.anz.com, & then not allow (or blacklist) it.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:41.0) Gecko/20100101 SeaMonkey/2.38
jaydear
Posts: 15
Joined: Tue Oct 13, 2015 3:41 am

Re: NoScript crashing FireFox on banking site

Post by jaydear »

Thrawn wrote:I still can't reproduce the hang here. Temp-allowed anz.com and demdex.net, but marked omtrdc.net as untrusted. Loads without any trouble.
It'll load, but the hang occurs when you attempt to enter a Customer Registration Number, or in my case, simply place the cursor over that window.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
jaydear
Posts: 15
Joined: Tue Oct 13, 2015 3:41 am

Re: NoScript crashing FireFox on banking site

Post by jaydear »

therube wrote:
perhaps therube has "Full Domains" checked
Yes, I did do that, so I could find, see, ###.anz.com, & then not allow (or blacklist) it.
I've always just had Base 2nd level domains selected because I understood that it just shortened displayed addresses by leaving off the "http://www." or "www." bits. At least that's how it looks to me in the Options panel :? Anyway, I have persevered a bit further and found that if I wait for the hang to time out, it hangs again if I click in the logon window again, but after that hang times out an error window opens with a lot of indecipherable code snippets in it... http://postimg.org/image/j4ubrq149/
Last edited by jaydear on Wed Oct 14, 2015 8:43 pm, edited 1 time in total.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
barbaz
Senior Member
Posts: 11092
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript crashing FireFox on banking site

Post by barbaz »

jaydear wrote:I'd send a jpg, but I can't see how - It's here on my desktop,
Upload it to an image hosting site like postimg or imgur, and then post the link here.
*Always* check the changelogs BEFORE updating that important software!
-
jaydear
Posts: 15
Joined: Tue Oct 13, 2015 3:41 am

Re: NoScript crashing FireFox on banking site

Post by jaydear »

Done. Edited previous post.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
barbaz
Senior Member
Posts: 11092
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript crashing FireFox on banking site

Post by barbaz »

That error is one symptom of the XSS filter complaining about window.name tampering by bank sites, and actually was not out of place in the other thread (seems it's all part of the same problem)

Try latest development build. If that doesn't work:
1) try this XSS exception

^@https://waf1x\.anz\.com/
(allow https://waf1x.anz.com to XSS any site)
2) if that still doesn't work, try this instead

^@https://(?:[^/:]+\.)?anz\.com(?:\.au)?/
(allow *all* of anz.com & anz.com.au to XSS any site)
*Always* check the changelogs BEFORE updating that important software!
-
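
Added example (not part of barbaz's post and not NoScript's own code): a way to check how far each of the two exceptions above reaches before leaving one in place. It assumes, following the post's own descriptions, that the leading ^@ marks a rule matched against the source URL of a request; the sample URLs are built from hosts named in this thread plus three constructed lookalikes, and RULE_LOOSE is a constructed counter-example.

```javascript
// Assumption: "^@" prefix = match the rest, anchored, against the source URL.
function parseException(rule) {
  const sourceBased = rule.startsWith("^@");
  return { sourceBased, regex: new RegExp(sourceBased ? "^" + rule.slice(2) : rule) };
}

// The two rules from the post, plus a constructed sloppy variant for contrast.
const RULE_NARROW = String.raw`^@https://waf1x\.anz\.com/`;
const RULE_BROAD = String.raw`^@https://(?:[^/:]+\.)?anz\.com(?:\.au)?/`;
const RULE_LOOSE = String.raw`^@https://.*anz\.com`; // constructed, not from the thread

// Constructed source URLs: hosts named in the thread, then lookalikes.
const SOURCES = [
  "https://waf1x.anz.com/",
  "https://mstcl3.anz.com/",
  "https://ctmdx.anz.com/",
  "https://www.anz.com.au/",
  "https://anz.com/",
  "https://anz.demdex.net/",
  "https://tt.omtrdc.net/",
  "https://anz.com.example.net/", // lookalike: trusted name used as a prefix
  "https://notanz.com/",          // lookalike: trusted name used as a suffix
  "http://anz.com/",              // right host, but not HTTPS
];

// Source URLs the rule exempts from XSS filtering.
function coveredSources(rule, sources) {
  const { regex } = parseException(rule);
  return sources.filter((url) => regex.test(url));
}

// Covered sources whose host is NOT one of the intended domains or a subdomain.
function overreach(rule, sources, domains) {
  return coveredSources(rule, sources).filter((url) => {
    const host = new URL(url).hostname;
    return !domains.some((d) => host === d || host.endsWith("." + d));
  });
}

const INTENDED = ["anz.com", "anz.com.au"];
for (const rule of [RULE_NARROW, RULE_BROAD, RULE_LOOSE]) {
  console.log(rule);
  console.log("  covers:   ", coveredSources(rule, SOURCES).join(" "));
  console.log("  overreach:", overreach(rule, SOURCES, INTENDED).join(" ") || "(none)");
}
```

The host pattern `(?:[^/:]+\.)?` followed by a mandatory `/` after the domain is what keeps the second rule confined to anz.com and anz.com.au hosts over HTTPS.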
jaydear
Posts: 15
Joined: Tue Oct 13, 2015 3:41 am

Re: NoScript crashing FireFox on banking site

Post by jaydear »

Installed v2.6.9.39rc1 - no change
Added first RegEx - no change
Removed first RegEx and added second one - Success! :D

Many thanks, we can now log on without any hint of a hang!
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: NoScript crashing FireFox on banking site

Post by Thrawn »

jaydear wrote:
Thrawn wrote:I still can't reproduce the hang here. Temp-allowed anz.com and demdex.net, but marked omtrdc.net as untrusted. Loads without any trouble.
It'll load, but the hang occurs when you attempt to enter a Customer Registration Number, or in my case, simply place the cursor over that window.
Nope, no hang here.

Glad you got it fixed, though.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
barbaz
Senior Member
Posts: 11092
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript crashing FireFox on banking site

Post by barbaz »

yw, glad you got it working

While it's probably safe enough given the lack of console messages from the XSS filter in your case, note that that exception is just a work-around. The real fix is for the site to stop messing with window.name, instead use a safer means to pass data around (e.g. XMLHttpRequest/CORS over HTTPS - or, if same-origin will suffice, localStorage/sessionStorage, or perhaps IndexedDB).
*Always* check the changelogs BEFORE updating that important software!
-
jaydear
Posts: 15
Joined: Tue Oct 13, 2015 3:41 am

Re: NoScript crashing FireFox on banking site

Post by jaydear »

I'm assuming that ANZ is not alone in using this type of coding if the other NS users that have had similar problems are anything to judge by.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
barbaz
Senior Member
Posts: 11092
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript crashing FireFox on banking site

Post by barbaz »

yeah, it indeed seems like there's some one or two widely used scripts or script suites for banks & financial sites that's doing this unsafe behavior.
*Always* check the changelogs BEFORE updating that important software!
-