Capital One 360 Login Blocked
Capital One 360 Login Blocked
Firefox 44.0.2
NoScript 2.9.0.4
Sometime within the past week, Capital One 360 updated their website and changed its login functionality (https://secure.capitalone360.com/myacco ... g/login.vm).
After entering my username, clicking on the the "Continue" button does nothing.
In NoScript, "Temporarily allow all this page" does not help.
In NoScript, "Allow Scripts Globally" does not help.
I downgraded Firefox by two versions but that did not help.
I downgraded NoScript by one point release but that did not help.
Disabling NoScript completely is the only way that I have found to finally be able to login.
I do not know how to determine what Capital One did to their website to cause this problem with NoScript and I do not know what to do with NoScript to work around whatever Capital One did.
There has to be a way to keep NoScript active and be able to log into Capital One 360, as I was able to do before their website, Firefox, and NoScript were all upgraded.
Any suggestions?
NoScript 2.9.0.4
Sometime within the past week, Capital One 360 updated their website and changed its login functionality (https://secure.capitalone360.com/myacco ... g/login.vm).
After entering my username, clicking on the the "Continue" button does nothing.
In NoScript, "Temporarily allow all this page" does not help.
In NoScript, "Allow Scripts Globally" does not help.
I downgraded Firefox by two versions but that did not help.
I downgraded NoScript by one point release but that did not help.
Disabling NoScript completely is the only way that I have found to finally be able to login.
I do not know how to determine what Capital One did to their website to cause this problem with NoScript and I do not know what to do with NoScript to work around whatever Capital One did.
There has to be a way to keep NoScript active and be able to log into Capital One 360, as I was able to do before their website, Firefox, and NoScript were all upgraded.
Any suggestions?
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0
Re: Capital One 360 Login Blocked
Firefox 44.0.2
NoScript 2.7
Windows 8.1
Since I could not edit my post, I post this update as a reply.
Downgrading from NoScript 2.9.0.4 to NoScript 2.7 allows me to login to Capital One 360 without any problems and without changing any of my previous NoScript settings, just as I was able to do before.
Previous versions of NoScript can be found here: https://addons.mozilla.org/en-US/firefo ... /versions/
Downgrading NoScript may not be the best solution but I do not know of any other solution or how to provided needed information to fix the conflict.
NoScript 2.7
Windows 8.1
Since I could not edit my post, I post this update as a reply.
Downgrading from NoScript 2.9.0.4 to NoScript 2.7 allows me to login to Capital One 360 without any problems and without changing any of my previous NoScript settings, just as I was able to do before.
Previous versions of NoScript can be found here: https://addons.mozilla.org/en-US/firefo ... /versions/
Downgrading NoScript may not be the best solution but I do not know of any other solution or how to provided needed information to fix the conflict.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0
Re: Capital One 360 Login Blocked
Signin page, the Continue takes me to Password screen.
Password is accepted & reports, Invalid, which is fine because I have login for Cap1.
So from my end, FF 44.0.1 & NoScript 2.9.0.3 (I'm a bit dated on each it seems) looks like it should work correctly. (At least I'm getting expected responses.)
Password is accepted & reports, Invalid, which is fine because I have login for Cap1.
So from my end, FF 44.0.1 & NoScript 2.9.0.3 (I'm a bit dated on each it seems) looks like it should work correctly. (At least I'm getting expected responses.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:42.0) Gecko/20100101 SeaMonkey/2.39
Re: Capital One 360 Login Blocked
Read viewtopic.php?p=81248#p81248 before downgrading below NoScript 2.9.0.1rc2.billdfixer wrote:Downgrading from NoScript 2.9.0.4 to NoScript 2.7 allows me to login to Capital One 360 without any problems and without changing any of my previous NoScript settings, just as I was able to do before.
Previous versions of NoScript can be found here: https://addons.mozilla.org/en-US/firefo ... /versions/
Downgrading NoScript may not be the best solution but I do not know of any other solution or how to provided needed information to fix the conflict.
*Always* check the changelogs BEFORE updating that important software!
-
Re: Capital One 360 Login Blocked
Based on @therube reply, I upgraded NoScript from 2.7 to 2.9.0.2 and can now login using Firefox 44.0.2. I tried using 2.9.0.3 but the login problem happened again. Obviously, something changed after 2.9.0.2 that causes this login problem on this banking website.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0
Re: Capital One 360 Login Blocked
Yes, downgrading to NS 2.9.0.2 while on Firefox 44.0 is reasonable to do.
This really doesn't sound like that one XSS issue that plagues an oddly massive number of financial sites. That issue didn't "regress" with NS 2.9.0.3.
With NoScript latest development build, when this issue occurs, do you see anything related in the Browser Console? (Ctrl-Shift-J)
(if you don't know what's related, turn off CSS warnings and post everything else you see)
This really doesn't sound like that one XSS issue that plagues an oddly massive number of financial sites. That issue didn't "regress" with NS 2.9.0.3.
With NoScript latest development build, when this issue occurs, do you see anything related in the Browser Console? (Ctrl-Shift-J)
(if you don't know what's related, turn off CSS warnings and post everything else you see)
*Always* check the changelogs BEFORE updating that important software!
-
Re: Capital One 360 Login Blocked
With NoScript 2.9.0.4, this is what appears as the login page loads:barbaz wrote:Yes, downgrading to NS 2.9.0.2 while on Firefox 44.0 is reasonable to do.
This really doesn't sound like that one XSS issue that plagues an oddly massive number of financial sites. That issue didn't "regress" with NS 2.9.0.3.
With NoScript latest development build, when this issue occurs, do you see anything related in the Browser Console? (Ctrl-Shift-J)
(if you don't know what's related, turn off CSS warnings and post everything else you see)
Code: Select all
[NoScript HTTPS] AUTOMATIC SECURE on https://secure.capitalone360.com: JSESSIONID=B726EDD01511A050ECE081FE5D0C832C; domain=secure.capitalone360.com; path=/myaccount/; HttpOnly; Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://secure.capitalone360.com: DeviceDetails="{Device_Info=WEB, Site_Pref=NORMAL}"; domain=.capitalone360.com; path=/; Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://secure.capitalone360.com: isso_mig=no; domain=.capitalone360.com; path=/; Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://secure.capitalone360.com: BIGipServerpl_secure.capitalone360.com_80=1730193600.20480.0000; domain=secure.capitalone360.com; path=/; Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://secure.capitalone360.com: BIGipServerpl_WA_secure.capitalone360.com_80=2754062528.20480.0000; domain=secure.capitalone360.com; path=/; Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://secure.capitalone360.com: TLTSID=632D79A0F782B1EF5D5E87FF5FF88974; domain=.capitalone360.com; path=/; Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://secure.capitalone360.com: TLTUID=BB4DEB2E218745D1E397389D8377F18F; domain=.capitalone360.com; path=/; Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://home.capitalone360.com: BIGipServerpl_home.capitalone360.com_80=3070793738.20480.0000; domain=home.capitalone360.com; path=/; Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://home.capitalone360.com: BIGipServerpl_home.capitalone360.com_80=3070793738.20480.0000; domain=home.capitalone360.com; path=/; Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://home.capitalone360.com: BIGipServerpl_home.capitalone360.com_80=3070793738.20480.0000; domain=home.capitalone360.com; path=/; Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://home.capitalone360.com: BIGipServerpl_home.capitalone360.com_80=1107859466.20480.0000; domain=home.capitalone360.com; path=/; Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://home.capitalone360.com: BIGipServerpl_home.capitalone360.com_80=1107859466.20480.0000; domain=home.capitalone360.com; path=/; Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://home.capitalone360.com: BIGipServerpl_home.capitalone360.com_80=3070793738.20480.0000; domain=home.capitalone360.com; path=/; Secure
Code: Select all
Key event not available on some keyboard layouts: key="c" modifiers="accel,alt" browser.xul
Key event not available on some keyboard layouts: key="i" modifiers="accel,alt,shift" browser.xul
Key event not available on some keyboard layouts: key="m" modifiers="control,alt" browser.xul
Code: Select all
Use of getPreventDefault() is deprecated. Use defaultPrevented instead. jquery-1.8.3.min.js:2:40351
With NoScript 2.9.0.2 (which DOES allow me to login), this is what appears when I click on the username field (nothing is typed):
Code: Select all
Use of getPreventDefault() is deprecated. Use defaultPrevented instead. jquery-1.8.3.min.js:2:40351
Then, with NoScript 2.9.0.2, this is what appears when I type the first character of a username:
Code: Select all
Key event not available on some keyboard layouts: key="c" modifiers="accel,alt" browser.xul
Key event not available on some keyboard layouts: key="i" modifiers="accel,alt,shift" browser.xul
Key event not available on some keyboard layouts: key="m" modifiers="control,alt" browser.xul
Hopefully there is something here that will lead to a better solution than downgrading.
Last edited by barbaz on Sun Feb 21, 2016 5:18 pm, edited 1 time in total.
Reason: change console messages wrapped in list tags to code tags
Reason: change console messages wrapped in list tags to code tags
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0
Re: Capital One 360 Login Blocked
I find it really odd that Secure Cookies Management is pointed to as the culprit... and I assume that you clear cookies each time, otherwise those messages shouldn't happen (I think). Then again, the changelogs for 2.9.0.3 are incomplete...
Does clearing cookies and disabling Secure Cookies Management (NoScript Options > Advanced > HTTPS > Cookies) let latest development build work here?
Does clearing cookies and disabling Secure Cookies Management (NoScript Options > Advanced > HTTPS > Cookies) let latest development build work here?
*Always* check the changelogs BEFORE updating that important software!
-
Re: Capital One 360 Login Blocked
Yes, Firefox clears cookies on each close and I have been closing and restarting Firefox before each test so testing is clean.barbaz wrote:I find it really odd that Secure Cookies Management is pointed to as the culprit... and I assume that you clear cookies each time, otherwise those messages shouldn't happen (I think). Then again, the changelogs for 2.9.0.3 are incomplete...
Does clearing cookies and disabling Secure Cookies Management (NoScript Options > Advanced > HTTPS > Cookies) let latest development build work here?
Disabling Secure Cookies Management in NoScript 2.9.0.4 does not resolve the problem - i.e. I still cannot login (as with NoScript 2.9.0.2).
The Console output only shows this below (which is reversed of what appears when running NoScript 2.9.0.2 - which works):
This message appears when the username field is clicked on:
Code: Select all
Use of getPreventDefault() is deprecated. Use defaultPrevented instead. jquery-1.8.3.min.js:2:40351
Code: Select all
Key event not available on some keyboard layouts: key="c" modifiers="accel,alt" browser.xul
Key event not available on some keyboard layouts: key="i" modifiers="accel,alt,shift" browser.xul
Key event not available on some keyboard layouts: key="m" modifiers="control,alt" browser.xul
Downgrading to NoScript 2.9.0.2 or completely disabling NoScript 2.9.0.4 are the only work-arounds that I have found so far.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0
Re: Capital One 360 Login Blocked
Ok looks like it's 'whac-a-mole' time. As a test, please disable the following NoScript features, one at a time / only one at once, in this order, until the site works:
1) XSS: NoScript Options > Advanced > XSS, un-check everything
2) ABE: NoScript Options > Advanced > ABE > un-check "Enable ABE"
-> 2a) if that works, try re-enabling ABE and setting about:config > noscript.doNotTrack.enabled to false
3) ClearClick: NoScript Options > Advanced > ClearClick, un-check everything
4) Inclusion type checking: about:config > set noscript.inclusionTypeChecking to false
5) The other XSS filter: about:config > set noscript.xss.checkInclusions to false
6) surrogates: about:config > noscript.surrogate.enabled to false
1) XSS: NoScript Options > Advanced > XSS, un-check everything
2) ABE: NoScript Options > Advanced > ABE > un-check "Enable ABE"
-> 2a) if that works, try re-enabling ABE and setting about:config > noscript.doNotTrack.enabled to false
3) ClearClick: NoScript Options > Advanced > ClearClick, un-check everything
4) Inclusion type checking: about:config > set noscript.inclusionTypeChecking to false
5) The other XSS filter: about:config > set noscript.xss.checkInclusions to false
6) surrogates: about:config > noscript.surrogate.enabled to false
*Always* check the changelogs BEFORE updating that important software!
-
Re: Capital One 360 Login Blocked
Here are my results of the 'whac-a-mole' tests:barbaz wrote:Ok looks like it's 'whac-a-mole' time. As a test, please disable the following NoScript features, one at a time / only one at once, in this order, until the site works:
6) surrogates: about:config > noscript.surrogate.enabled to false
Firefox 44.0.2
NoScript 2.9.0.4
Windows 8.1
I went down the list one-by-one, as instructed. I cleared cookies and cache before performing each test.
What finally worked was changing item 6 to 'false', as instructed.
After that worked, I reset all of the other options back to their original/default settings - I was still able to login to this banking site.
I must say, I do not know enough about NoScript to know if setting surrogates to 'false' will effect other websites or reduce web security in any way. I also do not know how to implement surrogates so this option can be reset to the default of 'true.'
As a side note, I had another computer with Firefox 40.0.2, which I upgraded to NoScript 2.9.0.4 and I also could not login to this banking website - had to downgrade NoScript to 2.9.0.2 to allow login.
I do not know what all of this may mean but I hope that it helps those who do so that I can reset surrogates to 'true' and still be able to login to this banking website.
Thank you for your guidance with this, @barbaz.
Mozilla/5.0 (Windows NT 5.1; rv:44.0) Gecko/20100101 Firefox/44.0
Re: Capital One 360 Login Blocked
Surrogates are designed to make pages work with fewer scripts Allowed, so you'll find browsing without surrogates you need to Allow more sites' scripts than otherwise.
Please try re-enabling surrogates, then changing about:config > noscript.surrogate.ga.replacement to
Does that let it work?
Please try re-enabling surrogates, then changing about:config > noscript.surrogate.ga.replacement to
Code: Select all
(function(){var _0=$S(function()_0),_u=function(){};_0.__noSuchMethod__=_0;('ga'in window)||(ga=_u);window.urchinTracker=window._u||_u;window._gaq=$S({__noSuchMethod__:_0,push:function(f){if(typeof f=='function')f();else if(f&&f.shift&&f[0]in this)this[f.shift()].apply(this,f)},_set:function(a,b){if(typeof b=='function')b()},_link:function(h){if(h)location.href=h},_linkByPost:function(f){if(f&&f.submit)f.submit();return true},_getLinkerUrl:function(u){return u},_trackEvent:_0});window._gat=$S({__noSuchMethod__:function(){return _gaq}})})()
*Always* check the changelogs BEFORE updating that important software!
-
Re: Capital One 360 Login Blocked
Yes, that works - tested on both Windows 8.1 and Windows 7 both with Firefox 44.0.2 and NoScript 2.9.0.4.barbaz wrote:Surrogates are designed to make pages work with fewer scripts Allowed, so you'll find browsing without surrogates you need to Allow more sites' scripts than otherwise.
Please try re-enabling surrogates, then changing about:config > noscript.surrogate.ga.replacement toDoes that let it work?Code: Select all
(function(){var _0=$S(function()_0),_u=function(){};_0.__noSuchMethod__=_0;('ga'in window)||(ga=_u);window.urchinTracker=window._u||_u;window._gaq=$S({__noSuchMethod__:_0,push:function(f){if(typeof f=='function')f();else if(f&&f.shift&&f[0]in this)this[f.shift()].apply(this,f)},_set:function(a,b){if(typeof b=='function')b()},_link:function(h){if(h)location.href=h},_linkByPost:function(f){if(f&&f.submit)f.submit();return true},_getLinkerUrl:function(u){return u},_trackEvent:_0});window._gat=$S({__noSuchMethod__:function(){return _gaq}})})()
If this is a fix, this thread can be marked as solved. If it is just a temporary work-around...?
Thanks, again, for your assistance, @barbaz
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0
Re: Capital One 360 Login Blocked
Fix is to include that in NS by default. I've informed Giorgio.
*Always* check the changelogs BEFORE updating that important software!
-
[RESOLVED] Capital One 360 Login Blocked
barbaz wrote:Fix is to include that in NS by default. I've informed Giorgio.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0