XXS related RequestWatchdog.js hang
-
- Posts: 5
- Joined: Wed Jul 22, 2009 9:32 pm
XXS related RequestWatchdog.js hang
Hi, with firefox 3.5.1, Mac OS X, NoScript v 1.9.6.92
I'm visiting a specific web page, a websvn repository page (https, authenticated with certificate), if XSS sanitisation is on, I
can't load the page, and instead I get a firefox dialog asking if I would like to kill a running script or not, namely
Script: chrome://noscript/content/RequestWatchdog.js:1111
Is this expected behaviour?
Adding my page to the XSS whitelist is a solution for me.
The page is driven by websvn 2.2.0, http://www.websvn.info/
thanks for a great plugin!
cheers /j
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-GB; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: XXS related RequestWatchdog.js hang
Is it a GET or a POST request?
Can I see the URL (don't care if it's password protected, I don't need to actually access it)?
And BTW, does the request fail or is the page loaded after you stop the script (I'd prefer the former from a safety standpoint, otherwise you could be XSSed as a second stage of a DOS attack on the XSS filter).
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
-
- Posts: 5
- Joined: Wed Jul 22, 2009 9:32 pm
Re: XXS related RequestWatchdog.js hang
Hi, well I don't know what type of request it is.
I'm accessing the page by
https://svnweb.cern.ch/cern/wsvn/atlastdaq
but I doubt this will tell you much... No, the page does not work when not in the XSS whitelist.
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-GB; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: XXS related RequestWatchdog.js hang
Does the error console show anything XSS-related after this happens?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
-
- Posts: 5
- Joined: Wed Jul 22, 2009 9:32 pm
Re: XXS related RequestWatchdog.js hang
yes it does...
[NoScript XSS] xss.reason.Error: XSS checks couldn't complete: DOS attempt? --- Error("XSS checks couldn't complete: DOS attempt?")@:0
()@chrome://noscript/content/RequestWatchdog.js:59
()@chrome://noscript/content/Thread.js:100
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-GB; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
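Added example, not part of the thread and not NoScript's code: a sketch of the point raised above about what should happen to a request when the XSS check cannot finish. The function names, the work budget standing in for a time limit, and the sample URLs are all assumptions made for illustration.

```javascript
// Added illustration, not NoScript source. All names are hypothetical.
class CheckIncomplete extends Error {}

const SUSPICIOUS = [/<script\b/i, /\bon\w+\s*=/i, /javascript:/i];

// Scan the URL, then each further layer of percent-decoding, charging one
// unit of work per character scanned. The work budget stands in for the
// wall-clock limit a real filter would enforce.
function checkRequest(url, budget) {
  let spent = 0;
  let text = url;
  for (;;) {
    spent += text.length;
    if (spent > budget) {
      throw new CheckIncomplete("XSS checks couldn't complete");
    }
    if (SUSPICIOUS.some((re) => re.test(text))) return "suspicious";
    let decoded;
    try {
      decoded = decodeURIComponent(text);
    } catch {
      decoded = text; // malformed escape: this sketch stops decoding here
    }
    if (decoded === text) return "clean";
    text = decoded;
  }
}

// Policy layer: what happens to the request when the check cannot finish.
function decide(url, { budget = 2000, failOpen = false } = {}) {
  try {
    return checkRequest(url, budget) === "clean" ? "load" : "block";
  } catch (e) {
    if (!(e instanceof CheckIncomplete)) throw e;
    return failOpen ? "load" : "block"; // fail-open lets unchecked input through
  }
}

// Constructed sample inputs (example.test is a placeholder host).
const benign = "https://example.test/wsvn/repo?path=/trunk";
const encoded = "https://example.test/?q=%3Cscript%3Ealert(1)%3C/script%3E";
const oversized = "https://example.test/?pad=" + "a".repeat(3000) + "&q=%3Cscript%3E";

console.log(decide(benign), decide(encoded), decide(oversized),
            decide(oversized, { failOpen: true }));
```

With the fail-closed default the request whose check ran out of budget is blocked, which matches the behaviour reported in this thread (the page does not load); the `failOpen` variant shows the unsafe alternative where the unchecked request is loaded.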
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: XXS related RequestWatchdog.js hang
Thanks.
Could you repeat after installing latest development build 1.9.6.94? It should be more verbose about the HTTP request causing this.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
-
- Posts: 5
- Joined: Wed Jul 22, 2009 9:32 pm
Re: XXS related RequestWatchdog.js hang
I did. Replied in private.
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-GB; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
Re: XXS related RequestWatchdog.js hang
I am getting this error also
"A script on this page may be busy, or it may have stopped responding. You can stop the script now, or you can continue to see if the script will complete.
Script: chrome://noscript/content/RequestWatchdog.js:1049"
It looks like it is on the auto refresh of http://www.google.com/ig?hl=en&source=iglk&refresh=1
I have just started getting this error in the last 3-4 days. I was on current noscript version then found this thread and went to the build linked here 1.9.6.94.
Still getting error and error window has same info.
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090803 Ubuntu/9.04 (jaunty) Shiretoko/3.5.2
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: XXS related RequestWatchdog.js hang
@Bohemian:
Does the problem persist with 1.9.8?
If so, could you tell me which gadgets have you got exactly?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Re: XXS related RequestWatchdog.js hang
Looks like 1.9.8 fixed it, no more errors. 1.9.7.9 has the error and I believe the weather radar gadget is causing it.
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090803 Ubuntu/9.04 (jaunty) Shiretoko/3.5.2
Re: XXS related RequestWatchdog.js hang
Guess I spoke too soon, it is back again. No other info than the error box. Is there a log somewhere?
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090803 Ubuntu/9.04 (jaunty) Shiretoko/3.5.2
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: XXS related RequestWatchdog.js hang
Nothing in Tools|Error Console?
And is the line number in the error box changed?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Re: XXS related RequestWatchdog.js hang
It takes a few hours now before it will error but here is the error box
A script on this page may be busy, or it may have stopped responding. You can stop the script now, or you can continue to see if the script will complete.
Script: chrome://noscript/content/RequestWatchdog.js:1057
and here is the current error console message.
Error: [Exception... "update.locale file doesn't exist in either the XCurProcD or GreD directories" nsresult: "0x80520012 (NS_ERROR_FILE_NOT_FOUND)" location: "JS frame :: file:///usr/lib/xulrunner-1.9.1.2/components/nsUpdateService.js :: getLocale :: line 549" data: no]
Source File: file:///usr/lib/xulrunner-1.9.1.2/components/nsUpdateService.js
Line: 549
Error: [Exception... "update.locale file doesn't exist in either the XCurProcD or GreD directories" nsresult: "0x80520012 (NS_ERROR_FILE_NOT_FOUND)" location: "JS frame :: file:///usr/lib/xulrunner-1.9.1.2/components/nsUpdateService.js :: getLocale :: line 549" data: no]
Source File: file:///usr/lib/xulrunner-1.9.1.2/components/nsUpdateService.js
Line: 549
Error: Permission denied for <http://talkgadget.google.com> to call method Location.toString on <http://www.google.com>.
Error: no element found
Source File: http://www.google.com/calendar/perf
Line: 1
Error: [Exception... "update.locale file doesn't exist in either the XCurProcD or GreD directories" nsresult: "0x80520012 (NS_ERROR_FILE_NOT_FOUND)" location: "JS frame :: file:///usr/lib/xulrunner-1.9.1.2/components/nsUpdateService.js :: getLocale :: line 549" data: no]
Source File: file:///usr/lib/xulrunner-1.9.1.2/components/nsUpdateService.js
Line: 549
I see a lot of 1.9.1.2 but in the addons it says I am using 1.9.8
Edited to take out the format warnings and just left errors
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090803 Ubuntu/9.04 (jaunty) Shiretoko/3.5.2
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: XXS related RequestWatchdog.js hang
1.9.1.2 is the version of XULRunner, the foundation of Firefox.
None of those messages (except the RequestWatchdog one) is from NoScript.
Can you see any [NoScript XSS] line filtering by "Messages" (not "Errors")?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Re: XXS related RequestWatchdog.js hang
In error console if I select message button instead of all it shows an empty screen.
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090803 Ubuntu/9.04 (jaunty) Shiretoko/3.5.2