Noscript blocking Dashlane extension Firefox 50

Ask for help about NoScript, no registration needed to post
idf
Posts: 16
Joined: Tue Feb 05, 2013 9:48 am

Re: Noscript blocking Dashlane extension Firefox 50

Post by idf »

Pardon my intrusion - turns out I'm registered here. Posting this so I'll get notified when thread is updated. Thanks.
Mozilla/5.0 (Windows NT 6.1; rv:50.0) Gecko/20100101 Firefox/50.0
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: Noscript blocking Dashlane extension Firefox 50

Post by barbaz »

idf wrote:Pardon my intrusion - turns out I'm registered here.
Fixed above :)

Your other questions can only be answered by Giorgio.
*Always* check the changelogs BEFORE updating that important software!
-
pegasus41

Re: Noscript blocking Dashlane extension Firefox 50

Post by pegasus41 »

Another dashlane user with the same problem - started exactly when noscript updated yesterday to 2.9.5.1 (was on ff 49 and now am on ff50 with same result).

tried the patch referenced on page one and it works BUT i don't understand what ABE protection i am giving up with the patch.
for the record, here is my SYSTEM rule box:

"Site 127.0.0.1 localhost
Accept GET from about:blank 127.0.0.1 localhost
# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny"

any help appreciated...
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.59 Safari/537.36
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: Noscript blocking Dashlane extension Firefox 50

Post by barbaz »

pegasus41 wrote: i don't understand what ABE protection i am giving up with the patch.
Actually I'm not sure either :?

A site with scripts enabled might be able to do something with that loophole. Maybe.
It depends on how ABE would see such requests.

However, that sort of shenanigans is unlikely IMO. So if you haven't got Scripts Globally Allowed or the like, I'd say you're probably still safe enough.
*Always* check the changelogs BEFORE updating that important software!
-
User avatar
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Noscript blocking Dashlane extension Firefox 50

Post by Thrawn »

In a nutshell: because of the behavior of the extension, 'about:blank' (ie the canonical blank page) is trying to access localhost. ABE already permits local sites to access localhost, but about:blank isn't considered to be local.

Theoretically, though, I think it's possible for a page with scripts enabled to create a new blank page and write scripts into it. So I don't think that about:blank should be automatically whitelisted for talking to the LAN. It's unfortunate that Dashlane is working this way. Being an extension and therefore privileged, Dashlane should be able to use other, non-ABE-controlled methods of talking to localhost.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: Noscript blocking Dashlane extension Firefox 50

Post by barbaz »

Hmm, maybe I have the wrong impression here? Dashlane may be operating in a less-than-ideal way, but that doesn't make it Dashlane's fault that NoScript changed behavior...if that's what happened here. Every reporter seems to have got many updates in close succession, so let's really check this for sure.

Can someone who is affected please try -
1) Remove any work-arounds you've added for this issue
2) Downgrade NoScript to 2.9.0.14
Old NoScript @
https://addons.mozilla.org/addon/noscript/versions
*or*
https://noscript.net/feed?c=100&t=a

3) Try Dashlane again. Does it work?
4) Check the Browser Console (Ctrl-Shift-J) for any ABE-related messages

Please let us know the results, thanks.
*Always* check the changelogs BEFORE updating that important software!
-
idf
Posts: 16
Joined: Tue Feb 05, 2013 9:48 am

Re: Noscript blocking Dashlane extension Firefox 50

Post by idf »

I don't think all that testing is necessary based on the timeline I posted previously, but I did it anyway.

I just downgraded NoScript to 2.9.0.14 on FF 50 for Windows, and removed the new ABE rule. Dashlane works perfectly. The only ABE notice in the console is

Code: Select all

[ABE WAN] Detected WAN IP <my public IP address>
which does not seem to be of any significance.

I then updated NoScript back to 2.9.5.1. Dashlane no longer works. All the ABE Deny errors are in the console again:

Code: Select all

[ABE] < LOCAL> Deny on {GET http://127.0.0.1:17896/ <<< about:blank - 1}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
If it's true that about:blank is not local, then my guess is there was a bug or oversight in NoScript that treated it as if it is, and that hole was sealed in 2.9.5. But this exposed the problem with Dashlane - and perhaps there are other extensions that do something similar?
Mozilla/5.0 (Windows NT 6.1; rv:50.0) Gecko/20100101 Firefox/50.0
im3or
Posts: 4
Joined: Wed Nov 23, 2016 7:14 pm

Re: Noscript blocking Dashlane extension Firefox 50

Post by im3or »

idf wrote:If it's true that about:blank is not local, then my guess is there was a bug or oversight in NoScript that treated it as if it is, and that hole was sealed in 2.9.5. But this exposed the problem with Dashlane - and perhaps there are other extensions that do something similar?
Yes, there are. Sticky password is one of them.

I am using this ruleset to get around ABE blocking sticky password extension:

Code: Select all

Site localhost:45872
Accept GET from about:blank localhost:45872
# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: Noscript blocking Dashlane extension Firefox 50

Post by barbaz »

Thanks!
idf wrote:If it's true that about:blank is not local, then my guess is there was a bug or oversight in NoScript that treated it as if it is, and that hole was sealed in 2.9.5.
moz-nullprincipal: URIs are not part of LOCAL either, yet something changed in NoScript 2.9.5 that they too are being blocked by ABE - viewtopic.php?f=10&t=22314

There have been a number of issues like this with NoScript 2.9.5. That's why I'm thinking the new NoScript behavior is the bug.
*Always* check the changelogs BEFORE updating that important software!
-
Guest

Re: Noscript blocking Dashlane extension Firefox 50

Post by Guest »

im3or wrote:
Yes, there are. Sticky password is one of them.

I am using this ruleset to get around ABE blocking sticky password extension:

Code: Select all

Site localhost:45872
Accept GET from about:blank localhost:45872
# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny
Is "45872" specific to sticky password extension? if so, how did you know to use it?
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.59 Safari/537.36
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: Noscript blocking Dashlane extension Firefox 50

Post by barbaz »

Guest wrote:Is "45872" specific to sticky password extension? if so, how did you know to use it?
Guest, you're looking for the Browser Console (Ctrl-Shift-J) - https://noscript.net/abe/users.html

This is off-topic in this thread, so please start a new thread if you have further questions about making ABE exceptions.
*Always* check the changelogs BEFORE updating that important software!
-
muhdashlane
Posts: 1
Joined: Sat Nov 26, 2016 7:02 pm

Dashlane Broken With Update

Post by muhdashlane »

Me and a friend's Dashlane Firefox addon broke a few days ago or so and after testing all of my addons I found disabling Noscript to be the solution. Reinstalling, resetting, or disabling features individually (including parts like ABE, allowing all scripts, etc.) did not seem to fix it. Disabling my other addons had no effect.

Edit: Can confirm that copy pasting:

Site 127.0.0.1 localhost
Accept GET from about:blank 127.0.0.1 localhost

above Abe's system ruleset appears to fix the problem. Thank you!
Last edited by muhdashlane on Sat Nov 26, 2016 8:11 pm, edited 2 times in total.
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: Dashlane Broken With Update

Post by barbaz »

@muhdashlane Merged your post with the existing thread on the problem.
*Always* check the changelogs BEFORE updating that important software!
-
pegasus41

Re: Noscript blocking Dashlane extension Firefox 50

Post by pegasus41 »

Guest wrote:
im3or wrote:
Yes, there are. Sticky password is one of them.

I am using this ruleset to get around ABE blocking sticky password extension:

Code: Select all

Site localhost:45872
Accept GET from about:blank localhost:45872
# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny
Is "45872" specific to sticky password extension? if so, how did you know to use it?
actually i think this may be pertinent to the dashlane issue; what is "45872"?
Inquiring dashlane users may need an equivalent instead of the global allow all 127.0.0.1

Mine is working for now with the global rule quoted in this thread but i am not comfortable not knowing what i am missing.
Dashlane tech support suggested disabling ABE entirely but that is the lazy-man way...
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.59 Safari/537.36
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: Noscript blocking Dashlane extension Firefox 50

Post by barbaz »

pegasus41 wrote:actually i think this may be pertinent to the dashlane issue; what is "45872"?
Inquiring dashlane users may need an equivalent instead of the global allow all 127.0.0.1
No such equivalent AFAIK. Based on the console messages posted earlier, Dashlane appears to use random ports with no obvious pattern.
*Always* check the changelogs BEFORE updating that important software!
-
Post Reply