[RESOLVED] Very odd QUESTION for NoScript experts

lakrsrool
Senior Member
Posts: 195
Joined: Wed Nov 12, 2014 4:20 pm

Post by lakrsrool »

I've got a very odd question for NoScript experts to answer.

I was making changes and noticed the lone caret I had in the XSS exceptions list in NoScript and thinking that I had mistakenly left it there I removed it a couple of days ago. Since then my Citibank website returned to the error it was having before I had added some XSS exceptions to "fix" the problem (specifically the last two XSS exceptions you see in the first screen-shot).

Wondering why this error returned and if for some inexplicable reason this lone caret on its own line had anything to do with the return of the Citibank error I added the lone caret on its own line back into the NoScript XSS exception list and to my total surprise this one lone caret on its own separate line inexplicably solved the Citibank problem once again.

Here is what I'm talking about, below every time I would either load or navigate the Citibank website I was getting a page hang (temporary webpage lock) and then would get the following prompt every time:
Image
So I added the last two Exception lines you see in the second screen-shot below to solve this, little did I know for whatever reason that lone caret on the third line was required as well to make it all work (screen-shot below).

So then the bottom line is; what I found was I had to have the caret you see in the screen-shot below all alone on its own line. I removed it, I guess forgetting that I had apparently previously discovered this required oddity. (I have to say however that I really do wonder actually how in the world I ever discovered this oddity in the first place actually):
Image
I can test this over and over again. Remove the caret pointed out above and the website will hang and display the first screen-shot every time I navigate the site. Add the caret back on that one single line by itself and I can load and navigate the website as much as I want without any of the problem described here if I remove it.

So my question is WHY?

Why to avoid this problem, do I HAVE TO HAVE this caret all by itself on the line below the Citibank XSS exception to get the website to work?.....that being the actual XSS exception that is directly related to the problem as you can see by looking in the first screen-shot prompt that includes the actual XSS exception "https://steps.citi.com". But with that it is also the "^" below that is required to be there to make it all work and avoid the Citibank problems (hang and prompt you see in the first screen-shot).

Btw, for those interested, if I try to make this change to the post:

So my question is [size=150]WHY[/size]?
then I trigger the idiotic SPAM filter on this board and the message is cleared and I get this: Ooops, something in your posting triggered my antispam filter...
Please use the "Back" button to modify your content and retry.

Also as we've found out, setting too many color tags will do it as well for some inexplicable reason. I can't understand why this InformAction forums board can't get their act together on this SPAM filter ridiculousness. :roll: I would have quit the board where I'm a global moderator if I had to put up with this garbage (and that is along with also the inability to post screen-shots directly). (thumbs-down-icon)

Fortunately to counter this ridiculousness, in general the moderators are thankfully very helpful on this site (so it's not all bad ;))
Last edited by barbaz on Mon May 02, 2016 12:42 pm, edited 1 time in total.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.9) Gecko/20100101 Goanna/2.0 Firefox/38.9 PaleMoon/26.2.1
barbaz
Senior Member
Posts: 11141
Joined: Sat Aug 03, 2013 5:45 pm

Re: Very odd QUESTION for NoScript experts

Post by barbaz »

That caret may be effectively disabling the XSS filter altogether? It is a regular expression saying to match the start of a string.

Probably re-check the Browser Console (Ctrl-Shift-J) with that removed and re-write the XSS exceptions based on the messages.
(Provided you're using Pale Moon, given that it does have its own XSS filter some XSS exceptions can be destination of request if we really can't figure out origin of request exception.)
*Always* check the changelogs BEFORE updating that important software!
-
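The check barbaz describes, as an added example that is not from any poster or from NoScript's code: it flags exception lines, such as a lone `^`, that match URLs on unrelated hosts. It assumes each line is applied as an unanchored JavaScript regular expression and that a leading `^@` or `@` marks an origin-of-request exception; the function names, probe URLs and sample list are constructed for illustration.

```javascript
// Added example: audit a NoScript-style XSS exception list for lines that
// match URLs they were never meant to cover.
// Assumption: each non-empty line is used as an unanchored JavaScript RegExp.
// Assumption: a leading "^@" or "@" marks an origin-of-request exception; the
// marker is stripped here so the rest can be tested as a URL pattern.

// Constructed probe URLs on unrelated hosts (reserved example domains).
const PROBES = [
  "https://unrelated.example/",
  "http://other.test/page?q=1",
  "https://sub.site.invalid/a/b",
];

function compileException(line) {
  const m = /^(\^?)@(.*)$/.exec(line);
  return new RegExp(m ? m[1] + m[2] : line);
}

function auditExceptions(text) {
  const findings = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "") continue; // blank lines carry no pattern
    let re;
    try {
      re = compileException(line);
    } catch (e) {
      findings.push({ line, verdict: "invalid" });
      continue;
    }
    const hits = PROBES.filter((u) => re.test(u)).length;
    const verdict = hits === PROBES.length ? "matches-everything"
      : hits > 0 ? "too-broad" : "scoped";
    findings.push({ line, verdict });
  }
  return findings;
}

// Constructed list modelled on the exceptions discussed in this thread.
const SAMPLE = [
  "^https://steps\\.citi\\.com/",
  "^", // the lone caret: matches the start of every string
  "^@https://online\\.citi\\.com/US/JPS/portal/Index\\.do",
  "",
  "(", // not a valid regular expression
].join("\n");

console.log(auditExceptions(SAMPLE));
```

Any line reported as `matches-everything` exempts every request from the filter, which is why removing the caret brought the original prompt back.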
lakrsrool
Senior Member
Posts: 195
Joined: Wed Nov 12, 2014 4:20 pm

Re: Very odd QUESTION for NoScript experts

Post by lakrsrool »

Thanks barbaz for the heads up regarding what a "lonely" caret the way I had it will end up doing.

So by doing the following I've resolved the problem since as of now the website works okay without all the hanging and the strange code prompt I was getting no longer pops-up. Of course all I get from Citibank is that they only support Firefox 43+ (for some odd reason, anything older than that they don't support for FF because of something about any versions as of 42 for whatever reason there was a compatibility issue which seems strange to me). Of course Chrome, no problem (which I don't like using but do so for "testing" purposes now and then. It was a real pain finally getting Chrome to stop updating all the time every day taking up cpu memory doing it). Pale Moon doesn't even have an automatic update (if I'm not mistaken), you will get alerts but the philosophy of Pale Moon is that users should know everything that's going on and decide for themselves what version they want to use which I like. On that note I had set Firefox to not update beyond 42, but FF ignored my setting and updated anyway at some point and I notice that FF continues to ignore my internal FF setting to not do updates (as I really didn't want to go past 43 because of the way they handle add-ons at that point) so they're not much better than Chrome except at least I don't notice FF taking up a whole lot of my memory every day like Chrome was before I finally figured a way to stop the Chrome updates. As to FF and their approach to add-ons, at least they provide a preference setting to override their approach so I can keep the add-ons they deem unworthy (unsafe in their collective minds which is ridiculous because all one of them does is launch my default email client so no risk with that of course, it's just their way of maintaining control) which is another thing Pale Moon promises to NEVER do (and I have to say Pale Moon is far quicker than either FF or Chrome as far as performance which is what most people tend to pay attention to as opposed to all this other stuff)

Well anyway, I digress, back to the topic, let's see where was I, oh yea I had said I have resolved the problem and the site works now which was accomplished by the following:

What I did was replace the first XSS exception with the second XSS exception (referencing previous screen-shot):
^@https://online\.citi\.com/US/JPS/portal/Index\.do
^@https://online\.citi\.com/*

I don't know why I made the XSS exception specific like I did in the first place. :roll:

Of course as always based on prior recommendations I've got the following in ABE:
Site .online.citi.com
Accept from .citi.com
Deny

Which I do for every XSS exception I've added to NoScript which comprises now of FIVE BANKS!!! (apparently banks can be problematic)

Site .roll.bankofamerica.com
Accept from .bankofamerica.com
Deny

Site .sso.unionbank.com
Accept from .unionbank.com .excite.com
Deny

Site firstnational.com
Accept from .firstnational.com
Deny

Site .online.citi.com
Accept from .citi.com
Deny

Site .steps.citi.com
Accept from .citi.com
Deny

Site .bankingsso.unionbank.com
Accept from unionbank.com
Deny

Again, many thanks barbaz. (thumbs-up-emoticon)
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.9) Gecko/20100101 Goanna/2.0 Firefox/38.9 PaleMoon/26.2.1
barbaz
Senior Member
Posts: 11141
Joined: Sat Aug 03, 2013 5:45 pm

Re: Very odd QUESTION for NoScript experts

Post by barbaz »

You're welcome
*Always* check the changelogs BEFORE updating that important software!
-
Marty

Re: [RESOLVED] Very odd QUESTION for NoScript experts

Post by Marty »

Thank you for these fixes for banks. Citibank was hanging up Firefox for about 5 minutes on the home page after logging on. I cut & pasted your solution and it's back and working properly.

Thanks!!!
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: [RESOLVED] Very odd QUESTION for NoScript experts

Post by Thrawn »

Glad it helped you.

By the way, you could probably shorten the ABE rules quite a bit, eg:

Site .roll.bankofamerica.com .online.citi.com .steps.citi.com .firstnational.com .bankingsso.unionbank.com
Accept from SELF++
Deny

Site .sso.unionbank.com
Accept from .unionbank.com .excite.com
Deny
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0