[Fixed] Guardian page causes 100% CPU Usage, UI Lockup

Bug reports and enhancement requests
Post Reply
KonomiKitten
Posts: 11
Joined: Mon Mar 19, 2018 6:30 am

[Fixed] Guardian page causes 100% CPU Usage, UI Lockup

Post by KonomiKitten »

The following results in Firefox UI becoming unresponsive and 100% CPU usage for said tab, disabling NoScript makes Firefox behave as expected.

Page:

Code: Select all

https://www.theguardian.com/public-leaders-network/2014/nov/06/ten-public-transport-myths-busted
Firefox Version:

Code: Select all

60.0.2
Firefox Agent:

Code: Select all

Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
NoScript Version:

Code: Select all

10.1.8.2
NoScript Config:

Code: Select all

{
  "policy": {
    "DEFAULT": {
      "capabilities": [
        "frame",
        "fetch",
        "other",
        "script",
        "media",
        "font"
      ],
      "temp": false
    },
    "TRUSTED": {
      "capabilities": [
        "script",
        "object",
        "media",
        "frame",
        "font",
        "webgl",
        "fetch",
        "other"
      ],
      "temp": false
    },
    "UNTRUSTED": {
      "capabilities": [],
      "temp": false
    },
    "sites": {
      "trusted": [
        "§:addons.mozilla.org",
        "§:afx.ms",
        "§:ajax.aspnetcdn.com",
        "§:ajax.googleapis.com",
        "§:bootstrapcdn.com",
        "§:code.jquery.com",
        "§:firstdata.com",
        "§:firstdata.lv",
        "§:gfx.ms",
        "§:google.com",
        "§:googlevideo.com",
        "§:gstatic.com",
        "§:hotmail.com",
        "§:live.com",
        "§:live.net",
        "§:maps.googleapis.com",
        "§:mozilla.net",
        "§:netflix.com",
        "§:nflxext.com",
        "§:nflximg.com",
        "§:nflxvideo.net",
        "§:noscript.net",
        "§:outlook.com",
        "§:passport.com",
        "§:passport.net",
        "§:passportimages.com",
        "§:paypal.com",
        "§:paypalobjects.com",
        "§:securecode.com",
        "§:securesuite.net",
        "§:sfx.ms",
        "§:tinymce.cachefly.net",
        "§:wlxrs.com",
        "§:yahoo.com",
        "§:yahooapis.com",
        "§:yimg.com",
        "§:youtube.com",
        "§:ytimg.com"
      ],
      "untrusted": [],
      "custom": {}
    },
    "enforced": true,
    "autoAllowTop": false
  },
  "local": {
    "debug": false,
    "showCtxMenuItem": false,
    "showCountBadge": true,
    "showFullAddresses": true,
    "storage": "local",
    "uuid": "f0234288-0dab-41d2-aad7-98850488202d"
  },
  "sync": {
    "global": false,
    "xss": true,
    "clearclick": true,
    "storage": "sync"
  },
  "xssUserChoices": {}
}
Last edited by KonomiKitten on Thu Jul 19, 2018 2:37 pm, edited 1 time in total.
Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
skriptimaahinen
Master Bug Buster
Posts: 244
Joined: Wed Jan 10, 2018 7:37 am

Re: Guardian page causes 100% CPU Usage, UI Lockup

Post by skriptimaahinen »

Can confirm the spike in cpu and ram usage (can cause whole OS to hang for a while) and crashing of Firefox.

The culprit appears to be script from connect.facebook.net, so avoid allowing that domain until fix is found.

For the facebook.net to appear in the popup, you need to enable:

theguardian.com
guim.co.uk
krxd.net
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
skriptimaahinen
Master Bug Buster
Posts: 244
Joined: Wed Jan 10, 2018 7:37 am

Re: Guardian page causes 100% CPU Usage, UI Lockup

Post by skriptimaahinen »

Update:

Turns out the problem is in the XSS filter. So if you absolutely need to be tracked by Facebook, you could disable XSS in the Options and then allow facebook.net. ;)

@Giorgio:

If you have not yet checked on this: The problematic call is to https://www.facebook.com/tr/, which returns with somewhat largish payload (requestBody.formData.cd[OpenGraph]: about 80k chars), that XSS.InjectionChecker.reduceJSON promptly chokes on. I'll let you figure this out. :)
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Guardian page causes 100% CPU Usage, UI Lockup

Post by Giorgio Maone »

skriptimaahinen wrote:Update:

Turns out the problem is in the XSS filter. So if you absolutely need to be tracked by Facebook, you could disable XSS in the Options and then allow facebook.net. ;)

@Giorgio:

If you have not yet checked on this: The problematic call is to https://www.facebook.com/tr/, which returns with somewhat largish payload (requestBody.formData.cd[OpenGraph]: about 80k chars), that XSS.InjectionChecker.reduceJSON promptly chokes on. I'll let you figure this out. :)
Thank you, looking into it.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
KonomiKitten
Posts: 11
Joined: Mon Mar 19, 2018 6:30 am

Re: Guardian page causes 100% CPU Usage, UI Lockup

Post by KonomiKitten »

Sorry to be bothering, but is there any progress on this bug?
Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
User avatar
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Guardian page causes 100% CPU Usage, UI Lockup

Post by Thrawn »

If you need a workaround while waiting, you could block it with ABE:

Code: Select all

Site .facebook.com .facebook.net
Deny from .theguardian.com
This should prevent the XSS filter from choking, but will also kill off the Facebook Connect functionality (on that one site), if that matters to you.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/66.0.3359.181 Chrome/66.0.3359.181 Safari/537.36
User avatar
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Guardian page causes 100% CPU Usage, UI Lockup

Post by therube »

NoScript 10 doesn't do ABE (that I see).

NoScript 5, sure.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 SeaMonkey/2.49.4
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Guardian page causes 100% CPU Usage, UI Lockup

Post by Giorgio Maone »

Fixed in latest development build (backported to "Classic" 5.1.8.7rc3, too):
v 10.1.8.3rc11
=============================================================
x [XSS] Fixed InjectionChecker choking at some big JSON
payloads sents as POST form data
x Fixed meta-refresh emulation confused by quoted URLs
x Fixed regression - popup first row not showing the active
preset initially
x [ESR60] Fixed some edge cases still breaking feeds
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
KonomiKitten
Posts: 11
Joined: Mon Mar 19, 2018 6:30 am

Re: Guardian page causes 100% CPU Usage, UI Lockup

Post by KonomiKitten »

Fixed thank you!
Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
Post Reply