Amazon Assistant and NoScript

Ask for help about NoScript, no registration needed to post
Khala-Oakeage

Amazon Assistant and NoScript

Post by Khala-Oakeage »

Hi, complete newbie here though I have had NoScript for a little while I don't understand much of it.

I can't seem to get my Amazon Assistant add on for firefox working with NoScript, it will open but nothing will load and it will eventually say "Still no luck, try to close and reset again".

I found an old post here https://forums.informaction.com/viewtop ... =7&t=21674 but I'm not sure if it's too old to fix the problem anymore as I've added the domains listed to whitelist but I can't find the "Enable "Cascade top document's permissions to 3rd party scripts" in NoScript Options>Advanced(tab)>Trusted(tab)."

If I disable NoScript the assistant works fine.

I have NoScript version 10.1.7.5, Firefox Quantum 59.0.2 and Amazon Assistant 10.1711.15.1405

Any help would be appreciated, thanks
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
User avatar
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Amazon Assistant and NoScript

Post by therube »

What is "Amazon Assistant" addon?

What domains have you allowed in FF?

As a test, create a new, clean Profile & install only NoScript & AA.
What happens with that?
What happens with that & if you Allow Globally in NoScript?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 SeaMonkey/2.49.2
KhalaOakeage

Re: Amazon Assistant and NoScript

Post by KhalaOakeage »

I use Amazon Assistant to add items from other shopping websites to my amazon wish list, you can also use it to compare prices.

Created a new clean profile for firefox > installed amazon assistant > working as it should be
> installed NoScript > amazon assistant no longer loading
> temporarily allowed all on page > amazon assistant still not loading
> selected no permissions enforcement (in options) > amazon assistant working fine

Whatever is being blocked does not show up on the NoScript list for the current page.
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Amazon Assistant and NoScript

Post by barbaz »

KhalaOakeage wrote: > temporarily allowed all on page > amazon assistant still not loading
Were there still blocked scripts when you did this?

"Temporarily allow all this page" doesn't mean what it says. It means "temporarily allow all sites in this list that aren't marked Untrusted". See the sticky for more info.
*Always* check the changelogs BEFORE updating that important software!
-
KhalaOakeage

Re: Amazon Assistant and NoScript

Post by KhalaOakeage »

I clicked "temporarily allow all" until there was nothing blocked in the list, anything else that was blocked was not showing in that list
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
guest

Re: Amazon Assistant and NoScript

Post by guest »

Check if third-party cookies are "Always" accepted in Firefox options, if set to "Never" or "From visited" the Amazon Assistant doesn't work. (Perhaps it's best to set up/use a specific firefox profile for shopping only)

Then add these to NoScript's trusted sites:
ssl-images-amazon.com
s3.amazonaws.com

1. Copy the first site into NoScript's textbox "Search or add a web site:"
2. Click the plus sign to add it to trusted sites
3. Afterwards click the red lock icon to change http to https.
4. Repeat the instructions for the second site.

When changing the language (country) in Amazon's Assistant, you might to need trust 1,2 or more new sites in NS, or temporarily trust them for the time being or customize the allowance settings for these site(s).
You can check these sites in NoScript's popup window but if they don't appear you can use a "logger" to detect them.(Umatrix and ublock origin have this feature)

For example "amazonaws.com.cn" didn't show up in NS but it has to be permanently/temporarily Trusted in order for the Chinese amazon shopping assistant to function.

There's some trial and error involved.

Tested:
Amazon Assistant version 10.1804.4.1302
Firefox version 59.0.2 (64 bit)
Noscript version 10.1.7.5
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
KhalaOakeage

Re: Amazon Assistant and NoScript

Post by KhalaOakeage »

Thank you! Very helpful instructions and they've worked.
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
KhalaOakeage

Re: Amazon Assistant and NoScript

Post by KhalaOakeage »

I'm having issues with this again, was working perfectly up until now.
I can open Amazon Assistant but the Wish List part of it will not load unless I disable restrictions globally on No Script.
I've looked at the UBlock logger to add the sites to the permissions list and added everything amazon related but it still won't let the wish list load.

I do see in the Ublock logger that it also lists https://noscript-csp.invalid/__NoScript_Probe__/ which in the static filtering box shows: ||noscript-csp.invalid/__NoScript_Probe__/*$csp_report,domain=horizonte.browserapps.amazon.co.uk
but I have no idea what this means and horizonte.browserapps.amazon.co.uk is in my permissions list.

Any help appreciated since the wish list part of it is why I use it, thanks
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
guest

Re: Amazon Assistant and NoScript

Post by guest »

Hi, noscript's probably not the culprit. You mentioned Ublock.

Ublock requires no specific settings regarding the assistant.
------
Judging from your post, you are shopping on amazon.co.uk?
Check if these domains have been whitelisted in Noscript:
amazon.co.uk
ssl-images-amazon.com
s3.amazonaws.com
If these exist, the assistant's window for the UK location loads and opens normally.
-----
Do you have Umatrix installed, especially the versions from 1.3.8 to 1.3.16?
If so, something might be blocking the assistant. Try adding a new rule, instructions below.

1. Click the Umatrix button to open its dashboard.
2. Click Tab "My rules"
3. On the right side, where it shows "Temporary Rules", place the cursor at the end of the last line.
4. Press Enter to add a new line.
5. Copy and paste this rule to that line.

Code: Select all

amazon.co.uk * script allow
6. Click the Save Button.
7. Click the Commit button to change the temporary rule to a permanent rule.
8. Exit the browser then start the browser and check if AA is working.

When using other Amazon locations add a new rule to Umatrix to allow scripts from the appropriate domain.
For example Amazon USA requires: amazon.com * script allow
Amazon Germany requires: amazon.de * script allow
Amazon Spain requires: amazon.es * allow and so forth...

Don't know why it has changed, previously (in Umatrix v 1.3.6) it worked fine without it, so perhaps it's version related.

Tested
Amazon Assistant version 10.1805.2.1019
Firefox version 64.0 (64 bit)
Noscript version 10.2.1
Umatrix version 1.3.16
Ublock version 1.17.4
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
KhalaOakeage

Re: Amazon Assistant and NoScript

Post by KhalaOakeage »

Thanks for replying.
You say noscript is probably not the culprit but when I disable it amazon assistant works fine, I have Ublock disabled and was only enabling it to use it for the logger.

I have all those domains already whitelisted in noscript plus extras.

I don't have Umatrix.
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
guest

Re: Amazon Assistant and NoScript

Post by guest »

My mistake completely, I made the wrong assumptions AND forgot to look at the Wish list feature...

The assistant's Wish list is working with Noscript 10.2.0 if this domain has been whitelisted: d22r6og5gp6fgc.cloudfront.net

However, this stops working in noscript 10.2.1.
Perhaps revert back to Noscript 10.2.0 temporarily or temporarily Disable restrictions globally when using the assistant as you have already done.

Whitelisting these domains in Noscript didn't fix the issue (they showed up in ublock's logger (or firefox' browser console):
bit-wishlist-uk-prod.s3-eu-west-1.amazonaws.com
titan.service.amazonbrowserapp.co.uk
m.media-amazon.com
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
KhalaOakeage

Re: Amazon Assistant and NoScript

Post by KhalaOakeage »

Thank you for the help. Shame there is no fix for it but I guess I'll just continue temporarily disabling restrictions globally.
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
guest

Re: Amazon Assistant and NoScript

Post by guest »

Hopefully the developer and support team can help solving this.

Noscript 10.2.1, more specifically RequestQuard.js (17.8 KB) is preventing Amazon's Wish list feature from opening.

Tested it in Firefox by using the Load Temporary Add-on feature.
Copied RequestQuard.js (17.2 KB) from noscript version 10.2.0 to noscript_security_suite-10.2.1-fx\bg\Requestquard.js
After the file had been copied, the Assistant's Wish list opened again. These domains already had been whitelisted in Noscript:

Canada + USA: amazon.ca, amazon.com, d2sy71lka14dqw.cloudfront.net
Europe + India: amazon.de, amazon.co.uk, amazon.es, amazon.fr, amazon.it, amazon.in, d22r6og5gp6fgc.cloudfront.net
Japan: amazon.co.jp, d1oyjnop5htyha.cloudfront.net
China: amazon.cn, s3.cn-north-1.amazonaws.com.cn
All the above locations require: s3.amazonaws.com, ssl-images-amazon.com

Below the lines of code from RequestQuard.js Noscript 10.2.0 and Noscript 10.2.1

RequestQuard.js - Noscript 10.2.0
Between lines 311-325

Code: Select all

pending.headersProcessed = true;
      let {url, documentUrl, statusCode, tabId, responseHeaders, type} = request;
      let isMainFrame = type === "main_frame";
      try {
        let capabilities;
        if (ns.isEnforced(tabId)) {
          let policy = ns.policy;
          let perms = policy.get(url, documentUrl).perms;
          if (policy.autoAllowTop && isMainFrame && perms === policy.DEFAULT) {
            policy.set(Sites.optimalKey(url), perms = policy.TRUSTED.tempTwin);
            await ChildPolicies.update(policy);
          }
          capabilities = perms.capabilities;
RequestQuard.js - Noscript 10.2.1
Between lines 311 -340

Code: Select all

  pending.headersProcessed = true;
      let {url, documentUrl, frameAncestors, statusCode, tabId,
          responseHeaders, type} = request;
      let isMainFrame = type === "main_frame";
      try {
        let capabilities;
        if (ns.isEnforced(tabId)) {
          let policy = ns.policy;
          let perms = policy.get(url, documentUrl).perms;
          if (isMainFrame) {
            if (policy.autoAllowTop && perms === policy.DEFAULT) {
              policy.set(Sites.optimalKey(url), perms = policy.TRUSTED.tempTwin);
              await ChildPolicies.update(policy);
            }
            capabilities = perms.capabilities;
          } else {
            capabilities = perms.capabilities;
            if (frameAncestors.length > 0) {
              // cascade top document's restrictions to subframes
              let topUrl = frameAncestors.pop().url;
              let topPerms = policy.get(topUrl, topUrl).perms;
              if (topPerms !== perms) {
                let topCaps = topPerms.capabilities;
                // intersect capabilities
                capabilities = new Set([...capabilities].filter(c => topCaps.has(c)));
              }
            }
          }
With RequestQuard.js from Noscript 10.2.1, the browser console shows a lot of Warnings (Cross-Origin Request Blocked messages) and several errors about Content Security Policy:"The page's settings blocked the loading of a resource at inline ("script-src").
XHR and Request status codes (POST and GET) are Ok.

@developer and support team:
Would it be possible to change RequestQuard.js in such a way that the assistant's Wish List feature is allowed to open/load again instead of disabling restrictions globally?

Best Regards!
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Post Reply