InformAction Forums

Martyn wrote:Hi All,

Just wanted to register that I'm also getting this same problem, have been for a few weeks now.

I normally see it on the account overview page (https://secure.lloydsbank.co.uk/persona ... _personal/), the page loads and display fine, then it locks for around 25 seconds, starts running again for a split second and then locks for another 25 seconds.

Then I receive two "save file" dialogs with the filename and file type corrupted with JavaScript code.

Filename:

Code: Select all

javascript__(function(){function i(){if(typeof XMLHttpRequest!='undefined'){return new XMLHttpRequest()}try{return new ActiveXObject(_Msxml2.XMLHTTP_)}catch(e){try{return new ActiveXObject(_Microsoft.XMLHTTP_)}catch(e){}}}function j(a){if(typeof(a)==_string_)

After that the page is fine until I reload it.

I'm happy to run any tests if need be.

Regards,
Martyn.

Hi Martyn

I been working with all *lloydsbank.co.uk domains forbidden to get around this problem, having tried many permutations in NoScript.
Whilst this works fine, pages didn't always display as intended.

Following your post, I then tried adding ONLY secure.lloydsbank.co.uk to the whitelist, and now I've got normal loading times & the correct page layout, as far as I can tell from all the sub pages I visited.

Thanks for the clue.

Brian

I found this forum because I am having almost the exact same problems with the Natwest on-line banking site - page hangs and eventually a message box pops up prompting me to save or cancel a javascript file. If I select cancel the site works until the next page refresh when the process starts over.

Talk on the Natwest community forum about this seems to point the finger at NoScript but as of yet there has been no definitive answer from Natwest other than not to use NoScript. I have been using Natwest on-line banking with Firefox and NoScript for years with no issues, it has only been the past few weeks that this problem has arisen.

I will continue to monitor this thread to see if anyone find a permanent fix.

Thanks,
Ashley

Having the same problem with Santander for the last few weeks so it seems a wide spread problem.

Ashjuk wrote:as of yet there has been no definitive answer from Natwest other than not to use NoScript.

Wow... they are a *bank* and they're recommending to drop way more of your cyber-security than needed to avoid problems resulting from their insecure site design? Has anyone actually pointed them to this forum?
As noted in the linked threads this likely related to the XSS filter objecting to the very bad and very insecure practice of playing with window.name - so if you've no time to troubleshoot, disable the XSS filter (NoScript Options > Advanced > XSS, un-check both boxes) and use a separate browser session to access the site (IOW, restart the browser & don't visit any other site until logging out, re-enabling the XSS filter, clearing cookies & the like for the site, and again restarting the browser). But again, that's just a work-around, better solution is to go with what others have said works with marking sites as Untrusted or blocking the culprit script(s) with ABE and/or surrogate script.

barbaz wrote:...Has anyone actually pointed them to this forum?

Yes. I posted a link to this thread on the Natwest forum yesterday morning and it has been read by one of their support staff, so hopefully between them all a fix will come along soon.

It seems odd that it appears to be restricted to banking sites, I've not experienced a problem with any other site. Meanwhile I am using Chrome with the ScriptSafe add-on to access Natwest On-line banking and that works fine.

Ashjuk wrote:I am using Chrome with the ScriptSafe add-on to access Natwest On-line banking and that works fine.

Well, that's probably because ScriptSafe doesn't have a cross-site scripting filter.

FAO: those banking online with Lloyds Bank and experiencing the hanging problem in Firefox with NoScript (seems to be related to the domain marketing.lloydsbank.co.uk trying to run javascript and/or an ActiveX object).

[Please bear with me. This is the first time I have ever posted to a forum.]

I have found a 'solution' of sorts, which seems to be working for me so far.

CAVEAT. I have no specific technical expertise (other than a simple ability to write or adapt regular expressions). Therefore, I make no claims for this 'solution', in terms of efficacy or security. I leave that for others to comment upon.

All I did was to adapt a regular expression I found in the NoScript FAQs and added the following line to the Anti-XSS Protection Exceptions (on the XSS tab of NoScript's Advanced Options):

[dangerous suggestion deleted by moderator]

And it worked. After months of frustration and hours of lost time, it seems too simple to be true. By creating such an exception, I am, of course, having to assume that banking websites are secure enough not to be vulnerable to XSS attacks. As I say, others may comment on that.

BTW, I also removed the older lloydstsb.co.uk from my whitelist, which for me has been superceded by lloydsbank.co.uk - which no doubt has no bearing on the present problem, but at least is a bit tidier.

Hoping this post helps, and happy to be contradicted and/or for any naivety on my part to be ruthlesly exposed.

Simon

@SimonC: That is NOT safe, you are allowing *all* sites to XSS your bank!
Please try instead an XSS exception for origin of request instead - that is, match "@" plus the URL per the sticky viewtopic.php?f=7&t=17774

In your case you would (at minimum) change the leading '^' to '^@'

This would instead allow your bank to XSS all sites.


Once you get an origin exception working, please post it here or edit in your above post. Thanks

Does the following not work for other Lloyds Bank customers using NoScript?

Allow: secure.lloydsbank.co.uk (i.e. added to whitelist)
Remove all other entries containing lloydsbank.co.uk from whitelist.

I've been using this arrangement for a few days now, loads normally, and without any apparent side effects.

I just saw this on the #dev page:

https://noscript.net/getit#devel wrote:v 2.6.9.39rc1
=============================================================
x Work-around for a XSS "false positive" caused by nwolb.com
passing Javascript code across subdomains in window.name
(thanks Sagiv MAsvari for reporting)

Does the bank site(s) work fine just with 2.6.9.39rc1, or are the mentioned work-around(s) still needed?

With BoA, the work-around is no longer needed when using NoScript 2.6.9.39rc1.
(Though I'm thinking I might just keep it, the work-around, anyhow.)

...and on other banks for me.
Solution for me seems to be remove banks (all their pages) from whitelist.
= makes sense since I assume the problem script will be blocked and no attempt made to load it.

PS I had assumed the maybe this was all a red herring, and maybe the real culprit was Trusteer's Rapport which I had running.
Disabling this did not fix the problem, so I will re-enable Rapport.
Stephen

I have the same problem with Bank of Scotland web site. There seems to be a Javascript Join function that hangs Firefox and comes up with the 2 error message boxes. I also have Marketing.[bank domain] as the join it is trying to do. Hitting the cancel button on the error messages frees up the site for browsing but every time there is a return to the home page, the hang re-occurs. Oddly, this does not affect the business internet banking page.
Bank of Scotland online help have stated it is not their problem

I have the same problem with the Halifax bank (also owned by Lloyds).

I can provoke the problem by:
1) disable all Firefox extensions - verify it's OK
2) enable NoScript, even with "Allow All Scripts" - and it loops.

Not good.

Hanging is also occurring on Co-operative Bank personal online banking site: I've isolated that the addon causing it is NoScript and in my case it only started happening two days ago on the last update: verison 2.6.9.38 (12 Oct 2015). Prior to this I had no problems.

Running Windows 10 Home. Firefox 41.0.1.

When accessing above link, Firefox hangs for up to 15 seconds. Sometimes (randomly) it will ask to save a .js file. Most attempts will cause the banking site to go to its error (logout) page which claims that browser buttons or a refresh were used (when they were not).

This bug occurs whether Trusteer Rapport is installed or not.