Page 2 of 2
Re: A script on this page may be busy... Script: chrome://noscri
Posted: Wed Oct 14, 2009 8:24 pm
by theqwert
Hrm, didn't think to kill XSS, which definitely does fix the issue (that is unchecking 'Sanitize cross-site suspicious requests'), but the exception you posted doesn't quite do the trick.
With the exception in place but XSS enabled I errored out with the following:
Code: Select all
[NoScript DOS] Aborted potential DOS attempt: {GET http://ig.gmodules.com/gadgets/ifr?view=home&url=http://www.google.com/ig/modules/feeds_tabs.xml&nocache=0&up_title=RSS&up_tabFontSize=0.7em&up_showFeedDesc=1&up_feed1=http://groups.google.com/group/Google-Gadgets-API/feed/atom_v1_0_topics.xml&up_feedTitle1=Gadgets+API&up_feed2=http://code.google.com/feeds/updates.xml&up_feedTitle2=Google+Code&up_feed3=http://myeve.eve-online.com/feed/rdfdevblog.asp&up_feedTitle3=EVE&up_feed4=http://www.eve-online.com/feed/chronicles.xml&up_feedTitle4=EVE+Chron&up_entries=3&up_summaries=-1&up_renderHtml=1&up_showTimestamp=1&up_selectedTab=0&lang=en&country=us&.lang=en&.country=us&synd=ig&mid=96&ifpctok=-6746581423071616306&exp_split_js=1&exp_track_js=1&exp_new_js_flags=1&exp_ids=17259,17315,300667,300701&parent=http://www.google.com&refresh=3600&libs=core:core.io:core.iglegacy&extern_js=/extern_js/f/CgJlbhICdXMrMNIBOAEsKzDYATgBLCsw2gE4ACwrMNsBOAEs/fWzgRbX4nIM.js&is_signedin=1 <<< http://www.google.com/ig, http://www.google.com/ig}
(function () {return this.filterXSS(abeReq);})
Re: A script on this page may be busy... Script: chrome://noscri
Posted: Wed Oct 14, 2009 8:46 pm
by Giorgio Maone
Sorry, my fault.
The correct exception pattern should be:
Code: Select all
^@https?://www\.google\.com/ig(?:/|$)
Re: A script on this page may be busy... Script: chrome://noscri
Posted: Wed Oct 14, 2009 9:28 pm
by travelgirl
the issue is easy and consistent. it's simply a complete failure of iGoogle's gadgets (ebirds (notable-birds) and gocomics) to render. google says the problem isn't on their end, so i'm asking the only other program possible (noscript)... as for the [NoScript *]s and ABEs:
[NoScript HTTPS] Secure cookie set by
http://www.google.com: AnalyticsUserLocale=en-US; domain=
www.google.com; path=/analytics/; Secure
[NoScript HTTPS] Secure cookie set by oascentral.consumerreports.org: NSC_dfo12defm_qppm_ttm=ffffffff0941128045525d5f4f58455e445a4a423660; domain=oascentral.consumerreports.org; path=/; Secure
[ABE] <LOCAL> Deny on {GET
http://rmedia.boston.com/RealMedia/ads/ ... ion_folder <<<
http://www.boston.com/bigpicture/2009/1 ... _cham.html,
http://www.boston.com/bigpicture/2009/1 ... _cham.html}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
is typical. nothing to do with the iGoogle gadgets. screen shots available at
http://picasaweb.google.com/travelgirl.fics/IGoogle# ... all of the previous errors have something to do with the gadgets that are failing. so far as i can see, no messages deal with those gadgets.
oh, and i've changed the XSS Exception to the one just listed. No change in behaviour...
Re: A script on this page may be busy... Script: chrome://noscri
Posted: Wed Oct 14, 2009 9:57 pm
by Giorgio Maone
@
travelgirl:
according to your screenshots you're still using 1.9.9.07.
Could you actually upgrade to 1.9.9.11, clear your cache, restart your browser and retry?
Yes, the warning you showed in your previous post are related to IG, but they're unrelated to NoScript.
They just show some IG code is missing / broken.
BTW, I installed both your gadgets in my IG
profile and still cannot reproduce
Re: A script on this page may be busy... Script: chrome://noscri
Posted: Wed Oct 14, 2009 10:25 pm
by GµårÐïåñ
Agreed that these are google errors and if they are telling you its not their problem, they are just giving you a run around. I have installed many in the past and even more recently with another blank profile to reproduce your problem and I cannot. I have never had this issue and Giorgio can't reproduce it either and we are all using the same version and trying to replicate your environment as best as we can.
Can you give us the list of your extensions installed or try with a profile that has ONLY NoScript and see if the problem persists. This seems to be an issue possibly caused by a Google extension, such as CustomizeGoogle, GoogleEnhance, etc, etc. We will do what we can to help but at some point it has to be an issue related to our product before we can do something, otherwise all we can do is give you the best advice we can and not much more.
Re: A script on this page may be busy... Script: chrome://noscri
Posted: Wed Oct 14, 2009 11:07 pm
by travelgirl
the screenshots were taken last night. i installed .11 this morning, cleared cache, rebooted (required, as i had also installed tons of microsoft updates)... the screen shots are accurate as to problem; only the version is different. the screen shots also detail all of the extensions/add-ons that are installed (and not)...
am disabling ghostery (the only other add-on with a possibility of interference)... will report in two minutes (restarting firefox)...
two minutes later:
goodness. would you look at that? both gadgets are functional. ghostery says it is only attempting blockage of analytics, yet obviously there is some other symbiosis/parasitism occurring as well...
well, much as ghostery is a good program with potential, i prefer noscript and igoogle by lots.
will keep you informed if things revert unexpectedly. thanks to both of you for your help...
Re: A script on this page may be busy... Script: chrome://noscri
Posted: Thu Oct 15, 2009 12:28 am
by GµårÐïåñ
1. Actually your screenshot does NOT give the whole list of extensions, just the few on the top. Extensions are not plugins which you have provided a full screenshot. To do this properly, you can try Extension List Dumper or InfoLister or whatever else you prefer. Unless the extensions visible, ending with TMP are the only thing you have installed, in which case I strongly urge you to try the second step below.
2. Have you tried this with a blank profile using ONLY NoScript? This would mean simply starting your browser using the command line option
-profilemanager so it would be something like
"C:\Program Files\Mozilla Firefox\firefox.exe" -profilemanager and you can create a fresh profile without losing your other one and just simply install the latest NoScript version, restart and try the site and see if the problem persists.
3. Alternatively, you can at least disable Ghostery's blocking feature during this testing because it has been known to have problems. I shared
this with the developer over 2 months ago and he has done nothing, so its not unusual for it to cause problems and have zero support. I didn't see Adblock Plus on your extension list but if you have it, check the list of blockable elements to see that it is not blocking some script that is needed and causing the problem.
If you can try these options and provide us feedback we can better help you, otherwise, we are all spinning our wheels wasting time and no one benefits since we obviously can't reproduce the problem no matter how much we have tried.
Re: A script on this page may be busy... Script: chrome://noscri
Posted: Mon Oct 19, 2009 7:27 pm
by reid
Hi. I, too, have been seeing this dialog on my igoogle page. In my case, adding this XSS exception seems to have fixed it:
^https?:.*gmodules.com/
Not sure if that's an ideal regexp there, or why it was necessary exactly.
It seemed like it was related to this gadget:
http://www.google.com/ig/directory?url= ... -radar.xml
Thanks,
reid
Re: A script on this page may be busy... Script: chrome://noscri
Posted: Mon Oct 19, 2009 7:45 pm
by Giorgio Maone
reid wrote:Hi. I, too, have been seeing this dialog on my igoogle page. In my case, adding this XSS exception seems to have fixed it:
^https?:.*gmodules.com/
Not sure if that's an ideal regexp there, or why it was necessary exactly.
This one is equivalent (disables XSS checks for requests towards gmodules.com subdomains) but more specific (yours could match completely unrelated URLs, e.g.
https://
www.somesite.com/somepath/?dummy=[b]gmodules.com/[/b]):
Code: Select all
^https?://([^/]+\.)?gmodules\.com/
Re: A script on this page may be busy... Script: chrome://noscri
Posted: Mon Oct 19, 2009 8:16 pm
by reid
That looks much better, thanks!
Would it be possible to add an option to add an exception to the yellow bar that reports an XSS problem? Maybe for either the specific URL or the toplevel domain? That'd be convenient, especially for someone who's not familiar with regexps. Especially if this kind of thing isn't uncommon.
reid
Re: A script on this page may be busy... Script: chrome://noscri
Posted: Wed Oct 28, 2009 9:24 pm
by wwvierg
Giorgio Maone wrote:None of these warnings are related to NoScript's XSS filters.
You can filter the relevant lines by clicking on the "Messages" button (blue icon) in Tools|Error Console: I'm after those lines starting with [NoScript XSS].
i, too, have been getting the hung script for weeks now - always on one of my igoogle pages (i.e., home, news, business, sports, technology, etc.)
saw this in the messages:
[NoScript XSS] Sanitized suspicious request. Original URL [
http://ig.gmodules.com/gadgets/ifr?view ... signedin=1] requested from [
http://www.google.com/ig?t=7]. Sanitized URL: [
http://ig.gmodules.com/gadgets/ifr?view ... 6269618196].
am running FF 3.5.3 and NoScript 1.9.9.11
wow!!!! ... something just hung again -for over 10 seconds- as i'm writing this; now see these two new messages:
Security Error: Content at
http://googleads.g.doubleclick.net/ may not load data from
http://ig.gmodules.com/gadgets/ifr?view ... signedin=1.
[NoScript XSS] Sanitized suspicious request. Original URL [
http://1nltui3li1cdki8kde21baj1igs7ekjc ... s_social=1] requested from [
http://www.google.com/#]. Sanitized URL: [
http://1nltui3li1cdki8kde21baj1igs7ekjc ... 2939503368].
Re: A script on this page may be busy... Script: chrome://noscri
Posted: Thu Oct 29, 2009 12:09 am
by GµårÐïåñ
Please try it with
NoScript latest development build and see if that resolves the issue. Many things were addressed leading to the latest .14 release, we hope that it will fix your problem. Try that and get back to us if it still persists or whether it fixed your problem. Thank you.
Re: A script on this page may be busy... Script: chrome://noscri
Posted: Fri Nov 20, 2009 3:42 pm
by theqwert
After a crazy two weeks on my end, sad to report that this issue is still not fixed, just errored out again.
Code: Select all
[NoScript DOS] Aborted potential DOS attempt: {GET http://8g3rfsai4nr2fdeondufecjdo7qlrh4r.ig.ig.gmodules.com/gadgets/ifr?view=home&url=http://hosting.gmodules.com/ig/gadgets/file/116754416080903249690/farkfeeds.xml&nocache=0&up_tabFontSize=0.7em&up_showFeedDesc=0&up_showTimestamp=0&up_showSourceArticle=0&up_feed1=http://www.fark.com/fark.rss&up_feedTitle1=Not+News&up_feed2=http://www.fark.com/sports/fark.rss&up_feedTitle2=Sports&up_showSportsTab=0&up_feed3=http://www.fark.com/business/fark.rss&up_feedTitle3=Business&up_showBusinessTab=1&up_feed4=http://www.fark.com/geek/fark.rss&up_feedTitle4=Geek&up_showGeekTab=1&up_feed5=http://www.fark.com/showbiz/fark.rss&up_feedTitle5=Showbiz&up_showShowbizTab=1&up_feed6=http://www.fark.com/politics/fark.rss&up_feedTitle6=Politics&up_showPoliticsTab=1&up_feed7=http://www.fark.com/music/fark.rss&up_feedTitle7=Music&up_showMusicTab=0&up_feed8=http://www.fark.com/video/fark.rss&up_feedTitle8=Video&up_showVideoTab=1&up_feed9=http://www.foobies.com/foobies.rss&up_feedTitle9=Foobies&up_showFoobiesTab=0&up_entries=9&up_renderHtml=true&up_selectedTab=2&lang=en&country=us&.lang=en&.country=us&synd=ig&mid=94&ifpctok=-6054912295301392259&exp_split_js=1&exp_track_js=1&exp_new_js_flags=1&exp_ids=17259&parent=http://www.google.com&refresh=3600&libs=core:core.io:core.iglegacy:auth-refresh#st=c%3Dig%26e%3DAPu7icrh5ovV6iMsLiftj07/WJB%252BYF5t3h91NblirYHbQrQm3xctOERz9Q28ApankazgEcpwcNJ%252B/pu5DVULg%252Br5GAVlQu2DwuqoFsrfEu9NEp6vaaBmO0gT4nFB5AH44nYQghtXNFwl&gadgetId=111901928688144469149&gadgetOwner=101413561995882255650&gadgetViewer=101413561995882255650&is_signedin=1&is_social=1 <<< http://www.google.com/ig, http://www.google.com/ig}
(function () {return this.filterXSS(abeReq);})
Re: A script on this page may be busy... Script: chrome://noscri
Posted: Fri Nov 20, 2009 3:52 pm
by Giorgio Maone
@
theqwert
Are you actually using the "fixed" exception I gave you in
this post?
Giorgio Maone wrote:
The correct exception pattern should be:
Code: Select all
^@https?://www\.google\.com/ig(?:/|$)
