Credit Card Approval

[Holmemoss]

Thank you for your informative response. I have the following 'Add-ons' installed :

Adblock Plus
BetterPrivacy
British English Dictionary (of course!)
Flagfox
Ghostery
NoScript
Quick Proxy
Torbutton

I understand your point that the problem may well be caused by add-ons other than NoScript. However, I have had the same add-ons installed for a long time and did not experience the problem until a recent new version of NoScript.

[GµårÐïåñ]

Thank you for your informative response.

You are welcome, we do the best we can to try.

I have the following 'Add-ons' installed :

Adblock Plus
BetterPrivacy
British English Dictionary (of course!)
Flagfox
Ghostery
NoScript
Quick Proxy
Torbutton

Well you have several of the offenders in there for sure, ABP, BP, Ghostery and even possibly both your Proxy tools. Those proxy tools could result in malformed headers or even altogether redirection jacking all on their own, Giorgio can speak to that more specifically knowing the blood and guts of the operation.

I understand your point that the problem may well be caused by add-ons other than NoScript. However, I have had the same add-ons installed for a long time and did not experience the problem until a recent new version of NoScript.

Well I know for a fact that several of those, including Ghostery, has had a recent or reasonably recent updates to them and although may seem benign at first, it can and often does modify enough to potentially cause a problem that was not previously there. But I can certainly understand where you are coming from and it often seems that way but not always the case. To be most certain, I think we should wait to see if given all the information we have and all the conjecture, what Giorgio thinks and if there is any merit to any of it. Just be patient, he is a busy man and running on little to no sleep often, so it might take a day or so to respond, although knowing him, he will be answering it before I have a chance to finish this or soon after

[Guest]

This issue still shows up in 2.6.9.3 in case of 3dsecure verified by visa
The merchant site usually sends payment/card details to the 3dsecure page which depending on the payment processor could be of any bank site that they have agreement with. So first the redirect to the Verified By Visa Page is blocked. After I allow that and enter my code, I click on Ok/Submit button, Again the passing of the 3dsecure PIN to the bank to authenticate the purchase is blocked and a brief message about XSS being blocked appears. The page on the merchant site returns a 405 Method not supported error. At the time, I was more worried about losing my money than checking the Error Console.

For the next time, could you please suggest, any Anti-XSS filter exceptions or some way to disable xss alone for a brief period, not even for the entire browser session.

Only other way, I see is to just browse that merchant site for just paying for the order and browse nothing else.

[barbaz]

the passing of the 3dsecure PIN to the bank to authenticate the purchase is blocked and a brief message about XSS being blocked appears. The page on the merchant site returns a 405 Method not supported error. At the time, I was more worried about losing my money than checking the Error Console.

For the next time, could you please suggest, any Anti-XSS filter exceptions or some way to disable xss alone for a brief period, not even for the entire browser session.

Only other way, I see is to just browse that merchant site for just paying for the order and browse nothing else.

Can't suggest any XSS exceptions without seeing the XSS console message(s) from NoScript, sorry.

NOT RECOMMENDED because this is exactly when you most need the XSS filter, but you can disable it @ noscript options > advanced > xss > un-check "Turn cross site POST requests into data-less GET requests" (judging from the your description, that's likely the part of the XSS filter you're running into)
If you do disable it, suggest you don't open any other pages (or have any other pages open) in that browser session until you're done with the sensitive transaction.

[Guest]

@barbaz Thank you for taking the time to respond. I did open the console much later, but then there were no NoScript messages in the console. Cannot remember if it was a new browser session, but mostly I don't close my browser very often.

I did think that disabling the option that you mentioned in XSS options page might help. However something else that blocks the payment flow is redirects getting blocked and instead I get a button on a blank page with the target url written on the button. Possibly, when I click on the button it does not pass on the info that it might have if allowed to redirect by itself. Is there any temporary step I can take or site specific setting I can configure to just let redirects happen on that tab?

As of now, I'm preparing for the next time...which comes usually quite often.

I have tried giving noscript a go on and off, and the current version is so so so very much easier on breaking of sites part. Or perhaps the web has improved.

Thank you for keeping on developing and improving noscript

[barbaz]

@barbaz Thank you for taking the time to respond. I did open the console much later, but then there were no NoScript messages in the console. Cannot remember if it was a new browser session, but mostly I don't close my browser very often.

Most likely the console messages just got pushed out due to excessive CSS warnings.

I did think that disabling the option that you mentioned in XSS options page might help. However something else that blocks the payment flow is redirects getting blocked and instead I get a button on a blank page with the target url written on the button. Possibly, when I click on the button it does not pass on the info that it might have if allowed to redirect by itself. Is there any temporary step I can take or site specific setting I can configure to just let redirects happen on that tab?

NoScript does not block "redirects" from Allowed sites on the active tab (except incidentally)..
I suppose that could be the result of some intermediate site being default-script-blocked, so maybe try "Allow Scripts Globally (dangerous)"?
(Again, probably not smart to open other sites in that browser session if you do that.)

Or perhaps the web has improved.

haha yeah right

Thank you for keeping on developing and improving noscript

I'm not a dev - only Giorgio is.