SOLVED - Problems using No Script with Bank of America site

[Thrawn]

Well, if it's working for therube...can you compare your whitelist to his?

[lakrsrool]

it seems to have hit everybody using NoScript and BofA.

Wrong.

So are saying that you are not hanging (for 30-40 seconds) when logging into BofA website and your NoScript "Anti-XSS protection" settings are enabled (checked)? (specifically the "Sanitize cross-site suspicious requests" setting is enabled)

[lakrsrool]

Well, if it's working for therube...can you compare your whitelist to his?

My initial post:

I'm allowing all scripts in Noscript for BofA site....

So my whitelist would include all sub-sites related to this BofA starting website so there wouldn't be anything more that therube would have in that whilelist related to this website than I would have in my whitelist it would seem to me.

If therube has absolutely no hang logging into BofA site with the XSS enabled for the top setting then I'm at a loss how this could be as I've disabled all add-ons and it comes down to NoScript with XSS enabled that causes the hang. If I either disable NoScript totally or disable the XSS top setting then I do not have an hang problems. As the top XSS setting is "Sanitize cross-site suspicious requests" it would appear to me this "sensitization" is perhaps taking a bit of time to perform.

As of now, I currently have all sites "allowed" except "demdex.net" which has very poor reputation and I have XSS enabled for the top setting and I'm noticing that for this evening (actually 12:05AM, noticed my post times are an hour earlier than they should be which I don't understand as I'm set to my PST) the hang has been for a shorter duration, more like around 20-30 seconds (slightly less than previously), but then I don't know if this shorter hang time will persist or the hang time will increase tomorrow during business hours when more users will be logging which had been more like 30-40 or more seconds.

In the end I'd prefer to retain some of the security that at least the top setting for XSS gives me as opposed to losing this security on a global scale, so I'm considering putting up with the hang as long as the hang time doesn't increase tomorrow again.

[barbaz]

Perhaps you have something in your whitelist that therube doesn't have?

[lakrsrool]

Perhaps you have something in your whitelist that therube doesn't have?

Well, I'm now getting the infamous "Ooops, something in your posting triggered my antispam filter...Please use the "Back" button to modify your content and retry.' bug again trying to post the info. I'll keep trying, but really this bug needs to be FIXED!!!!

[lakrsrool]

Perhaps you have something in your whitelist that therube doesn't have?

Well, the hang time is back to 40+ seconds again (during business hours).

Question: Wouldn't just whatever sites that are used by the BofA login website be what could cause anything either way as to how the website works?

If so, I've tried all combinations of "allowing" and "forbidding" all sites that NoScript lists as having to do with the website login.

I would also like to know if therube is leaving the SSE settings enabled when logging into the website. I haven't gotten a reply on this. I'll see if I can PM therube to take a look at this.

I'll post my "while list" separately as it's a very long list and is possibly causing the issue.

[lakrsrool]

Perhaps you have something in your whitelist that therube doesn't have?

I'm unable to post my "white list" in the forum so I'll email therube with my whitelist.

[barbaz]

@lakrsrool: or see PM

[lakrsrool]

@lakrsrool: or see PM

I've sent a PM to you with the list (it won't post here). I'm still wondering about whether therube actually does have the SSE settings enabled when logging into the BofA website. I say this because the website works fine with SSE disabled.

Also Ashcan has posted in this topic (page 2) that this same thing happens with this user as well.

I've noticed that the website will load the page fine but there is a little "flash" (for lack of a better term) with the address bar and then the website hangs my computer for ~40 seconds but ONLY if the SSE "Sanitize cross-site suspicious request" setting is enabled, which again makes me wonder if whatever the "sanitize" process is doing is taking time to accomplish and therefore hanging my computer.

[lakrsrool]

(lakrsrool's whitelist as sent to barbaz in PM)

Code: Select all

00fun.com
100searchengines.com
123greetings.com
55places.com
abbreviations.com
about.com
accountonline.com
aclj.org
adblockplus.org
addons.mozilla.org
adobe.com
adventistbookcenter.com
adventistmission.org
adventistworld.org
afx.ms
ajax.googleapis.com
akadns.net
akamai-cdn.com
akamaihd.net
allenbwest.com
allenwestrepublic.com
amac.us
amazingfacts.org
amazon.com
ameritrade.com
amtrak.com
angieslist.com
answcdn.com
answers.com
aolcdn.com
apple.com
arcgisonline.com
arrowheaddelivery.com
arrowheadwater.com
ask.com
aspnetcdn.com
att-mail.com
att.com
att.net
avast.com
avgthreatlabs.com
bac-assets.com
bankofamerica.com
bankrate.com
basketball-reference.com
bazaarvoice.com
bbb.org
bbbmetrics.com
bbystatic.com
beheardproject.com
bestbuy.com
bestvaluechecks.com
bing.com
bitdefender.com
bkrtx.com
bleacherreport.com
bleacherreport.net
bleepingcomputer.com
bloomberg.com
bootstrapcdn.com
borntowin.net
bridgetrack.com
brightcove.com
btstatic.com
buzzfeed.com
calnevarealty.net
calottery.com
capitalone.com
capitalone360.com
capitaloneinvesting.com
care2.com
caremark.com
cbk0.googleapis.com
cbsi.com
cbsistatic.com
cdn-seekingalpha.com
charitynavigator.org
chase.com
chasebonus.com
citi.com
citibank.com
citicards.com
citimortgage.com
city-data.com
clamav.net
cloudflare.com
cms.gov
cnet.com
cnn.com
cnn.net
code.jquery.com
commondatastorage.googleapis.com
conservativebyte.com
conservativetribune.com
constitution.com
coolopticalillusions.com
coupons.com
courier-journal.com
cpnscdn.com
crosscards.com
customsoftwareconsult.com
cvs.com
d12ofxxpqkq4dm.cloudfront.net
d29usylhdk1xyu.cloudfront.net
d2s7ckq4p8lpu.cloudfront.net
d2vxgxvhgubbj8.cloudfront.net
d2wy8f7a9ursnm.cloudfront.net
d3eh00ey7firiu.cloudfront.net
d7e8o9i11vi0c.cloudfront.net
d8t79bbpmmdp0.cloudfront.net
d9jmv9u00p0mv.cloudfront.net
dab0sz59l2q1x.cloudfront.net
dailycaller.com
dailyliked.net
dailymail.co.uk
deluxe.com
delwebb.com
dickmorris.com
dictionary.com
directrelief.org
disconnect.me
discovercard.com
disqus.com
disquscdn.com
distancebetweencities.net
distancefromto.net
distancesbetween.com
distancesfrom.com
dnsstuff.com
do17qa6ql691x.cloudfront.net
dogpile.com
dougbatchelor.com
downforeveryoneorjustme.com
downforme.org
downrightnow.com
draftexpress.com
drugs.com
duckduckgo.com
ebay.com
ebaydesc.com
ebayrtm.com
ebaystatic.com
ebz.io
edn.la
emaildiscussions.com
employeetravelspecials.com
enjoybettercoffee.com
ensighten.com
esumsoft.com
excite.com
expotv.com
facebook.com
facebook.net
fandango.com
fansided.com
fastmail.com
faxbynet.com
fbcdn.net
fdlstatic.com
fedex.com
feedsportal.com
fid-inv.com
fidelity.com
firefox.com
firstbankcard.com
firstdata.com
firstdata.lv
firstnational.com
flashearth.com
flashgot.net
fncstatic.com
fonts.com
force.com
foursquare.com
foxbusiness.com
foxnews.com
freedownload3.com
freenevadamove.com
funcaptcha.co
gannett-cdn.com
getpocket.com
gfx.ms
gigya.com
go.com
google-analytics.com
google.com
googleusercontent.com
googlevideo.com
gravatar.com
greyhound.com
gstatic.com
hallmarkecards.com
healthgrades.com
hint.fm
homefinder.com
homes.com
hoopsstats.com
hotmail.com
hours-locations.com
hoursofoperation.biz
house.gov
huffingtonpost.com
humanewatch.org
iconosquare.com
iegallery.com
iesnare.com
illusion-optical.com
images-amazon.com
imdb.com
indeed.com
informaction.com
inkfrog.com
insidermonkey.com
inspsearch.com
inspsearchapi.com
interest.com
investorplace.com
ireport.com
irs.gov
isitdownrightnow.com
isp.com
iwebtool.com
ixquick.com
java.com
jhannuities.com
jonathanwornardt.com
juno-news.com
juno.com
kiplinger.com
kmart.com
lakersground.net
lakersnation.com
lakersspin.com
latimes.com
licdn.com
linkedin.com
live.com
live.net
liveperson.net
macys.com
mail.com
majorgeeks.com
maone.net
map.org
mapdevelopers.com
mapquest.com
maps-to-directions.com
maps.googleapis.com
mapszipcode.com
marketrealist.com
marketwatch.com
masterlockvault.com
media-imdb.com
media-server.com
medicare.gov
medicinenet.com
merrilledge.com
metlife.com
metrolist.net
michaelmedved.com
microsoft.com
microsofttranslator.com
mixpanel.com
ml.com
moatads.com
money-zine.com
moneytalksnews.com
morningstar.com
mortgagecalculator.org
mortgagefit.com
mountainfaithband.com
mountainmeadowsashland.com
mountainmeadowscommunity.com
move.com
moviefone.com
movies.com
mozilla.net
mozilla.org
mozillazine.org
mqcdn.com
msecnd.net
msn.com
mstar.com
mt0.googleapis.com
mtmeadows.com
mybanktracker.com
mywot.com
mywot.net
nasdaq.com
nba.com
nbcudigitaladops.com
nbcuni.com
nccsda.com
netdna-cdn.com
newser.com
newsmax.com
newyorklife.com
norton.com
noscript.net
nraendorsedinsurance.com
nypost.com
officedepot.com
omtrdc.net
onenote.com
onenote.net
online-tech-tips.com
onlinecreditcenter6.com
opera.com
optimizely.com
ordinationtruth.com
ourbravest.org
outlook.com
pacifictheatres.com
paragonrels.com
parcelstream.com
passport.com
passport.net
passportimages.com
paypal.com
paypalobjects.com
pbsrc.com
peoplefinder.com
peoplefinders.com
peoplesmart.com
persona.org
pfx.ms
photobucket.com
pixfuture.net
plenti.com
pluggedin.com
po.st
podomatic.com
polarisproject.org
popmoney.com
poppeeper.com
postimg.org
powerthesaurus.org
presscdn.com
private-eclub.com
proxyvote.com
pubnub.com
questdiagnostics.com
quora.com
quoracdn.net
ralphs.com
ralphsrewardsoffers.com
rapmls.com
realtor.com
reference.com
regards.com
regexpal.com
rfecom.com
riteaid.com
rollbar.com
ronaldreagan.com
rpxnow.com
rxlist.com
s-microsoft.com
s-msn.com
salesforceliveagent.com
satelliteviews.net
satsig.net
savondrugs.com
sbnation.com
scamadviser.com
schwab.com
schwabcdn.com
sears.com
secondipity.com
securecode.com
securesuite.net
securetve.com
seekingalpha.com
selfstorage.com
semantictec.com
serving-sys.com
sfdict.com
sfx.ms
sharebuilder.com
sharethis.com
sharylattkisson.com
shermanoakshospital.org
shld.net
si.com
sigfig.com
silverscreenandroll.com
smugmug.com
snapengage.com
socialsecurity.gov
sony.com
soundcloud.com
speedtest.net
spokeo.com
ssa.gov
ssl-images-amazon.com
staceyogg55places.com
staples.com
starbucks.com
static-homes.com
static-selfstorage.com
streamable.com
sucuri.net
supportportal.com
suzannemann55places.com
target.com
targetimg1.com
targetimg2.com
tdameritrade.com
tdbank.com
tempemail.net
thankyou.com
thecrux.com
thegrio.com
thehill.com
theinvestornetwork.com
theplatform.com
thestreet.com
thewindowsclub.com
time.com
tinymce.cachefly.net
topbuzz.com
traderjoes.com
travelmath.com
trbas.com
trendmicro.com
tribtv.com
trouter.io
trulia.com
truste.com
tunein.com
turner.com
tvgcdn.net
tvguide.com
twcsportsnet.com
twimg.com
twitter.com
typekit.net
ugdturner.com
ui-portal.de
uicdn.com
unionbank.com
universalcard.com
uolstatic.com
ups-mi.net
ups.com
usatoday.com
usbank.com
usgs.gov
usps.com
uverse.com
valpak.com
vanguard.com
verisign.com
verizon.com
verizonwireless.com
vfemail.net
vgcontent.info
vimeo.com
vimeocdn.com
vine.co
virtualearth.net
virustotal.com
visualwebsiteoptimizer.com
vitals.com
vzw.com
wal.co
wallst.com
walmart.com
walmartimages.com
weaselzippers.us
weather.com
webmd.com
where2getit.com
wikipedia.org
wildtexas.com
wisegeek.com
wistia.com
wistia.net
wlxrs.com
wmtips.com
wp.com
wunderground.com
www.googleapis.com
yahoo.com
yahooapis.com
yandex.st
yelp.com
yelpcdn.com
yimg.com
youtube.com
ytimg.com
zdassets.com
zedo.com
zendesk.com
zillow.com
zillowstatic.com
about:blank
about:newtab
about:pocket-saved
about:pocket-signup
http://00fun.com
http://100searchengines.com
http://123greetings.com
http://55places.com
http://abbreviations.com
http://about.com
http://accountonline.com
http://aclj.org
http://adblockplus.org
http://adobe.com
http://adventistbookcenter.com
http://adventistmission.org
http://adventistworld.org
http://afx.ms
http://akadns.net
http://akamai-cdn.com
http://akamaihd.net
http://allenbwest.com
http://allenwestrepublic.com
http://amac.us
http://amazingfacts.org
http://amazon.com
http://ameritrade.com
http://amtrak.com
http://angieslist.com
http://answcdn.com
http://answers.com
http://aolcdn.com
http://apple.com
http://arcgisonline.com
http://arrowheaddelivery.com
http://arrowheadwater.com
http://ask.com
http://aspnetcdn.com
http://att-mail.com
http://att.com
http://att.net
http://avast.com
http://avgthreatlabs.com
http://bac-assets.com
http://bankofamerica.com
http://bankrate.com
http://basketball-reference.com
http://bazaarvoice.com
http://bbb.org
http://bbbmetrics.com
http://bbystatic.com
http://beheardproject.com
http://bestbuy.com
http://bestvaluechecks.com
http://bing.com
http://bitdefender.com
http://bkrtx.com
http://bleacherreport.com
http://bleacherreport.net
http://bleepingcomputer.com
http://bloomberg.com
http://bootstrapcdn.com
http://borntowin.net
http://bridgetrack.com
http://brightcove.com
http://btstatic.com
http://buzzfeed.com
http://calnevarealty.net
http://calottery.com
http://capitalone.com
http://capitalone360.com
http://capitaloneinvesting.com
http://care2.com
http://caremark.com
http://cbsi.com
http://cbsistatic.com
http://cdn-seekingalpha.com
http://charitynavigator.org
http://chase.com
http://chasebonus.com
http://citi.com
http://citibank.com
http://citicards.com
http://citimortgage.com
http://city-data.com
http://clamav.net
http://cloudflare.com
http://cms.gov
http://cnet.com
http://cnn.com
http://cnn.net
http://conservativebyte.com
http://conservativetribune.com
http://constitution.com
http://coolopticalillusions.com
http://coupons.com
http://courier-journal.com
http://cpnscdn.com
http://crosscards.com
http://customsoftwareconsult.com
http://cvs.com
http://dailycaller.com
http://dailyliked.net
http://deluxe.com
http://delwebb.com
http://dickmorris.com
http://dictionary.com
http://directrelief.org
http://disconnect.me
http://discovercard.com
http://disqus.com
http://disquscdn.com
http://distancebetweencities.net
http://distancefromto.net
http://distancesbetween.com
http://distancesfrom.com
http://dnsstuff.com
http://dogpile.com
http://dougbatchelor.com
http://downforeveryoneorjustme.com
http://downforme.org
http://downrightnow.com
http://draftexpress.com
http://drugs.com
http://duckduckgo.com
http://ebay.com
http://ebaydesc.com
http://ebayrtm.com
http://ebaystatic.com
http://ebz.io
http://edn.la
http://emaildiscussions.com
http://employeetravelspecials.com
http://enjoybettercoffee.com
http://ensighten.com
http://esumsoft.com
http://excite.com
http://expotv.com
http://facebook.com
http://facebook.net
http://fandango.com
http://fansided.com
http://fastmail.com
http://faxbynet.com
http://fbcdn.net
http://fdlstatic.com
http://fedex.com
http://feedsportal.com
http://fid-inv.com
http://fidelity.com
http://firefox.com
http://firstbankcard.com
http://firstdata.com
http://firstdata.lv
http://firstnational.com
http://flashearth.com
http://flashgot.net
http://fncstatic.com
http://fonts.com
http://force.com
http://foursquare.com
http://foxbusiness.com
http://foxnews.com
http://freedownload3.com
http://freenevadamove.com
http://funcaptcha.co
http://gannett-cdn.com
http://getpocket.com
http://gfx.ms
http://gigya.com
http://go.com
http://google-analytics.com
http://google.com
http://googleusercontent.com
http://googlevideo.com
http://gravatar.com
http://greyhound.com
http://gstatic.com
http://hallmarkecards.com
http://healthgrades.com
http://hint.fm
http://homefinder.com
http://homes.com
http://hoopsstats.com
http://hotmail.com
http://hours-locations.com
http://hoursofoperation.biz
http://house.gov
http://huffingtonpost.com
http://humanewatch.org
http://iconosquare.com
http://iegallery.com
http://iesnare.com
http://illusion-optical.com
http://images-amazon.com
http://imdb.com
http://indeed.com
http://informaction.com
http://inkfrog.com
http://insidermonkey.com
http://inspsearch.com
http://inspsearchapi.com
http://interest.com
http://investorplace.com
http://ireport.com
http://irs.gov
http://isitdownrightnow.com
http://isp.com
http://iwebtool.com
http://ixquick.com
http://java.com
http://jhannuities.com
http://jonathanwornardt.com
http://juno-news.com
http://juno.com
http://kiplinger.com
http://kmart.com
http://lakersground.net
http://lakersnation.com
http://lakersspin.com
http://latimes.com
http://licdn.com
http://linkedin.com
http://live.com
http://live.net
http://liveperson.net
http://macys.com
http://mail.com
http://majorgeeks.com
http://maone.net
http://map.org
http://mapdevelopers.com
http://mapquest.com
http://maps-to-directions.com
http://mapszipcode.com
http://marketrealist.com
http://marketwatch.com
http://masterlockvault.com
http://media-imdb.com
http://media-server.com
http://medicare.gov
http://medicinenet.com
http://merrilledge.com
http://metlife.com
http://metrolist.net
http://michaelmedved.com
http://microsoft.com
http://microsofttranslator.com
http://mixpanel.com
http://ml.com
http://moatads.com
http://money-zine.com
http://moneytalksnews.com
http://morningstar.com
http://mortgagecalculator.org
http://mortgagefit.com
http://mountainfaithband.com
http://mountainmeadowsashland.com
http://mountainmeadowscommunity.com
http://move.com
http://moviefone.com
http://movies.com
http://mozilla.net
http://mozilla.org
http://mozillazine.org
http://mqcdn.com
http://msecnd.net
http://msn.com
http://mstar.com
http://mtmeadows.com
http://mybanktracker.com
http://mywot.com
http://mywot.net
http://nasdaq.com
http://nba.com
http://nbcudigitaladops.com
http://nbcuni.com
http://nccsda.com
http://netdna-cdn.com
http://newser.com
http://newsmax.com
http://newyorklife.com
http://norton.com
http://noscript.net
http://nraendorsedinsurance.com
http://nypost.com
http://officedepot.com
http://omtrdc.net
http://onenote.com
http://onenote.net
http://online-tech-tips.com
http://onlinecreditcenter6.com
http://opera.com
http://optimizely.com
http://ordinationtruth.com
http://ourbravest.org
http://outlook.com
http://pacifictheatres.com
http://paragonrels.com
http://parcelstream.com
http://passport.com
http://passport.net
http://passportimages.com
http://paypal.com
http://paypalobjects.com
http://pbsrc.com
http://peoplefinder.com
http://peoplefinders.com
http://peoplesmart.com
http://persona.org
http://pfx.ms
http://photobucket.com
http://pixfuture.net
http://plenti.com
http://pluggedin.com
http://po.st
http://podomatic.com
http://polarisproject.org
http://popmoney.com
http://poppeeper.com
http://postimg.org
http://powerthesaurus.org
http://presscdn.com
http://private-eclub.com
http://proxyvote.com
http://pubnub.com
http://questdiagnostics.com
http://quora.com
http://quoracdn.net
http://ralphs.com
http://ralphsrewardsoffers.com
http://rapmls.com
http://realtor.com
http://reference.com
http://regards.com
http://regexpal.com
http://rfecom.com
http://riteaid.com
http://rollbar.com
http://ronaldreagan.com
http://rpxnow.com
http://rxlist.com
http://s-microsoft.com
http://s-msn.com
http://salesforceliveagent.com
http://satelliteviews.net
http://satsig.net
http://savondrugs.com
http://sbnation.com
http://scamadviser.com
http://schwab.com
http://schwabcdn.com
http://sears.com
http://secondipity.com
http://securecode.com
http://securesuite.net
http://securetve.com
http://seekingalpha.com
http://selfstorage.com
http://semantictec.com
http://serving-sys.com
http://sfdict.com
http://sfx.ms
http://sharebuilder.com
http://sharethis.com
http://sharylattkisson.com
http://shermanoakshospital.org
http://shld.net
http://si.com
http://sigfig.com
http://silverscreenandroll.com
http://smugmug.com
http://snapengage.com
http://socialsecurity.gov
http://sony.com
http://soundcloud.com
http://speedtest.net
http://spokeo.com
http://ssa.gov
http://ssl-images-amazon.com
http://staceyogg55places.com
http://staples.com
http://starbucks.com
http://static-homes.com
http://static-selfstorage.com
http://streamable.com
http://sucuri.net
http://supportportal.com
http://suzannemann55places.com
http://target.com
http://targetimg1.com
http://targetimg2.com
http://tdameritrade.com
http://tdbank.com
http://tempemail.net
http://thankyou.com
http://thecrux.com
http://thegrio.com
http://thehill.com
http://theinvestornetwork.com
http://theplatform.com
http://thestreet.com
http://thewindowsclub.com
http://time.com
http://topbuzz.com
http://traderjoes.com
http://travelmath.com
http://trbas.com
http://trendmicro.com
http://tribtv.com
http://trouter.io
http://trulia.com
http://truste.com
http://tunein.com
http://turner.com
http://tvgcdn.net
http://tvguide.com
http://twcsportsnet.com
http://twimg.com
http://twitter.com
http://typekit.net
http://ugdturner.com
http://ui-portal.de
http://uicdn.com
http://unionbank.com
http://universalcard.com
http://uolstatic.com
http://ups-mi.net
http://ups.com
http://usatoday.com
http://usbank.com
http://usgs.gov
http://usps.com
http://uverse.com
http://valpak.com
http://vanguard.com
http://verisign.com
http://verizon.com
http://verizonwireless.com
http://vfemail.net
http://vgcontent.info
http://vimeo.com
http://vimeocdn.com
http://vine.co
http://virtualearth.net
http://virustotal.com
http://visualwebsiteoptimizer.com
http://vitals.com
http://vzw.com
http://wal.co
http://wallst.com
http://walmart.com
http://walmartimages.com
http://weaselzippers.us
http://weather.com
http://webmd.com
http://where2getit.com
http://wikipedia.org
http://wildtexas.com
http://wisegeek.com
http://wistia.com
http://wistia.net
http://wlxrs.com
http://wmtips.com
http://wp.com
http://wunderground.com
http://yahoo.com
http://yahooapis.com
http://yandex.st
http://yelp.com
http://yelpcdn.com
http://yimg.com
http://youtube.com
http://ytimg.com
http://zdassets.com
http://zedo.com
http://zendesk.com
http://zillow.com
http://zillowstatic.com
https://00fun.com
https://100searchengines.com
https://123greetings.com
https://55places.com
https://abbreviations.com
https://about.com
https://accountonline.com
https://aclj.org
https://adblockplus.org
https://adobe.com
https://adventistbookcenter.com
https://adventistmission.org
https://adventistworld.org
https://afx.ms
https://akadns.net
https://akamai-cdn.com
https://akamaihd.net
https://allenbwest.com
https://allenwestrepublic.com
https://amac.us
https://amazingfacts.org
https://amazon.com
https://ameritrade.com
https://amtrak.com
https://angieslist.com
https://answcdn.com
https://answers.com
https://aolcdn.com
https://apple.com
https://arcgisonline.com
https://arrowheaddelivery.com
https://arrowheadwater.com
https://ask.com
https://aspnetcdn.com
https://att-mail.com
https://att.com
https://att.net
https://avast.com
https://avgthreatlabs.com
https://bac-assets.com
https://bankofamerica.com
https://bankrate.com
https://basketball-reference.com
https://bazaarvoice.com
https://bbb.org
https://bbbmetrics.com
https://bbystatic.com
https://beheardproject.com
https://bestbuy.com
https://bestvaluechecks.com
https://bing.com
https://bitdefender.com
https://bkrtx.com
https://bleacherreport.com
https://bleacherreport.net
https://bleepingcomputer.com
https://bloomberg.com
https://bootstrapcdn.com
https://borntowin.net
https://bridgetrack.com
https://brightcove.com
https://btstatic.com
https://buzzfeed.com
https://calnevarealty.net
https://calottery.com
https://capitalone.com
https://capitalone360.com
https://capitaloneinvesting.com
https://care2.com
https://caremark.com
https://cbsi.com
https://cbsistatic.com
https://cdn-seekingalpha.com
https://charitynavigator.org
https://chase.com
https://chasebonus.com
https://citi.com
https://citibank.com
https://citicards.com
https://citimortgage.com
https://city-data.com
https://clamav.net
https://cloudflare.com
https://cms.gov
https://cnet.com
https://cnn.com
https://cnn.net
https://conservativebyte.com
https://conservativetribune.com
https://constitution.com
https://coolopticalillusions.com
https://coupons.com
https://courier-journal.com
https://cpnscdn.com
https://crosscards.com
https://customsoftwareconsult.com
https://cvs.com
https://dailycaller.com
https://dailyliked.net
https://deluxe.com
https://delwebb.com
https://dickmorris.com
https://dictionary.com
https://directrelief.org
https://disconnect.me
https://discovercard.com
https://disqus.com
https://disquscdn.com
https://distancebetweencities.net
https://distancefromto.net
https://distancesbetween.com
https://distancesfrom.com
https://dnsstuff.com
https://dogpile.com
https://dougbatchelor.com
https://downforeveryoneorjustme.com
https://downforme.org
https://downrightnow.com
https://draftexpress.com
https://drugs.com
https://duckduckgo.com
https://ebay.com
https://ebaydesc.com
https://ebayrtm.com
https://ebaystatic.com
https://ebz.io
https://edn.la
https://emaildiscussions.com
https://employeetravelspecials.com
https://enjoybettercoffee.com
https://ensighten.com
https://esumsoft.com
https://excite.com
https://expotv.com
https://facebook.com
https://facebook.net
https://fandango.com
https://fansided.com
https://fastmail.com
https://faxbynet.com
https://fbcdn.net
https://fdlstatic.com
https://fedex.com
https://feedsportal.com
https://fid-inv.com
https://fidelity.com
https://firefox.com
https://firstbankcard.com
https://firstdata.com
https://firstdata.lv
https://firstnational.com
https://flashearth.com
https://flashgot.net
https://fncstatic.com
https://fonts.com
https://force.com
https://foursquare.com
https://foxbusiness.com
https://foxnews.com
https://freedownload3.com
https://freenevadamove.com
https://funcaptcha.co
https://gannett-cdn.com
https://getpocket.com
https://gfx.ms
https://gigya.com
https://go.com
https://google-analytics.com
https://google.com
https://googleusercontent.com
https://googlevideo.com
https://gravatar.com
https://greyhound.com
https://gstatic.com
https://hallmarkecards.com
https://healthgrades.com
https://hint.fm
https://homefinder.com
https://homes.com
https://hoopsstats.com
https://hotmail.com
https://hours-locations.com
https://hoursofoperation.biz
https://house.gov
https://huffingtonpost.com
https://humanewatch.org
https://iconosquare.com
https://iegallery.com
https://iesnare.com
https://illusion-optical.com
https://images-amazon.com
https://imdb.com
https://indeed.com
https://informaction.com
https://inkfrog.com
https://insidermonkey.com
https://inspsearch.com
https://inspsearchapi.com
https://interest.com
https://investorplace.com
https://ireport.com
https://irs.gov
https://isitdownrightnow.com
https://isp.com
https://iwebtool.com
https://ixquick.com
https://java.com
https://jhannuities.com
https://jonathanwornardt.com
https://juno-news.com
https://juno.com
https://kiplinger.com
https://kmart.com
https://lakersground.net
https://lakersnation.com
https://lakersspin.com
https://latimes.com
https://licdn.com
https://linkedin.com
https://live.com
https://live.net
https://liveperson.net
https://macys.com
https://mail.com
https://majorgeeks.com
https://maone.net
https://map.org
https://mapdevelopers.com
https://mapquest.com
https://maps-to-directions.com
https://mapszipcode.com
https://marketrealist.com
https://marketwatch.com
https://masterlockvault.com
https://media-imdb.com
https://media-server.com
https://medicare.gov
https://medicinenet.com
https://merrilledge.com
https://metlife.com
https://metrolist.net
https://michaelmedved.com
https://microsoft.com
https://microsofttranslator.com
https://mixpanel.com
https://ml.com
https://moatads.com
https://money-zine.com
https://moneytalksnews.com
https://morningstar.com
https://mortgagecalculator.org
https://mortgagefit.com
https://mountainfaithband.com
https://mountainmeadowsashland.com
https://mountainmeadowscommunity.com
https://move.com
https://moviefone.com
https://movies.com
https://mozilla.net
https://mozilla.org
https://mozillazine.org
https://mqcdn.com
https://msecnd.net
https://msn.com
https://mstar.com
https://mtmeadows.com
https://mybanktracker.com
https://mywot.com
https://mywot.net
https://nasdaq.com
https://nba.com
https://nbcudigitaladops.com
https://nbcuni.com
https://nccsda.com
https://netdna-cdn.com
https://newser.com
https://newsmax.com
https://newyorklife.com
https://norton.com
https://noscript.net
https://nraendorsedinsurance.com
https://nypost.com
https://officedepot.com
https://omtrdc.net
https://onenote.com
https://onenote.net
https://online-tech-tips.com
https://onlinecreditcenter6.com
https://opera.com
https://optimizely.com
https://ordinationtruth.com
https://ourbravest.org
https://outlook.com
https://pacifictheatres.com
https://paragonrels.com
https://parcelstream.com
https://passport.com
https://passport.net
https://passportimages.com
https://paypal.com
https://paypalobjects.com
https://pbsrc.com
https://peoplefinder.com
https://peoplefinders.com
https://peoplesmart.com
https://persona.org
https://pfx.ms
https://photobucket.com
https://pixfuture.net
https://plenti.com
https://pluggedin.com
https://po.st
https://podomatic.com
https://polarisproject.org
https://popmoney.com
https://poppeeper.com
https://postimg.org
https://powerthesaurus.org
https://presscdn.com
https://private-eclub.com
https://proxyvote.com
https://pubnub.com
https://questdiagnostics.com
https://quora.com
https://quoracdn.net
https://ralphs.com
https://ralphsrewardsoffers.com
https://rapmls.com
https://realtor.com
https://reference.com
https://regards.com
https://regexpal.com
https://rfecom.com
https://riteaid.com
https://rollbar.com
https://ronaldreagan.com
https://rpxnow.com
https://rxlist.com
https://s-microsoft.com
https://s-msn.com
https://salesforceliveagent.com
https://satelliteviews.net
https://satsig.net
https://savondrugs.com
https://sbnation.com
https://scamadviser.com
https://schwab.com
https://schwabcdn.com
https://sears.com
https://secondipity.com
https://securecode.com
https://securesuite.net
https://securetve.com
https://seekingalpha.com
https://selfstorage.com
https://semantictec.com
https://serving-sys.com
https://sfdict.com
https://sfx.ms
https://sharebuilder.com
https://sharethis.com
https://sharylattkisson.com
https://shermanoakshospital.org
https://shld.net
https://si.com
https://sigfig.com
https://silverscreenandroll.com
https://smugmug.com
https://snapengage.com
https://socialsecurity.gov
https://sony.com
https://soundcloud.com
https://speedtest.net
https://spokeo.com
https://ssa.gov
https://ssl-images-amazon.com
https://staceyogg55places.com
https://staples.com
https://starbucks.com
https://static-homes.com
https://static-selfstorage.com
https://streamable.com
https://sucuri.net
https://supportportal.com
https://suzannemann55places.com
https://target.com
https://targetimg1.com
https://targetimg2.com
https://tdameritrade.com
https://tdbank.com
https://tempemail.net
https://thankyou.com
https://thecrux.com
https://thegrio.com
https://thehill.com
https://theinvestornetwork.com
https://theplatform.com
https://thestreet.com
https://thewindowsclub.com
https://time.com
https://topbuzz.com
https://traderjoes.com
https://travelmath.com
https://trbas.com
https://trendmicro.com
https://tribtv.com
https://trouter.io
https://trulia.com
https://truste.com
https://tunein.com
https://turner.com
https://tvgcdn.net
https://tvguide.com
https://twcsportsnet.com
https://twimg.com
https://twitter.com
https://typekit.net
https://ugdturner.com
https://ui-portal.de
https://uicdn.com
https://unionbank.com
https://universalcard.com
https://uolstatic.com
https://ups-mi.net
https://ups.com
https://usatoday.com
https://usbank.com
https://usgs.gov
https://usps.com
https://uverse.com
https://valpak.com
https://vanguard.com
https://verisign.com
https://verizon.com
https://verizonwireless.com
https://vfemail.net
https://vgcontent.info
https://vimeo.com
https://vimeocdn.com
https://vine.co
https://virtualearth.net
https://virustotal.com
https://visualwebsiteoptimizer.com
https://vitals.com
https://vzw.com
https://wal.co
https://wallst.com
https://walmart.com
https://walmartimages.com
https://weaselzippers.us
https://weather.com
https://webmd.com
https://where2getit.com
https://wikipedia.org
https://wildtexas.com
https://wisegeek.com
https://wistia.com
https://wistia.net
https://wlxrs.com
https://wmtips.com
https://wp.com
https://wunderground.com
https://yahoo.com
https://yahooapis.com
https://yandex.st
https://yelp.com
https://yelpcdn.com
https://yimg.com
https://youtube.com
https://ytimg.com
https://zdassets.com
https://zedo.com
https://zendesk.com
https://zillow.com
https://zillowstatic.com
[UNTRUSTED]
degreesexcite.s3.amazonaws.com

[therube]

viewtopic.php?p=78477#p78477

viewtopic.php?p=78482#p78482

[lakrsrool]

Pretty sure that's the URL I start from, I'll check in the morning.

I actually always start with
https://secure.bankofamerica.com/login/ ... /signOn.go
but that rolls over to something like
https://secure.bankofamerica.com/login/sign-in/signOnScreen.go?msg=OnlineIdEmpty&request_locale=&lpOlbResetErrorCounter=0&statusCode=301
so we're essentially at the same place.

OK, nothing to reply to here

try (just as a test, this is *not* a fix!!!!!) disabling the XSS filter (un-check both boxes under NoScript Options > Advanced > XSS)

I can log in irrespective of those settings.

I have said that I have had to already uncheck the lower XSS filter setting for other banks, I now find to avoid the 40 second hang logging into BofA I also have to uncheck the upper XSS filter setting. And I thank you very much for that advice.

ADDENDUM: Oh btw, is there anything that I can tell that bank's tech department

You can tell them that when using the SeaMonkey they state, "Our site may not work properly for the browser you're using." & that is total bogus BS on their part. (Browsers We Recommend)

You can tell them, eh...

OK, nothing to reply to here

My only (Temporarily) Allowed domain is, bankofamerica.com.
Bla! Seems Transfers now require, bac-assets.com.

I've been disabling the lower bottom setting for awhile now because other bank sites won't work with this lower XSS setting enabled) and been logging in but no I'm finding that the website won't finish logging out.

Which others?

Actually doesn't apply here as we're only discussing BoA, but I'll answer the question anyway, the other banks are Union Bank and US bank for what it's worth and involves specific functions and not just logging into the website, but I've solved those issues by disabling the lower XSS setting as mentioned already

as a test, I would...

create a new Profile
install only NoScript
disable all Plugins
restart browser

Test.

I've done this test, it makes no difference. I still get the login delay using XSS in NoScript and do not get the delay when I disable the XSS settings.

Also I've even used another laptop (my wife's who only uses IE or Chrome browsers) and installed Firefox fresh (obviously with no add-ons) and ONLY installed the ONE ADD-ON NoScript and I get the same thing.

I had also tested the BofA login in Firefox on this laptop with the fresh Firefox install prior to adding the NoScript add-on and I was able to login without any hang.

After installing only the NoScript add-on in a "fresh" Firefox install I get the hang when logging in unless I uncheck the XSS settings in NoScript which then solves the hang problem. (I will say the hang on my wife's laptop is less than my laptop, on her's it's 15-20 second hang, on my it's generally 30-40 second hang). This can of course vary according the speed of the computer presumably. That said, regardless of the shorter hang time of 15-20 seconds her computer will still hang during the login without XSS disabled and will not hang during the login with XSS enabled.

Conclusion: On different profiles and even brand new Firefox browser installs the BofA login will hang using NoScript unless I disable XSS in Noscript.

Btw, I'm not sure why it would be that necessary to do these tests since I had already previously disabled all add-ons on my laptop except NoScript and gotten the same results but I've done all these tests anyway.

[is it coincidence that i have to confirm my "challenge" questions this morning?]

OK, not sure how "coincidence" applies but I've confirmed you "challenge" questions this morning.

Now may I ask you a question that I've been asking about for awhile?

You've said

... I can log in irrespective of those settings.

I can also login irrespective of the settings. That is either case I'm able to login eventually, it's just that in one case there is a hang during the login. What I've been asking is even though you can login regardless of the XSS settings do you detect your computer to hang AT ALL if you do not disable the XSS settings in NoScript? In other words are you saying that no matter what you've got the XSS settings at (enabled or disabled) you can login either way without ANY hang at all in either case so there is absolutely NO DIFFERENCE at ALL? Keeping in mind if you do experience some delay logging in you might have a very shot time-frame hang in the event you have a much faster computer than mine of course.

If in your case there's absolutely no difference at all then that's odd since both myself and Ashcan have this same issue yet you do not. It would be nice to know what it is that makes the difference.

[therube]

disable all Plugins

Was that done?

If not, try it.
If so, reboot your computer in Safe Mode with Networking & test again.

What Plugins do you have?
What A/V do you use?

What I've been asking is even though you can login regardless of the XSS settings do you detect your computer to hang AT ALL if you do not disable the XSS settings in NoScript?

No hang (& yes I may not have been to clear on that before).

In other words are you saying that no matter what you've got the XSS settings at (enabled or disabled) you can login either way without ANY hang at all in either case so there is absolutely NO DIFFERENCE at ALL?

Correct.

in the event you have a much faster computer than mine of course.

Not likely.
Intel E4300, 2GB RAM.

[lakrsrool]

disable all Plugins

Was that done?

If not, try it.
If so, reboot your computer in Safe Mode with Networking & test again.

What Plugins do you have?
What A/V do you use?

OK, here you go.

1) First of all, you didn't ask about "Add-ons", but for the record I have disabled all add-ons and then isolated down to the NoScript add-on to determine that NoScirpt was the only add-on that causes the hang logging into BofA website.

2) You're now asking about "Plugins". Yes I have disabled all Plugins and it makes no difference, still the website hangs as a result of the NoScript XSS protection during login.

3) I've rebooted into safe Mode with Networking and found that the problem still persists, that is I still get the hang when logging into the BofA website if I'm using the XSS settings in NoScript.

4) As far as the Plugins that I have, they are the following: 1) Adobe Acrobat 9.5.5.316, 2) Google Earth 7.1.5.1557, 3) Google Update 1.3.28.13, 4) Java (TM) platform SE 8 U60, 5) Microsoft Office 2010, 6) Microsoft Office 2013, 7) OpenH264 Video Codec 1.4, 8) Primetime Content Decryption Model (Adobe), 9) Quicktime 7.7.8, 10) Shock Wave Flash 18.0.0.232, 11) Shock Wave Director version 11.5.8.612, 12) Silverlight 5.1.40728.0, 13) VLC web 2.2.1.0, 14) Windows Live Photo Gallery 15.4.3508.1109

5) The AV I use is Avast 2015.10.2.2218

Btw, I've included (added to what's there already) in the Anti-XXS Protection Exceptions the following:
^https://secure\.bankofamerica\.com/.*
^https://olui2\.fs\.ml\.com/.*
^https://streak\.bankofamerica\.com/.*
^https://ml\.fsdml\.com/.*
^https://uib\.ff.avast\.com/.*
^http://ocsp.\msocsp.\com/.*

Which are sites that I've tracked that occur when logging in (I monitored the Avast scan activity to get most of this). I would have hoped that by entering these sites that NoScript would do what one would would expect, that is skip (exclude) these sites as far as the XSS settings are concerned in NoScript and avoid the hang as a result. Whether XSS is actually skipped who knows (I would think what I've entered is correct).

I have thought of one other thing that has not been considered. I happen to have my BofA checking account linked to my Merrill Edge Brokerage account. And I get this same hang every time I go from the Brokerage account to the Bank account, but I do not get the hang going from the Bank account to the Brokerage account.

Here's the scenario:
1) Logging in the first time from the checking account login page which opens into the Checking Account = HANG
2) Once logged in, going from the Checking account to the linked Brokerage account = NO hang
3) Once logged in, going from the Brokerage account to the Checking account = HANG
4) Logging directly into the Brokerage account (a different login page than the Checking account) = NO hang
5) Going from the Brokerage account (after logging directly into it directly with no problem) to the linked Checking account = HANG

Conclusion: So as we can see every time I go into the Checking account the first time from another location I get a hang, thereafter no more hangs using the website until once again in the event I'm once again going from another location (either logging in the first time or coming from the Brokerage account) into the Checking account then it will hang again, but only hang first entering the Checking account site.

What I'm wondering is could this hang that is caused by the NoScript XSS settings have something to do with the two accounts being linked.

Is your account linked to any other accounts?

This could be the problem in my case possibly, but it's of course just a guess.

Oh and keep in mind that this "hang" issue inadvertently caused by the NoScript XSS settings when entering the "checking account" site has only been occurring since around the time BofA changed their "CHECKING/SAVINGS account LOGIN" page (they discarded the "security" picture displayed on a second page) where both the "Login ID" and "Passcode" are now basically on the same page (for some login pages the "Pass code" is a popup prompt after entering the "ID", other logins they have both boxes displayed at the same time) and there is no longer any "Security" picture used to verify the account.

And it's worth noting that on the other hand the Stand alone "brokerage login page" has not been changed and still does have a "Security" picture for that login (and NoScript XSS does not cause a hang when entering that site)

[therube]

5) The AV I use is Avast 2015.10.2.2218

Do you use its "web shield" feature?
Disable that & test.
(Better, disable all "features" of Avast, or uninstall, & test.)

I've included (added to what's there already) in the Anti-XXS Protection Exceptions the following

I only use whatever is default.

I happen to have my BofA checking account linked to my Merrill Edge Brokerage account.

I have multiple linked accounts, but no Merrill Edge.
(Might be able to scrounge one up. Was in that joint yesterday, & they had a sign up, something like... business customers, if you're going to make cash deposits, you'll be required to have ID. Figure I'll deposit cash into a personal account & then have them transfer from there into the business, & screw their "ID".)