
Firefox hard freeze in js::irregexp::InterpretCode

Posted: Thu Apr 30, 2015 3:40 pm
by rezca
Hi, I've noticed an intranet site hard-freezes Firefox (39.0a2 Linux x86-64), and instead of just launching Chrome, today I decided to investigate. By hard-freeze I mean it stops responding totally; I don't even get the "unresponsive script" dialog. A clean profile with no extensions doesn't reproduce the issue; installing NoScript in the same profile does reproduce the issue, even with scripts enabled globally. My NoScript version is 2.6.9.22, and I've also tried the development version (2.6.9.22rc1) with the same results. A Mozilla bug report is here: https://crash-stats.mozilla.com/report/ ... 8dd2150430

I attached a debugger: the string the regexp is choking on looks like my ldap group memberships, but I don't see the uncompiled regexp itself. The ldap groups look like this (sanitized and truncated):
";##DOMAIN\\Domain Users;Everyone;BUILTIN\\Users;NT AUTHORITY\\NETWORK;NT AUTHORITY\\Authenticated Users;NT AUTHORITY\\This Organization;DOMAIN\\Password Policy for Advanced Users;DOMAIN\\Access to blah", etc. I dropped it into python and the set of special characters (other than A-Za-z0-9) is: " #$&'()-|;\\_", and total length is 5849.

I narrowed it down to the XSS checkbox: "Turn cross-site POST requests into data-less GET requests". With that checkbox unchecked, the problem no longer manifests. Let me know if I can help narrow down the issue further.

Thanks!

Re: Firefox hard freeze in js::irregexp::InterpretCode

Posted: Thu Apr 30, 2015 3:56 pm
by barbaz
Any non-default XSS-related regexps?

(Sounds similar to https://bugzilla.mozilla.org/show_bug.cgi?id=1012491 FWIW.)

Re: Firefox hard freeze in js::irregexp::InterpretCode

Posted: Thu Apr 30, 2015 4:06 pm
by rezca
No, I created a clean profile to repro.

Re: Firefox hard freeze in js::irregexp::InterpretCode

Posted: Fri May 01, 2015 12:50 am
by therube
Does it also happen in FF 37 (release)?

Re: Firefox hard freeze in js::irregexp::InterpretCode

Posted: Mon May 04, 2015 1:43 pm
by rezca
Yes, also confirmed on Firefox 37.0.2 with NoScript 2.6.9.22rc1.