[Unrelated] NoScript and americanexpress.com

[CyberBob]

I'm unable to download statements... after individually disabling addons, NS is involved...

Fx 39.0, NS 2.6.9.32, ABP 2.6.10, RP 1.0.beta10, Win8.1

URL: https://online.americanexpress.com/myca ... statements

Click-URL: https://online.americanexpress.com/myca ... tatements#

NS domain Settings: americanexpress.com, ensighten.com, aexp-static.com, liveperson.com all enabled (no domains shown blocked)

Steps: americanexpress.com, [login], click billing statements, click item from dated list for PDF download

Results: adobe icon (as circle) spins 3-5 times, no popup, no new tab, no new browser, no statement! Fx download manager shows no downloads...

Browser console (Net,CSS,JS,Security,Logging) immediately after clicking statement link:
TypeError: gBrowser.contentWindow is undefined overlay.js:40:0
about:blank : Unable to run script because scripts are blocked internally. <unknown>
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] 46734947

Debugging attempts:
NS: Options: added americanexpress.com to white-list -Joy
NS: Options: XSS: added exception ^https://www.americanexpress.com+$ -Joy
NS: Options: General: changed temporarily allow 'Base 2nd level Domains' (from Full Addresses) -Joy
NS: Options: Whitelist: added https://online.americanexpress.com/myca ... timage/us/ (did NOT appear?) -Joy
NS: Options: "temporarily enable all this page" -Joy
NS: Options: General: Full URL, Whitelist: enable -all previously set, Embeddings: NOT apply to whitelisted, Block untrusted -Joy
NS: Options: ABE: added exception "# AmericanExpress CRLF Site .americanexpress.com CRLF Accept" -Joy
NS: Options: XSS: added exception ^https://online.americanexpress.com+$ -Joy
NS: Options: Trusted: checked 'cascade scripts' -Joy
NS: Options: XSS: added exception ^https://aexp-static.com+$ -Joy

Net results: cannot download statement(s) while NS active.
AXP tech support: use iE or don't use NS

[barbaz]

Try latest development build? (actually, you have to get it from the addons.mozilla.org page I link below, just get latest rc from that page)

If that doesn't help... did it work before, and if so try downgrading NoScript? If downgrading works, what is the earliest rc to exhibit this problem?
Old NoScript @
https://addons.mozilla.org/addon/noscript/versions
*or*
https://noscript.net/feed?c=100&t=a

EDIT Wait, what's overlay.js? That's not part of NoScript...

[CyberBob]

It'll take several days to run downgrade experiments as you suggest...

Problem has been present for several months. I believe (but have no specific record) of things working earlier this year.

I can't find an explicit reference to overlay.js at americanexpress.com but I did find several webpages at aexp-static.com that reference such; if not aexp, then possibly from ensighten.com (both referenced from americanexpress.com).

Oh, BTW
Fx Options: Content: block popups unchecked -Joy

[barbaz]

It'll take several days to run downgrade experiments as you suggest...

Problem has been present for several months.

Oh... never mind then, it's probably not that. Don't worry about it.

You might want to look at the Browser Console (Ctrl-Shift-J) as the page (the one where you're clicking the link) is loading - a NoScript related message that affects it might turn up there. (turn off CSS warnings, but you probably already knew that )

Another idea: if you access the statement with NS disabled, can you grab the URL? If so, and if that URL will work repeatedly, can you see if it alone loads with NS enabled (meaning, you log in separately and pate it in, not click on the link)? Or do I not make any sense there, because the URL is just the one that doesn't load with NS enabled?

Also, what other extensions do you have?

I can't find an explicit reference to overlay.js at americanexpress.com

It's in an extension you got, not something on the web page. Can't you just click the overlay.js in your Browser Console (Ctrl-Shift-J) to view the source of that script and thus find out what it is?

[CyberBob]

After re-running my test cases, the problem is NOT with NoScript, but with Disconnect 3.15.3.1-signed. I must have messed up enable/disable sequences. Thanks for your help!