Page 1 of 1
BUG: NoScript causes Firefox to hang when visiting page
Posted: Sun Sep 06, 2015 10:30 pm
by doidy
Hi, I was trying to get into my online banking, when Firefox kept freezing at the login page (had to manually kill FF, which was totally unresponsive and maxing out one core of my CPU). I tracked the culprit down, and it turned out to be NoScript.
Starting from a new blank profile in FF I installed NoScript (and nothing else), and visited the login page (
https://www.nwolb.com ), and it worked fine!
So, I then changed two settings in NoScript, to "Temporarily allow top-level sites by default" and checked the "Base 2nd level Domains" option. When I refreshed the page, bingo!, FF froze as it does with my regular profile. (I use those settings in my usual profile.)
Note: you don't need to bank with my bank to test this out, just visiting the login page is enough to cause the freeze.
Also, if I disable XSS checking within NS, the page works fine.
I'm running FF 40.0.3 on a Linux machine and the latest NoScript 2.6.9.36 from Mozilla addons.
Re: BUG: NoScript causes Firefox to hang when visiting page
Posted: Sun Sep 06, 2015 10:35 pm
by barbaz
Yes it's known from several other reports that lately the XSS filter can cause temporary hanging... but is it actually taking any action?
So when this problem occurs, do you see anything related in the Browser Console? (Ctrl-Shift-J)
(if you don't know what's related, turn off CSS warnings and post everything else you see)
Re: BUG: NoScript causes Firefox to hang when visiting page
Posted: Sun Sep 06, 2015 10:58 pm
by doidy
Thanks for getting back so quickly. Unfortunately I can't post the output as the console freezes when the browser freezes! I'll see if I can get a screen grab tomorrow (it's late here now).
Also, if it is of any help to anyone, as a workaround just changing the "Base 2nd level Domains" (under "Temporarily allow top-level sites by default") option to either "Full Address" or "Full Domains" stops the freezing for me (ETA: while keeping XSS checking on), on that particular page. I've not noticed freezes anywhere else yet.
Re: BUG: NoScript causes Firefox to hang when visiting page
Posted: Mon Sep 07, 2015 12:30 am
by barbaz
Probably because it's something a script - one that isn't on the full domain - is doing, that is making the XSS filter either sanitize something or check it in detail. This might suggest window.name tampering?
Re: BUG: NoScript causes Firefox to hang when visiting page
Posted: Mon Sep 07, 2015 8:08 am
by doidy
OK, so I got a screengrab of the console right before the crash (which wasn't easy):
Code: Select all
https://www.dropbox.com/s/ng03j8gnna8seb1/ns_windowgrab.png
Note: I redacted some info that might be used to cause mischief.
Also, note that this site was working a few days ago with the same version of NS and the same settings, so obviously something at that site has changed.
ETA: I just tried the same page on a different machine running the same version of FF and NS (though a different version of Linux) and got the same crash.
ETA2: Link broke somehow, though it worked earlier, so I put it in code brackets.
Re: BUG: NoScript causes Firefox to hang when visiting page
Posted: Mon Sep 07, 2015 3:53 pm
by barbaz
I don't know if those messages are due to the script that's causing the hang or not, but see
viewtopic.php?f=7&t=19388
Re: BUG: NoScript causes Firefox to hang when visiting page
Posted: Mon Sep 07, 2015 6:24 pm
by doidy
Ah right. I thought that was some sort of security thing (the red rectangle in the screengrab hides my IP address).
ETA: I just checked and those lines also appear when it doesn't crash.
Also, I think you're right about the "one that isn't on the full domain", as when I temp allow nwolb.com (in addition to
www.nwolb.com) it also causes the freeze.
OK, thanks anyway.
Re: BUG: NoScript causes Firefox to hang when visiting page
Posted: Mon Sep 07, 2015 6:51 pm
by doidy
That last line in the screengrab always appears when there is a crash, and it is always the last line. It doesn't appear when it works.
Code: Select all
GET https://online.nwolb.com/*SOME NUMBERS*/*SOME LETTERS*
The numbers and letters are the same every time, but I don't want to say what they are in case they are linked to me in any way.
When I type the URL I get a blank page, which has a totally blank page source. Not sure what its for.
Re: BUG: NoScript causes Firefox to hang when visiting page
Posted: Mon Sep 07, 2015 6:56 pm
by barbaz
If you block that request outright, does anything change?
NoScript Options > Advanced > ABE > USER, add
Code: Select all
Site ^https?://online\.nwolb\.com/\d+/[A-Za-z]+
Deny
(It would possibly be better if you replace "\d+" with the actual numbers & "[A-Za-z]+" with the actual letters, although it will block the request either way you might potentially block more than desired with the rule as suggested...)
Re: BUG: NoScript causes Firefox to hang when visiting page
Posted: Mon Sep 07, 2015 7:08 pm
by doidy
No that also crashed. The console output looks more or less identical except that last line is now missing.
Re: BUG: NoScript causes Firefox to hang when visiting page
Posted: Mon Sep 07, 2015 7:14 pm
by doidy
Nailed it!
Added this like above (but removed the other one):
Code: Select all
Site ^https?://chat\.nwolb\.com/nwbpwebassets/bottom\.js
Deny
Page now loads without crashing when I temp allow "nwolb.com".
Re: BUG: NoScript causes Firefox to hang when visiting page
Posted: Mon Sep 07, 2015 7:18 pm
by barbaz
Nice.
Thanks for letting us know the solution. I'll take a look at that script & see if I can spot why it's causing problems.
Re: BUG: NoScript causes Firefox to hang when visiting page
Posted: Mon Sep 07, 2015 7:39 pm
by barbaz
Well it's just as I thought, this script is doing _something_ with [reading/setting] window.name - but looking through minified code is giving me too much of a headache to figure out exactly what though.
Re: BUG: NoScript causes Firefox to hang when visiting page
Posted: Mon Sep 07, 2015 9:45 pm
by therube
I get a prolonged hang, that
eventually subsides.
A bunch of these (if applicable in some fashion?):
Code: Select all
Error: about:blank : Unable to run script because scripts are blocked internally.
A pair like this:
Code: Select all
[ABE] <LOCAL> Deny on {GET https://73.129.119.203:17100/NonExistentImage20576.gif <<< https://www.nwolb.com/login.aspx?refererident=B9050394B0C04B3D6C777738601C3AE0A490C98A&cookieid=207725&CookieCheck=2015-09-07T22:38:34 - 3}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
Code: Select all
[ABE] <LOCAL> Deny on {GET https://127.0.0.1:28635/NonExistentImage23727.gif <<< https://www.nwolb.com/login.aspx?refererident=B9050394B0C04B3D6C777738601C3AE0A490C98A&cookieid=207725&CookieCheck=2015-09-07T22:38:34 - 3}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
And the domains I'm seeing:
Code: Select all
-liveperson.net
-demdex.net
+adobedtm.com
-73.129.119.203
-127.0.0.1
+nwolb.com
And an IFRAME from doubleclick.net, not shown above.
(<IFRAME> block on my end.)