[RESOLVED] NS breaks citi.com with "global allow all" enabled
Posted: Fri Mar 04, 2016 9:02 pm
by jzigns
After logging in to citi.com Firefox hangs for 30 or 40 seconds after certain actions. It works fine (no delay) if NoScript is disabled or uninstalled, but if NoScript is enabled there are major hangs ("Firefox not responding") even if "global allow all" is enabled.
From the js console:
Code:
A form was submitted in the windows-1252 encoding which cannot encode all Unicode characters, so user input may get corrupted. To avoid this problem, the page should be changed so that the form is submitted in the UTF-8 encoding either by changing the encoding of the page itself to UTF-8 or by specifying accept-charset=utf-8 on the form element. OutsideView.do
A form was submitted in the windows-1252 encoding which cannot encode all Unicode characters, so user input may get corrupted. To avoid this problem, the page should be changed so that the form is submitted in the UTF-8 encoding either by changing the encoding of the page itself to UTF-8 or by specifying accept-charset=utf-8 on the form element. RedirectToCBOL.do:163:3
TelemetryStopwatch: key "FX_PAGE_LOAD_MS" was already initialized TelemetryStopwatch.jsm:52:0
about:blank : Unable to run script because scripts are blocked internally. <unknown>
about:blank : Unable to run script because scripts are blocked internally. <unknown>
There is a lot more in the console, but I keep getting a spam error from the form if I include it all.
Thanks.
Re: NoScript breaks citi.com with "global allow all" enabled
Posted: Fri Mar 04, 2016 9:22 pm
by barbaz
As a test, please try disabling the XSS filter and see if that mitigates the hanging:
NoScript Options > Advanced > XSS, un-check both boxes
If this works we likely need to make an XSS exception; this sticky has details on how that works. We will want to make an exception for origin (the one with @) so that citi isn't opened up to actual XSS.
I would also suggest you install NoRedirect to see the exact URLs, what's going on and where it hangs; that way you'll know all the URL(s) that need to be included in the XSS exception.
If you provide specific URLs (with sensitive data removed!) we'll help you construct the XSS exception.
Re: NoScript breaks citi.com with "global allow all" enabled
Posted: Fri Mar 04, 2016 9:24 pm
by barbaz
jzigns wrote: There is a lot more in the console, but I keep getting a spam error from the form if I include it all.
Hang on, I missed this part of your post. Any of the messages you couldn't post start with "[NoScript" or "[ABE]"? If so please hold off on the advice in my prior post and PM these messages to a mod (me, GµårÐïåñ, therube, or Thrawn); PMs to forum staff are not spam filtered.
Thanks
Re: NoScript breaks citi.com with "global allow all" enabled
Posted: Fri Mar 04, 2016 9:24 pm
by therube
From the Error Console, generally you're going to want the entries that may reference, [NoScript].
Given how banks break, a lot, of late, going to think you're running into the same deal with citi.com?
Do you notice it trying to load any particular site, like, www.somedumbsite.citi.com - for an extended period of time - just prior or during the hang?
And if you enable full domains, & specifically exclude that particular domain, does the issue subside?
Re: NoScript breaks citi.com with "global allow all" enabled
Posted: Fri Mar 04, 2016 10:01 pm
by barbaz
@jzigns: Got it, thanks.
Nothing there is obviously NoScript related. So please try what I outlined above re: the XSS filter.
Re: NoScript breaks citi.com with "global allow all" enabled
Posted: Fri Mar 04, 2016 10:04 pm
by jzigns
barbaz wrote: As a test, please try disabling the XSS filter and see if that mitigates the hanging:
NoScript Options > Advanced > XSS, un-check both boxes
Disabling the XSS filter worked. I installed noredirect but don't know how to use it.
Re: NoScript breaks citi.com with "global allow all" enabled
Posted: Fri Mar 04, 2016 10:07 pm
by barbaz
oops

Sorry I forgot to post instructions what to do with NoRedirect
Set it up to block all redirects:
Regex: .*
check only "Source"
then delete any pre-existing rules that you think might interfere here
Re: NoScript breaks citi.com with "global allow all" enabled
Posted: Fri Mar 04, 2016 10:37 pm
by jzigns
I accept the following 3 redirects:
After the above redirect is accepted, the page below opens up and hangs for 40 seconds then everything works normally.
Re: NoScript breaks citi.com with "global allow all" enabled
Posted: Fri Mar 04, 2016 11:17 pm
by jzigns
barbaz wrote: As a test, please try disabling the XSS filter and see if that mitigates the hanging:
NoScript Options > Advanced > XSS, un-check both boxes
I tried unchecking just one box each by itself, but both must be unchecked for it to work properly.
Re: NoScript breaks citi.com with "global allow all" enabled
Posted: Fri Mar 04, 2016 11:47 pm
by barbaz
Under Anti-XSS Protection Exceptions, try adding the following new line:
Code:
^@https://online\.citi\.com/.*/flow\.action\?
Does the site now work with XSS filter enabled?
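An added example, not part of the original posts and not NoScript's own code: a small audit of what the origin-scoped exception above exempts compared with a loose destination pattern. The matching rule (a pattern starting with `@`, optionally after `^`, is tested against the request's origin, anything else against its destination), the request URLs and the over-broad line are assumptions constructed for illustration.

```javascript
// Simplified model (assumption): "@"-prefixed patterns are matched against the
// ORIGIN URL of a request, all other patterns against the DESTINATION URL.
function parseException(line) {
  const text = line.trim();
  const m = /^(\^?)@(.*)$/.exec(text);
  return m
    ? { target: "origin", re: new RegExp(m[1] + m[2]) }
    : { target: "destination", re: new RegExp(text) };
}

// A request skips the XSS filter if any exception matches its target URL.
function isExempt(exceptions, request) {
  return exceptions.some(({ target, re }) => re.test(request[target]));
}

// The exception line given in the thread.
const scoped = [parseException(String.raw`^@https://online\.citi\.com/.*/flow\.action\?`)];
// Constructed over-broad line for contrast (not from the thread).
const broad = [parseException(String.raw`citi\.com`)];

// Constructed sample requests; paths and hosts are placeholders.
const requests = [
  { name: "bank flow page",
    origin: "https://online.citi.com/US/app/flow.action?step=1",
    destination: "https://online.citi.com/US/next.do" },
  { name: "third-party origin",
    origin: "https://forum.example.net/post?id=1",
    destination: "https://online.citi.com/US/app/flow.action?q=test" },
  { name: "lookalike host",
    origin: "https://online.citi.com.example.net/x/flow.action?a=1",
    destination: "https://online.citi.com/US/next.do" },
  { name: "plain http origin",
    origin: "http://online.citi.com/US/app/flow.action?a=1",
    destination: "https://online.citi.com/US/next.do" },
];

// Names of the sample requests that would bypass the filter.
function audit(exceptions) {
  return requests.filter((r) => isExempt(exceptions, r)).map((r) => r.name);
}

console.log("scoped exempts:", audit(scoped));
console.log("broad exempts: ", audit(broad));
```

Under this model only requests that originate from the bank's own flow.action pages skip the filter, while the loose destination pattern would also exempt the request arriving from a third-party origin.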
Re: NoScript breaks citi.com with "global allow all" enabled
Posted: Fri Mar 04, 2016 11:57 pm
by jzigns
Yes, it works! Thanks Barbaz! Is that the final solution?
Re: NoScript breaks citi.com with "global allow all" enabled
Posted: Sat Mar 05, 2016 12:11 am
by barbaz
Yes it would be in this case because the XSS filter is not actually tripping.
You're welcome!
