Page 1 of 3

Even with workaround of allowing File URLs, Cloudflare DDOS protection breaks unless Noscript is disabled.

Posted: Fri Feb 04, 2022 6:46 am
by Kain Yusanagi
See Subject; if a site uses cloudflare's DDOS protection that waits 5 seconds before you can enter the page, then it just halts immediately on the DDOS prevention page, partially loaded, until Noscript is actively disabled as before. So, it seems the problem is more than just the File URL situation that, however, does work for many other sites that broke, like Youtube.

Re: Even with workaround of allowing File URLs, Cloudflare DDOS protection breaks unless Noscript is disabled.

Posted: Fri Feb 04, 2022 4:29 pm
by barbaz
I'm not able to reproduce this in Vivaldi, with NoScript 11.2.17, using https://techblog.willshouse.com/2012/01 ... er-agents/ as the test page.

Does it happen in a new, separate Chromium profile with NoScript the only extension installed and NoScript left in default configuration?
If not, what if you export your NoScript settings from your main profile & import it into the new profile?

Re: Even with workaround of allowing File URLs, Cloudflare DDOS protection breaks unless Noscript is disabled.

Posted: Sun Feb 06, 2022 12:56 am
by Kain Yusanagi
11.2.17 resolves the issue (HTTPS SyncMessage endpoint issue) and going forward it shouldn't be a problem. The workaround was using 11.2.16 with the File URLs extension switch active, and that only partially resolved things, as reported here.

Re: Even with workaround of allowing File URLs, Cloudflare DDOS protection breaks unless Noscript is disabled.

Posted: Mon Feb 07, 2022 11:22 pm
by pjk
I'm on 11.2.19 using Vivaldi and I'm still having initial page loading problems.

Cleared cache, which helped with the worst issues that nothing loaded or only partial page loaded on first access, but something is clearly still wrong.

I have a variety of extensions installed including uBlock Origin. So I suppose it could be that too, but it "feels" like sites are led to believe that JS is available and so they serve the JS version of a page, and then the page ends up having either no content or minimal content.

Reloading the page usually fixes it, but not always.

At the moment I am trying to use a blog that uses Disqus, but none of the Disqus content was there. After several page reloads, it finally appeared.

Re: Even with workaround of allowing File URLs, Cloudflare DDOS protection breaks unless Noscript is disabled.

Posted: Tue Feb 08, 2022 1:00 am
by barbaz
I can reproduce this problem with NoScript 11.2.19 and the link I posted. Something is very wrong with permissions in the Chromium version of NoScript 11.2.19.

The site is being script-blocked despite being set to TRUSTED. I do have uBlock Origin and had to change the exception rule to this -

Code: Select all

* https://[ff00::]/nscl/chrome-extension:// xmlhttprequest allow
But, this only partially fixed things for some sites. No effect on the case this thread is about.
(Not sure why in Vivaldi the SyncMessage requests are no longer coming from behind-the-scene?)

This error appears both in Web Console and in collected errors -

Code: Select all

SyncMessage.js:255 syncMessage error in https://techblog.willshouse.com/2012/01/03/most-common-user-agents/: Failed to execute 'send' on 'XMLHttpRequest': Failed to load 'https://[ff00::]/nscl/chrome-extension://doojmbjmlfjjnbmnoijecmcbfeoakpjm/s…echblog.willshouse.com%2F2012%2F01%2F03%2Fmost-common-user-agents%2F%22%7D'. (response )
browser.runtime.sendSyncMessage	@	SyncMessage.js:255
fetchPolicy	@	staticNS.js:99
(anonymous)	@	staticNS.js:76
uBlock Origin is not blocking this request, in fact it's not even seeing it in its logger. I don't have any other blocker addons in Vivaldi, and Vivaldi's internal ad-blocker does not have any enabled lists.

Weirdly, while investigating this and trying to grab the above console message, I clicked something in the Web Console (no idea what) and when I went back to the tab with the DoS check page, the site was loaded correctly? Image

Re: Even with workaround of allowing File URLs, Cloudflare DDOS protection breaks unless Noscript is disabled.

Posted: Tue Feb 08, 2022 9:57 am
by pjk
barbaz wrote: ↑Tue Feb 08, 2022 1:00 am I can reproduce this problem with NoScript 11.2.19 and the link I posted. Something is very wrong with permissions in the Chromium version of NoScript 11.2.19.

[removed various technical details]

uBlock Origin is not blocking this request, in fact it's not even seeing it in its logger. I don't have any other blocker addons in Vivaldi, and Vivaldi's internal ad-blocker does not have any enabled lists.

Weirdly, while investigating this and trying to grab the above console message, I clicked something in the Web Console (no idea what) and when I went back to the tab with the DoS check page, the site was loaded correctly? Image

I also continue to have this issue where pages do not initially load, but load after a while, or after some force-reloads.

This is especially problematic when it is 3rd-party content loading within a page that is already loaded OK. I was on a bank site today and various sections use 3rd-party code or contents and oftentimes the fact that that content also doesn't initially load breaks the page even when the "containing" parts are there. (And it also highlights the issue where NS can't detect this embedded content, so even if it includes JS, I can't whitelist it because it does not get enumerated in the NS domain list popup for that page)

I'm wary of setting a global "allow script to load from File:/// URLs" etc because I'm afraid it will open a potential security vuln.

Re: Even with workaround of allowing File URLs, Cloudflare DDOS protection breaks unless Noscript is disabled.

Posted: Tue Feb 08, 2022 12:03 pm
by Menno555
Not only Cloudfare :(
Here since today I suddenly got all kind op problems on all kind of sites which are not there with NoScript disabled. I suspect it updated itself cause yesterday everything was fine and now today with 11.2.19 it's not.
Tried the direct download and install of 11.2.16 like suggested, but it does not help. Tried the "Allow URLs ..." but also not helping.

As soon as NoScript is set to On, this error is in the Chrome Extension Dev tool:

Code: Select all

[NoScript] Cannot collect noscript activity data Error: Could not establish connection. Receiving end does not exist.
    at wrappedSendMessageCallback (browser-polyfill.js:1187) Could not establish connection. Receiving end does not exist. Error: Could not establish connection. Receiving end does not exist.
    at wrappedSendMessageCallback (chrome-extension://doojmbjmlfjjnbmnoijecmcbfeoakpjm/nscl/lib/browser-polyfill.js:1187:20)
error @ log.js:36
All this on up to date browser Vivaldi on a up to date Windows 10 Pro 21H2 system.
So for now waiting for a fix. And compliments on the commitment to solve this! :)

Re: Even with workaround of allowing File URLs, Cloudflare DDOS protection breaks unless Noscript is disabled.

Posted: Tue Feb 08, 2022 5:18 pm
by Solest223
I have the same issue, I noticed this issue in 11.2.16, 11.2.17 seemed to resolve it and it has returned in 11.2.19. As a work around I'm disbaling noscript to pass the cloudflair and then re-enabling noscript I'm in the site and refreshing the page.

Re: Even with workaround of allowing File URLs, Cloudflare DDOS protection breaks unless Noscript is disabled.

Posted: Tue Feb 08, 2022 6:39 pm
by ReveurGAM
Interesting. I use Brave but I have not had any problems specific to Cloudflare being blocked in the past day or two that I'm aware of, although I have long had the issue of very specific Cloudflare URLs requiring that I approve them even though the base URL is already approved.

I posted elsewhere here about my problem with YouTube Studio going from fully usable on Sunday to requiring that I (again) configure NS to make it work on Monday. Since then, I have noticed that a number of websites that I had sitting open and were working on Sunday were being messed up by NS since then. I've had to reload and reconfigure NS for each of these websites. I feel sorry for Mr. Maone and I hope that he'll soon find the solution to this problem soon.

Also, for some websites like Gmail and YouTube, NS has the little red circle with ! in it, but nothing on the list is blocked.

If there is some sort of data I can provide to help, please let me know. W10 Home 10.0.19044, 16 GM RAM, Intel i3-4005U @1.7 GHz Toshiba Satellite C55-B, 1 TB HDD, UEFI BIOS. Brave Version 1.35.100 Chromium: 98.0.4758.87 (Official Build) (64-bit)

Re: Even with workaround of allowing File URLs, Cloudflare DDOS protection breaks unless Noscript is disabled.

Posted: Tue Feb 08, 2022 9:09 pm
by Guest
Echoing pjk's sentiment:

I'm using noscript 11.2.19 on Vivaldi 5.0.2497.48 (Stable channel) (x86_64). I am encountering many sites (initially just workday, but much of the o365 suite is impacted as well) that won't load content.

I've allowed all domains on these sites, yet the noscript icon has a badge showing 1🚫 with "Blocked 1/1 items" on the tooltip. I can confirm the problem is noscript, as disabling the extension or loading the page in a private session without noscript loaded results in everything working fine. I don't see any errors in the javascript console in dev tools, but I may not be looking in the right place. The extension dev tool shows the following error:

Code: Select all

NoScript] Cannot collect noscript activity data Error: Could not establish connection. Receiving end does not exist.
    at wrappedSendMessageCallback (browser-polyfill.js:1187) Could not establish connection. Receiving end does not exist. Error: Could not establish connection. Receiving end does not exist.
    at wrappedSendMessageCallback (chrome-extension://doojmbjmlfjjnbmnoijecmcbfeoakpjm/nscl/lib/browser-polyfill.js:1187:20)
I've allowed access to 'file:///' urls and cleared cache but this doesn't resolve the issue. I've force reloaded up to 10 times without success.

Keeping an eye on this thread. Thanks for looking at this!

Re: Even with workaround of allowing File URLs, Cloudflare DDOS protection breaks unless Noscript is disabled.

Posted: Tue Feb 08, 2022 9:49 pm
by Giorgio Maone
Sorry for not posting earlier here: I believe the problem is fixed for good in NoScript 11.2.21, which is still waiting for review on the Chrome Store.

In the meanwhile you can try it unpacked from https://github.com/hackademix/noscript/ ... ag/11.2.21

Thanks!

Re: Even with workaround of allowing File URLs, Cloudflare DDOS protection breaks unless Noscript is disabled.

Posted: Wed Feb 09, 2022 12:09 am
by ReveurGAM
Giorgio Maone wrote: ↑Tue Feb 08, 2022 9:49 pm Sorry for not posting earlier here: I believe the problem is fixed for good in NoScript 11.2.21, which is still waiting for review on the Chrome Store.

In the meanwhile you can try it unpacked from https://github.com/hackademix/noscript/ ... ag/11.2.21

Thanks!
How do I install it from that?

Re: Even with workaround of allowing File URLs, Cloudflare DDOS protection breaks unless Noscript is disabled.

Posted: Wed Feb 09, 2022 4:30 am
by pjk
Giorgio Maone wrote: ↑Tue Feb 08, 2022 9:49 pm Sorry for not posting earlier here: I believe the problem is fixed for good in NoScript 11.2.21, which is still waiting for review on the Chrome Store.

In the meanwhile you can try it unpacked from https://github.com/hackademix/noscript/ ... ag/11.2.21

Thanks!

This seems to fix it for me in initial tests. πŸ‘πŸ‘

[Extensions page/developer mode ON/Load unpacked/point to unpacked zip folder, open]

This created a 2nd instance of NS in my extensions page, I went to the 11.2.19 details, exported data, disabled 11.2.19. Then went to 11.2.21 details, imported data.

Vivaldi 5.0.2497.32 on macOS Mojave.

Re: Even with workaround of allowing File URLs, Cloudflare DDOS protection breaks unless Noscript is disabled.

Posted: Wed Feb 09, 2022 4:31 am
by pjk
ReveurGAM wrote: ↑Wed Feb 09, 2022 12:09 am
Giorgio Maone wrote: ↑Tue Feb 08, 2022 9:49 pm Sorry for not posting earlier here: I believe the problem is fixed for good in NoScript 11.2.21, which is still waiting for review on the Chrome Store.

In the meanwhile you can try it unpacked from https://github.com/hackademix/noscript/ ... ag/11.2.21

Thanks!
How do I install it from that?

See my instructions in next post after yours.

Re: Even with workaround of allowing File URLs, Cloudflare DDOS protection breaks unless Noscript is disabled.

Posted: Wed Feb 09, 2022 6:32 am
by Giorgio Maone
11.2.21 has gone public in the Chrome Store, you can update or (re)install it from there. Thanks for your patience.