amazon.de oddness

Posted: Sun Jul 18, 2010 1:29 pm
by tlu
I'm a registered user of amazon.de, and I've enabled cookies for this site. Whenever I enter it, it presents 2 areas headed with "New recommendations for you" and "New for you". Both areas are blank, though - I only see images and text for the fraction of a second when the site is loaded. The funny thing is: This is only the case if ssl-images-amazon.com is allowed in Noscript. If I block ssl-images-amazon.com in Noscript, all is well!

I've also tried disabling ABE and/or Secure Cookie Management but to no avail. Only blocking ssl-images-amazon.com helps. But why?

EDIT: If I allow ssl-images-amazon.com in Noscript I get the following errors in the error console:
uncaught exception: [Exception... "Security error" code: "1000" nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)" location: "https://www.amazon.de/gp/yourstore/275- ... =pd_irl_gw Line: 74"]

window.todaysRecsShoveler is undefined
Quelldatei: https://www.amazon.de/gp/yourstore/275- ... =pd_irl_gw
Zeile 3

Re: amazon.de oddness

Posted: Sun Jul 18, 2010 1:45 pm
by Giorgio Maone
Can you see any [NoScript XSS] message in Tools|Error Console?

Re: amazon.de oddness

Posted: Sun Jul 18, 2010 2:06 pm
by tlu
Giorgio Maone wrote: Can you see any [NoScript XSS] message in Tools|Error Console?
No, I don't. Nevertheless I disabled XSS protection in Noscript but again to no avail.

BTW: Error console also says
www.amazon.de : server does not support RFC 5746, see CVE-2009-3555
and various warnings like
Warnung: Fehler beim Verarbeiten des Wertes für 'white-space'. Deklaration ignoriert.
Quelldatei: https://www.amazon.de/gp/yourstore/275- ... =pd_irl_gw
Zeile: 0
or
Warnung: Unbekannte Eigenschaft '-moz-opacity'. Deklaration ignoriert.
Quelldatei: https://www.amazon.de/gp/yourstore/275- ... =pd_irl_gw
Zeile: 254
if that's somehow relevant

Re: amazon.de oddness

Posted: Sun Jul 18, 2010 2:19 pm
by Giorgio Maone
No, unfortunately they're not relevant (one is from Firefox and it's about a known SSL vulnerability affecting most web sites, the others are just CSS validity warnings).
Does disabling all the other extensions or disabling NoScript change this behavior?

Re: amazon.de oddness

Posted: Sun Jul 18, 2010 2:43 pm
by tlu
Okay, I disabled Noscript, restarted FF and all was well - although the site looked somehow different now. So I activated Noscript and restarted FF once more - and the site still looks well (no blank areas) although ssl-images-amazon.com is now allowed in NS. Funny. Either a cache problem or perhaps a race condition between NS and another extension?

EDIT: No more errors in the error console.

Re: amazon.de oddness

Posted: Mon Jul 19, 2010 9:44 am
by tlu
A similar problem today: When I select, e.g., a book on amazon.de there is an area headed "Customers who bought this article also bought ...". This area is blank when images-amazon.com is allowed in NS. The error console shows this error:
Fehler: uncaught exception: [Exception... "Security error" code: "1000" nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)" location: "http://www.amazon.de/gp/product/0470686 ... d_i=301128 Line: 43"]
No XSS errors. And no errors at all if images-amazon.com is blocked.

I can live with that behaviour. But I think that it's generally strange that I can only see something on a website when it's blocked in Noscript. Shouldn't it be the other way round?

Re: amazon.de oddness

Posted: Tue Jul 20, 2010 5:58 am
by Guest
Whenever I get this error, the line referred to is this:

                return parseInt( sessionStorage.getItem([...]_pop_gw_ir04purchasepageValue') );
Do you perhaps have DOM storage disabled? The check Amazon does to see if sessionStorage is supported is faulty; it only checks the existence of sessionStorage, not whether using it actually works.
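
The difference between an existence-only check and a usability check, as an added example that is not part of the original thread and is not Amazon's code. All function names and the window stand-ins are hypothetical; the disabled case is modelled as a storage object whose methods throw a security error with code 1000, matching the exception quoted earlier in the thread.

```javascript
// Existence-only test of the kind the post describes: passes even when storage is disabled.
function naiveHasSessionStorage(win) {
  return typeof win.sessionStorage !== "undefined" && win.sessionStorage !== null;
}
function naiveReadCounter(win, key) {
  if (!naiveHasSessionStorage(win)) return 0;
  return parseInt(win.sessionStorage.getItem(key), 10); // throws if storage is unusable
}

// Usability test: prove that a write/read/remove round trip works before relying on it.
function usableSessionStorage(win) {
  const probe = "__storage_probe__";
  try {
    const s = win.sessionStorage; // the property access itself may throw
    if (!s) return null;
    s.setItem(probe, "1");
    const ok = s.getItem(probe) === "1";
    s.removeItem(probe);
    return ok ? s : null;
  } catch (e) {
    return null; // disabled by preference, blocked by policy, or zero quota
  }
}
function readCounter(win, key, fallback) {
  const s = usableSessionStorage(win);
  if (!s) return fallback; // degrade instead of aborting the script that fills the page
  const n = parseInt(s.getItem(key), 10);
  return Number.isNaN(n) ? fallback : n;
}

// Constructed stand-ins for a browser window, so the example runs outside a browser.
function makeWorkingWindow() {
  const data = new Map();
  return { sessionStorage: {
    setItem: (k, v) => { data.set(k, String(v)); },
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    removeItem: (k) => { data.delete(k); },
  } };
}
function makeDisabledWindow() {
  const deny = () => { const e = new Error("Security error"); e.code = 1000; throw e; };
  return { sessionStorage: { setItem: deny, getItem: deny, removeItem: deny } };
}
```

With the disabled stand-in, `naiveReadCounter` raises the uncaught exception while `readCounter` returns its fallback, so the rest of the page script keeps running.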

Re: amazon.de oddness

Posted: Thu Jul 22, 2010 10:51 am
by tlu
Guest wrote:Whenever I get this error, the line referred to is this:

                return parseInt( sessionStorage.getItem([...]_pop_gw_ir04purchasepageValue') );
Do you perhaps have DOM storage disabled? The check Amazon does to see if sessionStorage is supported is faulty; it only checks the existence of sessionStorage, not whether using it actually works.
Yes, I have dom.storage.enabled set to false but I don't see the referred line you mentioned in the error console...

But the question remains why I can only see something on a website if it's blocked by Noscript?

Re: amazon.de oddness

Posted: Thu Jul 22, 2010 11:02 am
by Giorgio Maone
tlu wrote: But the question remains why I can only see something on a website if it's blocked by Noscript?
Probably because there's a <NOSCRIPT> fallback if you've got scripts disabled, while the script which would normally fill the document fails for some bug (the dom storage one above?)

Re: amazon.de oddness

Posted: Thu Jul 22, 2010 11:16 am
by tlu
Giorgio Maone wrote:
tlu wrote: But the question remains why I can only see something on a website if it's blocked by Noscript?
Probably because there's a <NOSCRIPT> fallback if you've got scripts disabled, while the script which would normally fill the document fails for some bug (the dom storage one above?)
Yes, indeed, you are right. I allowed dom.storage.enabled (only temporarily, of course), allowed ssl-images-amazon.com in NS, and it worked as it should.