NoScript causes problems with 1Password

[Pillhuhn]

Hello,

the NoScript extension for FIrefox causes several issues with the 1Passoword extension; all of these happen extremely randomly and are not reproducible (at least I have not found a common cause for them), they happen on random websites and not always on the same website:
* logins are not submitted automatically although the setting is turned on;
* pressing the 1Password keyboard shortcut Cmd-\ does not fill the login fields although a login is present (pressing the shortcut a second time will fill it);
* when I have more than one Login saved for a site, the keyboard shortcut invokes the 1Password Login selection window; when I then select one of the Logins and press 'return', sometimes it doesn't select the Login but changes to an empty search window

I already contacted 1Password support (agilebits.com). They told me that their 1Password extension relies heavily on JavaScript and wouldn't be surprised if there are issues with NoScript. The only thing they could suggest was to add an exception (Whitelist) for "localhost:" with different ports, for example "localhost:6258"; but I can only add "localhost:" to the Whitelist list, but no port numbers. In addition, the issues described above are still happening even with localhost: added to the Whitelist.

As soon as I disable or uninstall the NoScript extension, the issues go away. I don't really want to go without NoScript so I hope that anyone has an idea on how to add the appropriate exception or other suggestions to make this work.
Thanks!

[Tom T.]

Please create a clean profile from scratch. Install only NoScript, in its latest version. Leave the defaults. See if the problem persists. If it does not, then NoScript is not the culprit.

Then please try Standard Diagnostic. Let us know the results, thanks.

[Pillhuhn]

Hi Tom,

thanks for your quick reply. I had already tried to just use the 1Password and NoScript extensions without any others and I tried again now. Unfortunately, the issues still persist.

I also went through and disabled and enabled one extension at a time and the only time those issues occurred was when NoScript was enabled. Not sure what's going on.

Any other ideas?

[Tom T.]

I also went through and disabled and enabled one extension at a time and the only time those issues occurred was when NoScript was enabled.

Hi Pillhuhn,

Not exactly sure of what was meant by "disabled and enabled one extension at a time". To eliminate the possibility of extension conflicts, disable *all* extensions, then add back one at a time. (Let's not start with NoScript, since you already tried that. Save it for last.) If no problem after adding #1 back, then *leave it on*, and add #2. Continue adding/enabling. When the problem recurs, we have a possible culprit (hopefully before you get to NS ) .

Did you happen to visit the Standard Diagnostic link? They recommend disabling about half at one time. If it fixes it, you cut that half in half again, etc. If it doesn't, you re-enable them and disable the other half, etc. They have a step-by-step method that walks you through it.

Tip: AdBlockPlus and Ghostery are among common causes of issues, especially if configuration isn't just right.

Perhaps post your entire list of add-ons? And the entire list of what shows in the NS menu of allowed and disallowed when you attempt to use 1Pass?

In the meantime, I'll see if I can get any info on it that might be helpful, as I've never used it.

(Remove "support tech" hat; put on "personal opinion hat")
IMHO, this is why I prefer Password Safe. All user/pass and other info is stored locally, on your own hard drive or even flash drive if you like, so there's no need to connect to a remote server, allow scripts for it to run, worry about the company or if it goes out of business. etc.

If it did fold tomorrow, or my hard drive died (that actually happened), just reinstall the tiny, 2MB program from the installer that you saved, along with your regular backup of the actual password vault, a single file that runs about 16k for my 65 site entries, including notes about "challenge questions", etc. Good to go in 2 minutes. And that file is always encrypted, so even if you lose your flash drive or laptop gets stolen, no one gets into the safe without your (strong, of course) master pw. Cryptography by world-famous cryptogeek Bruce Schneier. YMMV, so we'll still attempt to fix the current issue.

And you're welcome for the reply.

[Pillhuhn]

Hi Tom,

I did exactly what you proposed in your first paragraph. I had disabled all extensions and then added them back one at a time (I guess my "disabled and enabled one extension at a time" wasn't very clear, was it?!? ) with 1Password as the first extension and NoScript the last. I did not encounter any issues with all extensions enabled but NoScript. As soon as NoScript was enabled the issues started again. I also tried just with 1Password and NoScript, with the same issues.

I did visit the Standard Diagnostic link but since I already went through the steps described above and no issues were apparent with all my extensions (but NoScript) enabled I figured it wouldn't add to my trouble shooting. It seemed that any interactions between any of my other extensions would be showing if any other extension was the culprit. In addition, I only use a small number of extensions. They are:
1Password, BetterPrivacy, Download Statusbar, Ghostery, Lazarus: Form Recovery, Perspectives, ReadItLater, Restartless Restart, Tab Mix Plus, Xmarks and NoScript.

NoScript was running with its default settings and allowed and disallowed items.

As for your suggestion to use Password Safe, I never used it or know it, but 1Password works great for me. It also stores all passwords and logins locally. I am not sure why you think it needs to connect to a remote server (the 1Password extension does rely heavily on JavaScript though and I guess this is where the problems are stemming from). Everything is stored in a single file that is encrypted with a strong password. Overall, it sounds a lot like Password Safe (granted the 1Password is considerably larger at 35 MB but still not a big file really). But I might check out Password Safe, it never hurts to know the alternatives...

Anyway, thanks again for your help!
Andre

[Tom T.]

Sounds like there is indeed some kind of conflict between NS and 1P. Thanks for doing the diagnostics.

As for your suggestion to use Password Safe, I never used it or know it, but 1Password works great for me. It also stores all passwords and logins locally. I am not sure why you think it needs to connect to a remote server

Sorry, I was thinking of products like LastPass. My mistake.

(the 1Password extension does rely heavily on JavaScript though and I guess this is where the problems are stemming from).

Sounds like it. If no remote connection is required, I might d/l it (if it's free, or free trial), and check into it as time permits. But surely you aren't the only 1P user who also uses NS. Their support, FAQ, and forum show no mention of anyone else having this problem?

Everything is stored in a single file that is encrypted with a strong password. Overall, it sounds a lot like Password Safe (granted the 1Password is considerably larger at 35 MB but still not a big file really).

More code = more chance for flaws, including conflict with other programs, not just security flaws (although those, too.)

Adobe Reader = ~ 400 MB.
Foxit Reader = ~ 4 MB.

Guess which one has had the most security issues, by a large margin. The ITsec term is "attack surface".

If the job gets done, smaller is better. Occam's Razor, Principle of Least Privilege, etc.

But I might check out Password Safe, it never hurts to know the alternatives...

And it may solve this problem!

I've been using it for years now, flawlessly, no conflicts with anything. Only a single 1.5 MB executable, a 2k stylesheet, a 1k lock-for-editing file, your "safe", and three spporting files, each around 15k. Not a lot to go wrong compared to something 17x as large.

Anyway, thanks again for your help!
Andre

You're very welcome.
Let us know if you find the problem, or if Password Safe works well for you.

[Giorgio Maone]

A little thing I'd ask you to check: could you see whether disabling NoScript Options|Advanced|ABE makes 1Password work?
If it does, you may want to insert the following rule in the beginning of your SYSTEM ruleset (on the same options tab):

Code: Select all

Site localhost
Accept

[Tom T.]

Oops, just noticed that you have Mac. Password Safe is presently only for Windows and Linux-based, although I believe Mac is in the works.

OK, I looked at 1Password.

I am not sure why you think it needs to connect to a remote server

Code: Select all

https://agilebits.com/onepassword/win

The cloud is an option but not a requirement.

And apparently, used often for portability, although it seems that with some effort, one can put it on a flash drive. Password Safe is perfectly happy all by itself on a flash drive, without being first installed on a machine. But you're right, it's not *necessary* to connect.

# Single user license $49.99
# Family license (5 users) $69.99

vs PWS = free for life.... hmmm, I may have made the wrong choice....

Store multiple credit cards to simplify and speed up your online shopping, filling checkout forms with ease. (currently Google Chrome only)

I'll bet the sw for that is in all versions though, which would account for the larger size. And do you want Google knowing all this stuff?

Still, it could be convenient for frequent online shoppers, if it worked in Firefox.
PWS lets you save such info for each entry, though you'd have to copy/paste the CC#. Won't auto-fill it.

1P first released on 2010-04-19.
PWS dates back to 2002; got going strongly in 2003. Almost 12-yr. track record v. 21 months.

Not saying that 1P is *bad*, mind you.
Unfortunately, I don't have a Mac, and so can't really see what's going on. Your issue could be Mac-specific, since they make separate flavors for the various OSs.

Here's one Mac user, quite security-conscious, who found a free pw solution for Fx on Mac: an add-on for Fx, Keychain Services Integration. I know nothing of it. Check it out; maybe the 1P problem will be moot.

[Tom T.]

Sorry guys, Giorgio and I cross-posted.

A little thing I'd ask you to check: could you see whether disabling NoScript Options|Advanced|ABE makes 1Password work?
If it does, you may want to insert the following rule in the beginning of your SYSTEM ruleset (on the same options tab):

Code: Select all

Site localhost
Accept

@ Giorgio: Is there *any* reduction in security at all in that exception? More and more sites seem to be using localhost, or the address 127.0.0.1, for web-based activities, per the ABE FAQ.

If there is no reduction in security, then perhaps that should be a default rule?
If there is the slightest possible increase in security risk, could we be told what the risks are, including worst-case scenario? Thanks.

[Giorgio Maone]

Sorry guys, Giorgio and I cross-posted.

A little thing I'd ask you to check: could you see whether disabling NoScript Options|Advanced|ABE makes 1Password work?
If it does, you may want to insert the following rule in the beginning of your SYSTEM ruleset (on the same options tab):

Code: Select all

Site localhost
Accept

@ Giorgio: Is there *any* reduction in security at all in that exception? More and more sites seem to be using localhost, or the address 127.0.0.1, for web-based activities, per the ABE FAQ.
If there is no reduction in security, then perhaps that should be a default rule?

There is.
If one or more services listening on localhost (e.g. a local development web server, or a web service embedded inside an application such as your antivirus, or 1Password itself) is vulnerable to CSRF, ABE couldn't protect it. One example which comes to mind was a CSRF vulnerability affecting the Eclipse some time ago which allowed remote code execution from the browser, provided that you had Eclipse opened while browsing.
Especially in this case, where the port appears to change randomly (at least according to the 1Password support response) the rule is excessively broad, leaving any local application with HTTP server capabilities unprotected.
Therefore is not the case to suggest this as a general solution, but leave to user to decide about his specific needs.

[Tom T.]

Sorry guys, Giorgio and I cross-posted.

A little thing I'd ask you to check: could you see whether disabling NoScript Options|Advanced|ABE makes 1Password work?
If it does, you may want to insert the following rule in the beginning of your SYSTEM ruleset (on the same options tab):

Code: Select all

Site localhost
Accept

@ Giorgio: Is there *any* reduction in security at all in that exception? More and more sites seem to be using localhost, or the address 127.0.0.1, for web-based activities, per the ABE FAQ.
If there is no reduction in security, then perhaps that should be a default rule?

There is.
If one or more services listening on localhost (e.g. a local development web server, or a web service embedded inside an application such as your antivirus, or 1Password itself) is vulnerable to CSRF, ABE couldn't protect it. One example which comes to mind was a CSRF vulnerability affecting the Eclipse some time ago which allowed remote code execution from the browser, provided that you had Eclipse opened while browsing.
Especially in this case, where the port appears to change randomly (at least according to the 1Password support response) the rule is excessively broad, leaving any local application with HTTP server capabilities unprotected.
Therefore is not the case to suggest this as a general solution, but leave to user to decide about his specific needs.

Thank you very much, Giorgio.

That was my hunch, based on the content of your warning at Hackademix about why third-party HOSTS providers should not use 127.0.0.1 as the blocking DNS substitute (including your proxy conversation with the Hosts provider).

(FWIW, although I still find this "hack" (Hosts) useful for blocking malware, adware, and general annoyances, I took your advice then, and ever since, editing each new Hosts update from localhost to a .0 address as recommended. It takes 15 seconds.)

I'll PM one other minor issue. Thanks again for the information.

[Pillhuhn]

Hi Tom, Giorgio,

thanks for your input. Most of your last two posts went right over my head but I will try Giorgio's suggestion and report back.

As far as 1Password goes, the Mac version was first released in 2006 (https://agilebits.com/onepassword/mac/release_notes). Granted, that is not as long as Password Safe but a pretty long standing record. In addition, there is also a iPhone and iPad version as well as Android and Windows, and you can share the same database via Dropbox between all of them (but you don't need to use Dropbox and could do WiFi sync between the different devices). It works very well across platforms. It works also with Firefox and Safari (the Mac version), including the profiles. I don't know anything about the Windows version but I am pretty sure it was released not long ago.

Anyway, I am just a happy user of 1Password and its browser extensions (I mostly use Firefox but Safari once in a while).

Thanks again, and I will report back.
Andre

[Pillhuhn]

I already can report back that unfortunately, disabling ABE did not change anything.

[Tom T.]

Glad to hear the good news on 1P.
Sorry to hear the fix didn't work.

I'll give Giorgio a personal heads-up on this, in case he missed your reply.

[nonino4all]

I came to this forum after doing a google search on 1Password and NoScript. Never had any issues but now 1Password just stopped filling in my passwords UNLESS I enable javascript. At first I thought I must have done something wrong but after doing a web search it seems that 1Password has changed. It needs javascript enabled now. Today I got a Google alert and something interesting popped up: at macupdate.com somebody from the company gave an advice to a user on how to 'solve' the problem:

just disable the rapid fire protection (set "noscript.clearClick.rapidFireCheck" to "false" in "about:config" in Firefox)

I have no idea what that means. But is it safe? From what I read on the net and out of the publicly available answers of the 1Password staff, they can't or won't change anything. Could you maybe find a workaround/exception for 1Password in one of the next NoScript versions so the two of them will continue to work together?

Thank you for helping me.