Site upgrades just because SHINY

  • Site upgrades just because SHINY

    Both of my credit cards upgraded their payment sites, and each time I was forced to reset Firefox and use add-ons with the site one at a time until I figured out what it didn't like (I have a suspicion NoScript is the culprit, although nothing on those sites was or is blocked). Bank tech support is pretty much "everything's fine on our end, have you tried [list of stuff I've already done]?" (eventually, I got one to work...turns out something critical is tied in with an ad/chat server that I never have a need for).

    One of my banks keeps triggering an "XSS injection attack" warning, and I can see nothing suspicious. The site has always been whitelisted and a relative who uses the same bank has never had a problem...I did figure a workaround, but it's annoying and convoluted.

    If you're going to update a site to the newest shiniest thing, please make sure it will work with security add-ons. Just now, I'm trying to log into Chase, and after a "Please enable Javascript" message that never appeared before I had to open Wireshark to figure out that Noscript wasn't seeing an affiliated "cdn" domain.
    Last edited by Dreamstalker; 07-16-2016, 08:44 PM.
    "Any state, any entity, any ideology which fails to recognize the worth, the dignity, the rights of Man...that state is obsolete."

  • #2
    Especially a bank. What I want, and strongly suspect others also want, out of a bank's website is consistency and reliability. I do not want to have to hunt around for where they've moved the information or function I came for, and I especially don't want to find something suddenly not working when I need it.

    The only noticeable changes my bank's made in the last several years to their site were changing the logos and color scheme to match their new name, and for the app, making it look better on large phones and adding the ability for more than one person to sign in from the same device. And I like it like that. They may well have changed things under the hood, but if so, they've done it without screwing anything up, yay!
    "My in-laws are country people and at night you can hear their distinctive howl."

    • #3
      I don't see why a banking site uses a CDN--aren't they primarily for video content? My primary bank's site just works, and it manages to do so completely devoid of junk (only the main site and backend accounts server). The main page does have an animation, but it doesn't cause any Noscript hissyfits. I've never used their mobile app, but the bank manager once said that their system detects mobile devices and delivers the appropriate site so there is no crossover or issues with desktop browser security addons.

      The BigCo creditcard sites (at least the ones I use) now have big flashy buttons and dropdowns (completely unnecessary on the desktop site IMO)...not unlike mobile versions/apps. If my little bank can detect the device they should be able to.
      "Any state, any entity, any ideology which fails to recognize the worth, the dignity, the rights of Man...that state is obsolete."

      • #4
        CDNs are used now with images and even scripts these days, mainly to load balance based on geographic region. For nationwide banks, that could be important to make things speedy for their users.

        • #5
          That makes sense, although I'm puzzled why "BANKcdn.com" doesn't show up as a separate entry for Noscript's purposes...it's done that before with other sites. If it took packet sniffing for me to figure out (and Bank tech support couldn't tell me anything past "is your browser updated?") how is a Noscript noob* supposed to deal with it?

          * Mom uses Noscript, but expects it to just work with everything by allowing the obvious. This fix was far from obvious, and difficult to explain to a non-techie. If I hadn't run Wireshark on my computer first I don't think she would have ever figured it out.
          "Any state, any entity, any ideology which fails to recognize the worth, the dignity, the rights of Man...that state is obsolete."

          • #6
            I don't know anything about noscript. I can see it's used by an estimated 2 million people, though.

            What I would expect noscript to do is say, "Hey, just to let you know, we've detected scripts from bankcdn.com, and we've blocked them." It's noscript that's blocking it, and they know what domain they're blocking, so if they're not even telling you what's being blocked, I'd fault noscript rather than the bank, who's simply deciding to serve scripts from a different domain than before. That's really not something to fault a bank for doing.

            • #7
              That's what usually happens; sitecdn.com shows up within Noscript as a separate item being blocked by default. If allowing site.com on its own doesn't work, it's easily determined that you also need to allow sitecdn.

              My two credit card sites do not do this; I wasn't even aware of the CDN until I examined my network traffic. The only entry was "SITE.com" as it's always been...I'm not sure if that's the bank or Noscript that done screwed up.
              "Any state, any entity, any ideology which fails to recognize the worth, the dignity, the rights of Man...that state is obsolete."

              • #8
                Considering the variety of sites that use CDNs these days, the screwup is with Noscript having an overly-broad restriction on CDNs. As it stands, if all CDNs are blocked, any site using CloudFlare to protect against DDoS attacks would be blocked. (Basically, Noscript really should move to a blacklist of CDNs to block, not automatically block them.)

                • #9
                  The site I use for my math classes just did something along these lines.

                  For days, there was a big banner across the top of every page mentioning "Personalization for the home page coming June 19!" June 19 rolls around, and suddenly the site doesn't work on Chrome anymore. Part of the class is on a site that only works on Chrome so now I have to juggle Chrome and Firefox, all because they wanted to enable personalization.

                  • #10
                    Same thing happened to me with my online classes...certain things only worked in IE, and user agent switcher didn't work when logging in from home. Eventually something got figured out.

                    My dad's bank (the same one that keeps triggering an XSS injection warning for me, I still haven't tracked down a fix that doesn't break something else) updated their site, and it doesn't work with his install of Firefox, and doesn't like Win10's Edge at all. I haven't tried the newest iteration yet...would be funny if the XSS issue was fixed but something else broke.
                    Last edited by Dreamstalker; 07-24-2016, 03:25 AM.
                    "Any state, any entity, any ideology which fails to recognize the worth, the dignity, the rights of Man...that state is obsolete."
