---
**[tickets:#7782] Login failure with Tor Browser and NoScript extension**
**Status:** open
**Milestone:** limbo
**Created:** Tue Oct 21, 2014 11:39 PM UTC by Tim Smith
**Last Updated:** Tue Oct 21, 2014 11:39 PM UTC
**Owner:** nobody
Current Tor Browser Bundle (Firefox ESR 31.2.0 (Tor Browser 4.0)) with current
version of NoScript extension (2.6.9.2). Running on OS X 10.9.5. With the
default Tor setup, one is immediately logged out after logging in to
https://sourceforge.net/auth/.
Login works, since entering a wrong password shows the usual /auth/do_login
"Invalid login" error. Using the correct password returns to
http://sourceforge.net/ (not logged in).
I was unable to reproduce with stock Firefox.
Notice the request for `GET http://sourceforge.net/` halfway through:
~~~~~
GET https://sourceforge.net/auth/ [HTTP/1.1 200 OK 3423ms]
[NoScript HTTPS] AUTOMATIC SECURE on https://sourceforge.net:
sourceforge=38fb1da…REDACTED…W6nUu; domain=sourceforge.net; path=/; HttpOnly;
Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://sourceforge.net:
_session_id=fbc2d561a…REDACTED…51a344aad1; domain=sourceforge.net; path=/;
Secure
window.controllers is deprecated. Do not use it for UA detection.
https-everywhere.js:342
downloadable font: download not allowed (font-family: "Ubuntu" style:normal
weight:normal stretch:normal src index:0): status=2147500037
source: (invalid URI) css
GET
https://googleads.g.doubleclick.net/pagead/viewthroughconversion/1002083962/
[HTTP/1.1 302 Found 1639ms]
[NoScript HTTPS] AUTOMATIC SECURE on https://googleads.g.doubleclick.net:
test_cookie=CheckForPermission; domain=.doubleclick.net; path=/; Secure
GET https://www.google.com/ads/user-lists/1002083962/ [HTTP/1.1 200 OK 1977ms]
POST https://sourceforge.net/auth/do_login [HTTP/1.1 302 Found 4541ms]
[NoScript HTTPS] AUTOMATIC SECURE on https://sourceforge.net:
allura-loggedin=true; domain=sourceforge.net; path=/; HttpOnly; Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://sourceforge.net:
sourceforge=3a2f3fc…REDACTED…lNlup1Lg==; domain=sourceforge.net; path=/;
HttpOnly; Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://sourceforge.net:
_session_id=fbc2d561…REDACTED…a344aad1; domain=sourceforge.net; path=/; Secure
GET http://sourceforge.net/ [HTTP/1.1 200 OK 915ms]
window.controllers is deprecated. Do not use it for UA detection.
https-everywhere.js:342
downloadable font: download not allowed (font-family: "Ubuntu" style:normal
weight:normal stretch:normal src index:0): status=2147500037
source: (invalid URI) css
downloadable font: download not allowed (font-family: "Pictos" style:normal
weight:normal stretch:normal src index:0): status=2147500037
source: (invalid URI)
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the
remote resource at http://a.fsdn.com/con/css/fonts/sftheme/pictos-web.woff.
This can be fixed by moving the resource to the same domain or enabling CORS.
pictos-web.woff
downloadable font: download failed (font-family: "Pictos" style:normal
weight:normal stretch:normal src index:1): bad URI or cross-site access not
allowed
source: http://a.fsdn.com/con/css/fonts/sftheme/pictos-web.woff
GET https://sb.scorecardresearch.com/p [HTTP/1.1 302 Moved Temporarily 1644ms]
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the
remote resource at http://a.fsdn.com/con/css/fonts/sftheme/pictos-web.ttf. This
can be fixed by moving the resource to the same domain or enabling CORS.
pictos-web.ttf
downloadable font: download failed (font-family: "Pictos" style:normal
weight:normal stretch:normal src index:2): bad URI or cross-site access not
allowed
source: http://a.fsdn.com/con/css/fonts/sftheme/pictos-web.ttf
[NoScript HTTPS] AUTOMATIC SECURE on https://sb.scorecardresearch.com:
UID=38017039-95.100.139.120-1413932548; domain=.scorecardresearch.com; path=/;
Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://sb.scorecardresearch.com:
UIDR=1413932548; domain=.scorecardresearch.com; path=/; Secure
GET https://sb.scorecardresearch.com/p2 [HTTP/1.1 200 OK 332ms]
~~~~~
If I either disable the NoScript extension, or fiddle around with the NoScript
options (usually the "Reset" button will do the trick), the problem goes away
and it allows me to log in.
~~~~~
GET https://sourceforge.net/auth/ [HTTP/1.1 200 OK 3258ms]
POST http://gb.symcd.com/ [HTTP/1.1 200 OK 1024ms]
POST http://gb.symcd.com/ [HTTP/1.1 200 OK 1867ms]
[NoScript HTTPS] AUTOMATIC SECURE on https://sourceforge.net:
_session_id=e9550531…REDACTED…20def; domain=sourceforge.net; path=/; Secure
window.controllers is deprecated. Do not use it for UA detection.
https-everywhere.js:342
GET https://fonts.googleapis.com/css [HTTP/1.1 200 OK 2249ms]
GET https://a.fsdn.com/allura/nf/1413560425/_ew_/_slim/css [HTTP/1.1 200 OK
625ms]
GET https://sourceforge.net/nf/tool_icon_css [HTTP/1.1 200 OK 2495ms]
GET https://a.fsdn.com/allura/nf/1413560425/_ew_/theme/sftheme/css/forge.css
[HTTP/1.1 200 OK 2820ms]
GET
https://googleads.g.doubleclick.net/pagead/viewthroughconversion/1002083962/
[HTTP/1.1 302 Found 3975ms]
POST http://clients1.google.com/ocsp [HTTP/1.1 200 OK 884ms]
POST http://vassg141.ocsp.omniroot.com/ [HTTP/1.1 200 OK 865ms]
POST http://clients1.google.com/ocsp [HTTP/1.1 200 OK 1250ms]
downloadable font: download not allowed (font-family: "Ubuntu" style:normal
weight:normal stretch:normal src index:0): status=2147500037
source: (invalid URI) css
GET
https://a.fsdn.com/allura/nf/1413560425/_ew_/theme/sftheme/images/sftheme/logo.png
[HTTP/1.1 200 OK 3234ms]
GET
https://a.fsdn.com/allura/nf/1413560425/_ew_/theme/sftheme/images/sftheme/sf-footer-logo.png
[HTTP/1.1 200 OK 2274ms]
GET https://fonts.gstatic.com/s/ubuntu/v7/_xyN3apAT_yRRDeqB3sPRg.woff [HTTP/1.1
200 OK 2955ms]
POST http://clients1.google.com/ocsp [HTTP/1.1 200 OK 850ms]
[NoScript HTTPS] AUTOMATIC SECURE on https://googleads.g.doubleclick.net:
test_cookie=CheckForPermission; domain=.doubleclick.net; path=/; Secure
GET https://www.google.com/ads/user-lists/1002083962/ [HTTP/1.1 200 OK 2573ms]
POST http://clients1.google.com/ocsp [HTTP/1.1 200 OK 832ms]
GET https://sourceforge.net/favicon.ico#-moz-resolution=16,16 [0ms]
POST https://sourceforge.net/auth/do_login [HTTP/1.1 302 Found 3023ms]
GET https://sourceforge.net/favicon.ico [HTTP/1.1 200 OK 2241ms]
[NoScript HTTPS] AUTOMATIC SECURE on https://sourceforge.net:
allura-loggedin=true; domain=sourceforge.net; path=/; HttpOnly; Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://sourceforge.net:
sourceforge=2e3d43…REDACTED…CIh1Lg==; domain=sourceforge.net; path=/; HttpOnly;
Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://sourceforge.net:
_session_id=e9550…REDACTED…720def; domain=sourceforge.net; path=/; Secure
GET https://sourceforge.net/ [HTTP/1.1 200 OK 4117ms]
[NoScript HTTPS] Secure cookie set by sourceforge.net:
sourceforge=7d72c5…REDACTED…UQirdS4=; domain=sourceforge.net; path=/; HttpOnly;
Secure
window.controllers is deprecated. Do not use it for UA detection.
https-everywhere.js:342
GET https://a.fsdn.com/con/css/sf.css [HTTP/1.1 200 OK 1478ms]
GET https://a.fsdn.com/con/img/sftheme/favicon.ico [HTTP/1.1 200 OK 2049ms]
GET https://secure.gravatar.com/avatar/222a7d8f00720ce2bfe50d1297f81650
[HTTP/1.1 200 OK 2187ms]
GET https://c.fsdn.com/allura/p/miranda/icon [HTTP/1.1 200 OK 6218ms]
GET https://c.fsdn.com/allura/p/portableapps/icon [HTTP/1.1 200 OK 4530ms]
GET https://c.fsdn.com/allura/p/birtihubftype/icon [HTTP/1.1 200 OK 4246ms]
GET https://c.fsdn.com/allura/p/exo/icon [HTTP/1.1 200 OK 3089ms]
GET https://c.fsdn.com/allura/p/scummvm/icon [HTTP/1.1 200 OK 3846ms]
GET https://c.fsdn.com/allura/p/zabbix/icon [HTTP/1.1 200 OK 4418ms]
GET https://c.fsdn.com/allura/p/winpenpack/icon [HTTP/1.1 200 OK 3790ms]
GET https://c.fsdn.com/allura/p/reactos/icon [HTTP/1.1 200 OK 4352ms]
GET https://c.fsdn.com/allura/p/gnuplot/icon [HTTP/1.1 200 OK 6291ms]
GET https://c.fsdn.com/allura/p/clamav/icon [HTTP/1.1 200 OK 4008ms]
GET https://c.fsdn.com/allura/p/shareaza/icon [HTTP/1.1 200 OK 5040ms]
GET https://c.fsdn.com/allura/p/gretl/icon [HTTP/1.1 200 OK 4659ms]
GET https://c.fsdn.com/allura/p/tenfourfox/icon [HTTP/1.1 200 OK 5149ms]
Loading mixed (insecure) display content on a secure page
"http://b.scorecardresearch.com/p?c1=2&c2=6035546&c3=&c4=&c5=&c6=&c15=&cj=1"[Learn
More] sourceforge.net
GET https://sb.scorecardresearch.com/p [HTTP/1.1 302 Moved Temporarily 4495ms]
An error occurred during a connection to secure.gravatar.com:443.
SSL received a record with an unknown content type.
(Error code: ssl_error_rx_unknown_record_type)
downloadable font: download not allowed (font-family: "Pictos" style:normal
weight:normal stretch:normal src index:0): status=2147500037
source: (invalid URI)
GET https://a.fsdn.com/con/img/sftheme/logo.png [HTTP/1.1 200 OK 1007ms]
GET https://a.fsdn.com/con/img/sftheme/carbon.png [HTTP/1.1 200 OK 1104ms]
GET https://a.fsdn.com/con/img/sftheme/sf-footer-logo.png [HTTP/1.1 200 OK
977ms]
GET https://a.fsdn.com/con/css/fonts/sftheme/pictos-web.woff [HTTP/1.1 200 OK
1761ms]
POST http://gtssldv-ocsp.geotrust.com/ [HTTP/1.1 200 OK 970ms]
POST http://vassg141.ocsp.omniroot.com/ [HTTP/1.1 200 OK 912ms]
POST http://gtssldv-ocsp.geotrust.com/ [HTTP/1.1 200 OK 1774ms]
[NoScript HTTPS] AUTOMATIC SECURE on https://sb.scorecardresearch.com:
UID=89d5dd3-2.23.107.120-1413933512; domain=.scorecardresearch.com; path=/;
Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://sb.scorecardresearch.com:
UIDR=1413933512; domain=.scorecardresearch.com; path=/; Secure
GET https://sb.scorecardresearch.com/p2 [HTTP/1.1 200 OK 631ms]
~~~~~
The only real difference I spot is that the sourceforge= cookie value is much
longer when it fails than when it succeeds, at least in this instance (384
chars vs. 244 chars, encoded).
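The behaviour that would explain the symptom in the report is the `Secure` attribute itself: a cookie carrying `Secure` is never attached to a plain `http://` request, so when the post-login redirect lands on `GET http://sourceforge.net/` (as in the failing log) the `allura-loggedin`, `sourceforge` and `_session_id` cookies that NoScript just marked "AUTOMATIC SECURE" stay in the jar and the page renders logged out. The script below is an added example, not code from the ticket or from Allura/NoScript: it parses constructed cookie strings shaped like the `[NoScript HTTPS]` lines above (values are placeholders) into the standard library's `http.cookiejar`, then asks the jar which cookies it would send for the http and https variants of the same URL.

```python
"""Show which cookies a browser-style jar attaches to http:// vs https:// requests.

Added example for the ticket above; uses only the Python standard library.
The Set-Cookie strings are constructed to match the shape of the NoScript
"AUTOMATIC SECURE" log lines, with placeholder values instead of real tokens.
"""
import http.cookiejar
import urllib.request

# Constructed: the three cookies set by POST /auth/do_login, as logged after
# NoScript forced the Secure flag on. Values are placeholders, not real tokens.
SET_COOKIES_AFTER_LOGIN = [
    "allura-loggedin=true; domain=sourceforge.net; path=/; HttpOnly; Secure",
    "sourceforge=PLACEHOLDER_SESSION_BLOB; domain=sourceforge.net; path=/; HttpOnly; Secure",
    "_session_id=PLACEHOLDER_SESSION_ID; domain=sourceforge.net; path=/; Secure",
]


def parse_set_cookie(line):
    """Turn 'name=value; attr; attr=value' into an http.cookiejar.Cookie.

    Only the attributes that appear in the log (domain, path, HttpOnly,
    Secure) are interpreted; no Expires/Max-Age means a session cookie.
    """
    parts = [p.strip() for p in line.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val
    domain = attrs.get("domain", "")
    return http.cookiejar.Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=bool(domain),
        domain_initial_dot=domain.startswith("."),
        path=attrs.get("path", "/"), path_specified="path" in attrs,
        secure="secure" in attrs,          # the flag NoScript forces on
        expires=None, discard=True,        # session cookie
        comment=None, comment_url=None,
        rest={"HttpOnly": None} if "httponly" in attrs else {},
    )


def build_jar(lines):
    """Load a list of Set-Cookie style strings into a fresh CookieJar."""
    jar = http.cookiejar.CookieJar()
    for line in lines:
        jar.set_cookie(parse_set_cookie(line))
    return jar


def cookies_sent_to(jar, url):
    """Sorted names of the cookies the jar would attach to a request for url.

    The jar's default policy applies the same rule as a browser: a Secure
    cookie is only returned when the request scheme is https.
    """
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie")
    if not header:
        return []
    return sorted(c.split("=", 1)[0] for c in header.split("; "))


def main():
    jar = build_jar(SET_COOKIES_AFTER_LOGIN)
    # Failing log: redirect lands on plain http, so no session cookie travels.
    print("GET http://sourceforge.net/  ->", cookies_sent_to(jar, "http://sourceforge.net/"))
    # Working log: redirect lands on https, so all three cookies travel.
    print("GET https://sourceforge.net/ ->", cookies_sent_to(jar, "https://sourceforge.net/"))


if __name__ == "__main__":
    main()
```

Running it prints an empty list for the `http://` request and all three cookie names for the `https://` one, which is exactly the difference between the two console logs above: the server never sees a session on the plain-HTTP landing page. The check generalises to any cookie string in the same format, so a cookie set without `Secure` (the non-NoScript case) can be fed through the same functions to confirm it would travel over `http://`.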