Originally created by: thimsmith
Current Tor Browser Bundle (Firefox ESR 31.2.0 (Tor Browser 4.0)) with current version of NoScript extension (2.6.9.2). Running on OS X 10.9.5. With the default Tor setup, one is immediately logged out after logging in to https://sourceforge.net/auth/.
Login works, since entering a wrong password shows the usual /auth/do_login "Invalid login" error. Using the correct password returns to http://sourceforge.net/ (not logged in).
I was unable to reproduce with stock Firefox.
Notice the request for GET http://sourceforge.net/ halfway through:
GET https://sourceforge.net/auth/ [HTTP/1.1 200 OK 3423ms]
[NoScript HTTPS] AUTOMATIC SECURE on https://sourceforge.net: sourceforge=38fb1da…REDACTED…W6nUu; domain=sourceforge.net; path=/; HttpOnly; Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://sourceforge.net: _session_id=fbc2d561a…REDACTED…51a344aad1; domain=sourceforge.net; path=/; Secure
window.controllers is deprecated. Do not use it for UA detection. https-everywhere.js:342
downloadable font: download not allowed (font-family: "Ubuntu" style:normal weight:normal stretch:normal src index:0): status=2147500037 source: (invalid URI) css
GET https://googleads.g.doubleclick.net/pagead/viewthroughconversion/1002083962/ [HTTP/1.1 302 Found 1639ms]
[NoScript HTTPS] AUTOMATIC SECURE on https://googleads.g.doubleclick.net: test_cookie=CheckForPermission; domain=.doubleclick.net; path=/; Secure
GET https://www.google.com/ads/user-lists/1002083962/ [HTTP/1.1 200 OK 1977ms]
POST https://sourceforge.net/auth/do_login [HTTP/1.1 302 Found 4541ms]
[NoScript HTTPS] AUTOMATIC SECURE on https://sourceforge.net: allura-loggedin=true; domain=sourceforge.net; path=/; HttpOnly; Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://sourceforge.net: sourceforge=3a2f3fc…REDACTED…lNlup1Lg==; domain=sourceforge.net; path=/; HttpOnly; Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://sourceforge.net: _session_id=fbc2d561…REDACTED…a344aad1; domain=sourceforge.net; path=/; Secure
GET http://sourceforge.net/ [HTTP/1.1 200 OK 915ms]
window.controllers is deprecated. Do not use it for UA detection. https-everywhere.js:342
downloadable font: download not allowed (font-family: "Ubuntu" style:normal weight:normal stretch:normal src index:0): status=2147500037 source: (invalid URI) css
downloadable font: download not allowed (font-family: "Pictos" style:normal weight:normal stretch:normal src index:0): status=2147500037 source: (invalid URI)
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://a.fsdn.com/con/css/fonts/sftheme/pictos-web.woff. This can be fixed by moving the resource to the same domain or enabling CORS. pictos-web.woff
downloadable font: download failed (font-family: "Pictos" style:normal weight:normal stretch:normal src index:1): bad URI or cross-site access not allowed source: http://a.fsdn.com/con/css/fonts/sftheme/pictos-web.woff
GET https://sb.scorecardresearch.com/p [HTTP/1.1 302 Moved Temporarily 1644ms]
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://a.fsdn.com/con/css/fonts/sftheme/pictos-web.ttf. This can be fixed by moving the resource to the same domain or enabling CORS. pictos-web.ttf
downloadable font: download failed (font-family: "Pictos" style:normal weight:normal stretch:normal src index:2): bad URI or cross-site access not allowed source: http://a.fsdn.com/con/css/fonts/sftheme/pictos-web.ttf
[NoScript HTTPS] AUTOMATIC SECURE on https://sb.scorecardresearch.com: UID=38017039-95.100.139.120-1413932548; domain=.scorecardresearch.com; path=/; Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://sb.scorecardresearch.com: UIDR=1413932548; domain=.scorecardresearch.com; path=/; Secure
GET https://sb.scorecardresearch.com/p2 [HTTP/1.1 200 OK 332ms]
If I either disable the NoScript extension, or fiddle around with the NoScript options (usually the "Reset" button will do the trick), the problem goes away and it allows me to log in.
GET https://sourceforge.net/auth/ [HTTP/1.1 200 OK 3258ms]
POST http://gb.symcd.com/ [HTTP/1.1 200 OK 1024ms]
POST http://gb.symcd.com/ [HTTP/1.1 200 OK 1867ms]
[NoScript HTTPS] AUTOMATIC SECURE on https://sourceforge.net: _session_id=e9550531…REDACTED…20def; domain=sourceforge.net; path=/; Secure
window.controllers is deprecated. Do not use it for UA detection. https-everywhere.js:342
GET https://fonts.googleapis.com/css [HTTP/1.1 200 OK 2249ms]
GET https://a.fsdn.com/allura/nf/1413560425/_ew_/_slim/css [HTTP/1.1 200 OK 625ms]
GET https://sourceforge.net/nf/tool_icon_css [HTTP/1.1 200 OK 2495ms]
GET https://a.fsdn.com/allura/nf/1413560425/_ew_/theme/sftheme/css/forge.css [HTTP/1.1 200 OK 2820ms]
GET https://googleads.g.doubleclick.net/pagead/viewthroughconversion/1002083962/ [HTTP/1.1 302 Found 3975ms]
POST http://clients1.google.com/ocsp [HTTP/1.1 200 OK 884ms]
POST http://vassg141.ocsp.omniroot.com/ [HTTP/1.1 200 OK 865ms]
POST http://clients1.google.com/ocsp [HTTP/1.1 200 OK 1250ms]
downloadable font: download not allowed (font-family: "Ubuntu" style:normal weight:normal stretch:normal src index:0): status=2147500037 source: (invalid URI) css
GET https://a.fsdn.com/allura/nf/1413560425/_ew_/theme/sftheme/images/sftheme/logo.png [HTTP/1.1 200 OK 3234ms]
GET https://a.fsdn.com/allura/nf/1413560425/_ew_/theme/sftheme/images/sftheme/sf-footer-logo.png [HTTP/1.1 200 OK 2274ms]
GET https://fonts.gstatic.com/s/ubuntu/v7/_xyN3apAT_yRRDeqB3sPRg.woff [HTTP/1.1 200 OK 2955ms]
POST http://clients1.google.com/ocsp [HTTP/1.1 200 OK 850ms]
[NoScript HTTPS] AUTOMATIC SECURE on https://googleads.g.doubleclick.net: test_cookie=CheckForPermission; domain=.doubleclick.net; path=/; Secure
GET https://www.google.com/ads/user-lists/1002083962/ [HTTP/1.1 200 OK 2573ms]
POST http://clients1.google.com/ocsp [HTTP/1.1 200 OK 832ms]
GET https://sourceforge.net/favicon.ico#-moz-resolution=16,16 [0ms]
POST https://sourceforge.net/auth/do_login [HTTP/1.1 302 Found 3023ms]
GET https://sourceforge.net/favicon.ico [HTTP/1.1 200 OK 2241ms]
[NoScript HTTPS] AUTOMATIC SECURE on https://sourceforge.net: allura-loggedin=true; domain=sourceforge.net; path=/; HttpOnly; Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://sourceforge.net: sourceforge=2e3d43…REDACTED…CIh1Lg==; domain=sourceforge.net; path=/; HttpOnly; Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://sourceforge.net: _session_id=e9550…REDACTED…720def; domain=sourceforge.net; path=/; Secure
GET https://sourceforge.net/ [HTTP/1.1 200 OK 4117ms]
[NoScript HTTPS] Secure cookie set by sourceforge.net: sourceforge=7d72c5…REDACTED…UQirdS4=; domain=sourceforge.net; path=/; HttpOnly; Secure
window.controllers is deprecated. Do not use it for UA detection. https-everywhere.js:342
GET https://a.fsdn.com/con/css/sf.css [HTTP/1.1 200 OK 1478ms]
GET https://a.fsdn.com/con/img/sftheme/favicon.ico [HTTP/1.1 200 OK 2049ms]
GET https://secure.gravatar.com/avatar/222a7d8f00720ce2bfe50d1297f81650 [HTTP/1.1 200 OK 2187ms]
GET https://c.fsdn.com/allura/p/miranda/icon [HTTP/1.1 200 OK 6218ms]
GET https://c.fsdn.com/allura/p/portableapps/icon [HTTP/1.1 200 OK 4530ms]
GET https://c.fsdn.com/allura/p/birtihubftype/icon [HTTP/1.1 200 OK 4246ms]
GET https://c.fsdn.com/allura/p/exo/icon [HTTP/1.1 200 OK 3089ms]
GET https://c.fsdn.com/allura/p/scummvm/icon [HTTP/1.1 200 OK 3846ms]
GET https://c.fsdn.com/allura/p/zabbix/icon [HTTP/1.1 200 OK 4418ms]
GET https://c.fsdn.com/allura/p/winpenpack/icon [HTTP/1.1 200 OK 3790ms]
GET https://c.fsdn.com/allura/p/reactos/icon [HTTP/1.1 200 OK 4352ms]
GET https://c.fsdn.com/allura/p/gnuplot/icon [HTTP/1.1 200 OK 6291ms]
GET https://c.fsdn.com/allura/p/clamav/icon [HTTP/1.1 200 OK 4008ms]
GET https://c.fsdn.com/allura/p/shareaza/icon [HTTP/1.1 200 OK 5040ms]
GET https://c.fsdn.com/allura/p/gretl/icon [HTTP/1.1 200 OK 4659ms]
GET https://c.fsdn.com/allura/p/tenfourfox/icon [HTTP/1.1 200 OK 5149ms]
Loading mixed (insecure) display content on a secure page "http://b.scorecardresearch.com/p?c1=2&c2=6035546&c3=&c4=&c5=&c6=&c15=&cj=1" sourceforge.net
GET https://sb.scorecardresearch.com/p [HTTP/1.1 302 Moved Temporarily 4495ms]
An error occurred during a connection to secure.gravatar.com:443. SSL received a record with an unknown content type. (Error code: ssl_error_rx_unknown_record_type)
downloadable font: download not allowed (font-family: "Pictos" style:normal weight:normal stretch:normal src index:0): status=2147500037 source: (invalid URI)
GET https://a.fsdn.com/con/img/sftheme/logo.png [HTTP/1.1 200 OK 1007ms]
GET https://a.fsdn.com/con/img/sftheme/carbon.png [HTTP/1.1 200 OK 1104ms]
GET https://a.fsdn.com/con/img/sftheme/sf-footer-logo.png [HTTP/1.1 200 OK 977ms]
GET https://a.fsdn.com/con/css/fonts/sftheme/pictos-web.woff [HTTP/1.1 200 OK 1761ms]
POST http://gtssldv-ocsp.geotrust.com/ [HTTP/1.1 200 OK 970ms]
POST http://vassg141.ocsp.omniroot.com/ [HTTP/1.1 200 OK 912ms]
POST http://gtssldv-ocsp.geotrust.com/ [HTTP/1.1 200 OK 1774ms]
[NoScript HTTPS] AUTOMATIC SECURE on https://sb.scorecardresearch.com: UID=89d5dd3-2.23.107.120-1413933512; domain=.scorecardresearch.com; path=/; Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://sb.scorecardresearch.com: UIDR=1413933512; domain=.scorecardresearch.com; path=/; Secure
GET https://sb.scorecardresearch.com/p2 [HTTP/1.1 200 OK 631ms]
The only real difference I spot is that the sourceforge= cookie value is much longer when it fails than when it succeeds, at least in this instance (384 chars vs. 244 chars, encoded).
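The mechanism the console log above points at, written out as an added example that is not part of the original report: NoScript's "AUTOMATIC SECURE" rewrite appends the Secure attribute to every cookie the site sets over HTTPS, and a browser never sends a Secure cookie on a plain http:// request. In the failing trace the post-login 302 lands on http://sourceforge.net/, so that request carries no session cookie and the server renders the logged-out front page; in the working trace the follow-up GET goes to https://sourceforge.net/ and the cookies travel with it. The script below models the three requests with a small cookie jar that honours Domain, Path and Secure; the cookie values, the server's unmodified Set-Cookie headers and all function names are constructed for the example.

```python
# Added example: why a Secure-flagged session cookie disappears across an
# http:// redirect.  Cookie values and headers below are constructed.
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    path: str = "/"
    secure: bool = False
    http_only: bool = False


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse the Set-Cookie subset seen in the log: name=value; domain; path; HttpOnly; Secure."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip(), domain=request_host)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            cookie.domain = val.lstrip(".").lower()
        elif key == "path" and val:
            cookie.path = val
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
    return cookie


def auto_secure(header: str) -> str:
    """Emulate NoScript's automatic-secure rewrite: add Secure if the server omitted it."""
    attrs = [p.strip().lower() for p in header.split(";")[1:]]
    return header if "secure" in attrs else header + "; Secure"


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: the host itself or any subdomain of the cookie domain."""
    return host == cookie_domain or host.endswith("." + cookie_domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 path-match (so a cookie for /auth does not match /authx)."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


class CookieJar:
    """Minimal jar keyed on (domain, path, name) that enforces the Secure rule."""

    def __init__(self) -> None:
        self._cookies: dict[tuple[str, str, str], Cookie] = {}

    def store(self, url: str, set_cookie_headers: list[str]) -> None:
        host = urlsplit(url).hostname
        for header in set_cookie_headers:
            c = parse_set_cookie(header, host)
            self._cookies[(c.domain, c.path, c.name)] = c

    def cookies_for(self, url: str) -> dict[str, str]:
        parts = urlsplit(url)
        over_tls = parts.scheme == "https"
        sent = {}
        for c in self._cookies.values():
            if c.secure and not over_tls:
                continue  # Secure cookies are never attached to plain-HTTP requests
            if domain_matches(parts.hostname, c.domain) and path_matches(parts.path or "/", c.path):
                sent[c.name] = c.value
        return sent


def simulate_login(redirect_target: str, noscript_auto_secure: bool) -> dict[str, str]:
    """Replay GET /auth/, POST /auth/do_login and the redirect; return what the server sees."""
    jar = CookieJar()
    # 1. GET https://sourceforge.net/auth/ sets the pre-login cookies (constructed values)
    headers = ["sourceforge=SESSION-A; domain=sourceforge.net; path=/; HttpOnly",
               "_session_id=SID-A; domain=sourceforge.net; path=/"]
    if noscript_auto_secure:
        headers = [auto_secure(h) for h in headers]
    jar.store("https://sourceforge.net/auth/", headers)
    # 2. POST https://sourceforge.net/auth/do_login answers 302 and sets the logged-in cookies
    headers = ["allura-loggedin=true; domain=sourceforge.net; path=/; HttpOnly",
               "sourceforge=SESSION-B; domain=sourceforge.net; path=/; HttpOnly",
               "_session_id=SID-A; domain=sourceforge.net; path=/"]
    if noscript_auto_secure:
        headers = [auto_secure(h) for h in headers]
    jar.store("https://sourceforge.net/auth/do_login", headers)
    # 3. The browser follows Location: to redirect_target; these cookies go with it
    return jar.cookies_for(redirect_target)


if __name__ == "__main__":
    for target in ("http://sourceforge.net/", "https://sourceforge.net/"):
        for forced in (False, True):
            print(f"{target:<26} auto-secure={forced!s:<5} -> {sorted(simulate_login(target, forced))}")
```

Run stand-alone, the table shows that the only combination with an empty cookie set is the http:// redirect with the automatic-secure rewrite on, which is exactly the failing trace. Without the rewrite the http:// redirect still works, but the session cookie is then sent in the clear, which is the exposure the NoScript option exists to prevent; the fix belongs on the server side (redirect to https:// and set Secure on the session cookies itself, as the "Secure cookie set by sourceforge.net" line in the working trace shows it can).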
Works fine for me with standard Firefox (33.0.1) and JS disabled, and with NoScript. I don't know what the Tor Browser bundle does, but it must be involved in the issue.