BankID 2.0 bug Topic is solved
Forum rules
Please keep everything here strictly on-topic.
This board is meant for Pale Moon source code development related subjects only like code snippets, patches, specific bugs, git, the repositories, etc.
This is not for tech support! Please do not post tech support questions in the "Development" board!
Please make sure not to use this board for support questions. Please post issues with specific websites, extensions, etc. in the relevant boards for those topics.
Please keep things on-topic as this forum will be used for reference for Pale Moon development. Expect topics that aren't relevant as such to be moved or deleted.
-
- Board Warrior
- Posts: 1622
- Joined: 2015-07-23, 16:09
- Location: Norway
BankID 2.0 bug
Long-time Pale Moon user, first-time poster..
Could you please include this fix in the next Pale Moon release?
https://bugzilla.mozilla.org/show_bug.cgi?id=1122445
This bug has caused me problems for a long time, and it's the only reason why I need to have another browser installed on my computer.
-
- Pale Moon guru
- Posts: 37640
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: BankID 2.0 bug
That bug is n/a for Pale Moon because we don't use the C++ CSP parser.
As far as case-sensitivity is concerned, that should all be fixed in commit [72e2cb0] to land in 25.6, although case-sensitivity of paths should not matter as-is.
"A dead end street is a place to turn around and go into a new direction" - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
- Board Warrior
- Posts: 1622
- Joined: 2015-07-23, 16:09
- Location: Norway
Re: BankID 2.0 bug
Thanks for your fast response.
Moonchild wrote: That bug is n/a for Pale Moon because we don't use the C++ CSP parser.
The problem seems to be identical though.
There's a compatibility test @ bankid.no here:
https://www.bankid.no/Hjelp-og-nyttige- ... nettleser/
..but this test is flawed!
Pale Moon passes the above test with flying colours (and so did previous versions of Firefox)..
Yet, it's only partially compatible.
It will work when logging on to your account on certain bank sites.
..but if you try to make a purchase in any webshop, it will always fail with error code "BID-2030":
The same thing happened with previous versions of Firefox.
Chromium browsers have always worked though.
--
Moonchild wrote: As far as case-sensitivity is concerned, that should all be fixed in commit [72e2cb0] to land in 25.6, although case-sensitivity of paths should not matter as-is.
Well, guess I'll just have to wait and see then.
I will report back here, after v25.6 has been released.
-
- Pale Moon guru
- Posts: 37640
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: BankID 2.0 bug
Well, without specific details or a working test to verify, there really isn't much I can do.
As said, the path shouldn't matter - paths are ignored in accordance with CSP 1.0 in Pale Moon, anyway. Ports are numbers and should never have case-sensitivity as a result. So, I'm not entirely sure what they are doing or why it fails -- of note, this one Norwegian bank seems to be the only one with an issue.
(As an aside, I use BankID myself in Sweden, probably a very similar setup, and it isn't a problem, ever, in Pale Moon).
As a workaround you can always disable CSP for the time being, as well, if you need to make purchases.
"A dead end street is a place to turn around and go into a new direction" - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
- Board Warrior
- Posts: 1622
- Joined: 2015-07-23, 16:09
- Location: Norway
Re: BankID 2.0 bug
Moonchild wrote: As a workaround you can always disable CSP for the time being, as well, if you need to make purchases.
Yes, I can confirm that this works (security.csp.enable = false).
..but for now, I think I'd rather use a different browser for this purpose, to maintain security.
I'll keep my fingers crossed for commit #72e2cb0 :)
btw; DNB isn't the only bank affected by this issue.
Other banks, like SpareBank1, have the same problem.
-
- Board Warrior
- Posts: 1622
- Joined: 2015-07-23, 16:09
- Location: Norway
Re: BankID 2.0 bug
Sorry, but that's a negative on the CSP fix.
I just did a clean install of Pale Moon v25.6.0..
When trying to use BankID, it still results in error "BID-2030".
Had a feeling it would be a difficult fix, cuz they seemed to use an awfully long time on fixing it in Firefox too. :(
--
EDIT:
BTW; Is it just me, or does v25.6.0 run a bit faster than the previous version? :)
-
- Pale Moon guru
- Posts: 37640
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: BankID 2.0 bug
Well, since I really don't know what all they are trying to do with CSP, I can't help.
If anything, they need to make sure that their CSP rules exactly match with what they want to allow. If they require a "named port" then that would be their problem because ports are supposed to be only numbers (that's the only other thing I can think of where case would matter that the indicated BMO bug would solve).
Pale Moon doesn't check paths and all segments are now checked case-insensitive. I don't know what else could be wrong apart from a wrong CSP sent by them.
"A dead end street is a place to turn around and go into a new direction" - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
- Board Warrior
- Posts: 1622
- Joined: 2015-07-23, 16:09
- Location: Norway
Re: BankID 2.0 bug
I just sent a message to BankID Norway, explaining the problem.
Don't know how seriously they'll take it though, because I've reported the problem to them before..
They just brushed it off, saying that it was a known problem with Firefox, and that I should use Google Chrome instead (yeah, that would be the day!).
I've PM'ed you a copy of the last message that I sent them, Moonchild (in Norwegian).
-
- Board Warrior
- Posts: 1622
- Joined: 2015-07-23, 16:09
- Location: Norway
Re: BankID 2.0 bug
Moonchild wrote: Well, without specific details or a working test to verify, there really isn't much I can do
Try to launch the BankID login alternative here (it doesn't require any account or card details in advance, and will take you directly to the BankID applet):
https://www.nettkonto.no/
--
EDIT:
Here's a few more:
https://bank.etne-sparebank.no/
https://bank.flekkefjordsparebank.no/
https://bank.luster-sparebank.no/
https://bank.skudeaakra.no/
https://nettbank.fanasparebank.no/
https://nettbank.spareskillingsbanken.no/
https://www.bnbank.no/wps/portal/9235/login/
https://www.nettkonto.no/
For me, BankID 2.0 fails in Pale Moon on every single one of them!
-
- Pale Moon guru
- Posts: 37640
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: BankID 2.0 bug
Hah!
Code:
[12:27:44.759] Content Security Policy: Failed to parse unrecognized source https://customerportal.edb.com/authpub/bankid%3Bxjsessionid=00006wPkzmsuPqft2-AgACs4m4s:1924cl5bk
Well, that explains everything. That's absolutely invalid as a CSP rule - they are passing a full URL with a custom session ID that includes a colon. You can't pass a full URL like that and expect it to work - they need to adjust their script to only pass the scheme://host:port or scheme://host:port/path as CSP rule. This is not a Pale Moon issue. The Norwegian Bank-ID people need to fix their scripting.
In addition, they need to look at:
Code:
[12:27:48.539] Content Security Policy: The page's settings blocked the loading of a resource: An attempt to execute inline scripts has been blocked @ https://csfe.bankid.no/CentralServerFEJS/a?cid=PkSUn9ZQ5zheIADh
[12:27:48.539] Content Security Policy: The page's settings blocked the loading of a resource at data:text/javascript;base64, ("script-src https://csfe.bankid.no:443 'unsafe-eval'").
[12:27:48.667] Content Security Policy: The page's settings blocked the loading of a resource at https://customerportal.edb.com/authpub/bankid;xjsessionid=00006wPkzmsuPqft2-AgACs4m4s:1924cl5bk ("connect-src https://csfe.bankid.no:443").
...because those rules are all nonsense. Passing eval()ed JS in CSP? Their scripting is terribly broken. Sorry to say.
Of course it will impact any bank that uses bank-ID because they are the SSO provider for Bank-ID as used on the other sites.
"A dead end street is a place to turn around and go into a new direction" - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
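The chain of events Moonchild reads out of the three log lines above, as an added example that is not code from the post, from Pale Moon or from BankID: a small checker in the shape of a strict CSP 1.0 source-list parser. It accepts only keyword sources, bare scheme sources such as data:, and scheme://host[:port][/path] host sources (here, following the thread's reading, a path carrying a further ':' or ';' does not parse), drops anything else as unrecognized, and then matches a request URL against what survived, ignoring paths as the thread says Pale Moon does. The directive values, the page origin and the grammar are assumptions reconstructed from the log, not the header BankID actually sent. It goes slightly beyond the post by also showing the corrected scheme://host:port form Moonchild asks for and the case-insensitive host comparison discussed earlier in the thread.

```javascript
// Added example, not Pale Moon or BankID code: a simplified CSP source-list
// checker reproducing the blocked requests in the quoted log lines.
// Assumptions: host sources are scheme://host[:port][/path] with a path that
// carries no further ':' or ';'; paths are ignored when matching (CSP 1.0
// behaviour as stated in the thread); the directive values below are
// reconstructed from the log, not the real header.

const KEYWORDS = new Set(["'self'", "'unsafe-inline'", "'unsafe-eval'", "'none'"]);
const SCHEME_SOURCE = /^[a-z][a-z0-9+.-]*:$/i; // e.g. data:
const HOST_SOURCE =
  /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(\/[^\s:;]*)?$/i;

function defaultPort(protocol) {
  return { "https:": "443", "http:": "80" }[protocol] || "";
}

// Split a directive value into the sources a strict parser accepts and the
// tokens it drops as unrecognized (the first log line above is that warning).
function parseSourceList(value) {
  const accepted = [];
  const unrecognized = [];
  for (const token of value.trim().split(/\s+/)) {
    if (token === "") continue;
    if (KEYWORDS.has(token) || SCHEME_SOURCE.test(token) || HOST_SOURCE.test(token)) {
      accepted.push(token);
    } else {
      unrecognized.push(token);
    }
  }
  return { accepted, unrecognized };
}

// Does one accepted source expression allow a request to `url`?
// Scheme, host and port are compared; scheme and host case-insensitively.
function sourceAllows(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (KEYWORDS.has(source)) return false; // keywords never match a URL
  if (SCHEME_SOURCE.test(source)) return url.protocol === source.toLowerCase();
  const m = HOST_SOURCE.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ":") return false;
  // A source without an explicit port matches only the scheme's default port.
  const urlPort = url.port || defaultPort(url.protocol);
  const wantPort = port || defaultPort(url.protocol);
  if (wantPort !== "*" && wantPort !== urlPort) return false;
  const h = host.toLowerCase();
  const u = url.hostname.toLowerCase();
  if (h === "*") return true;
  if (h.startsWith("*.")) return u.endsWith(h.slice(1)) && u.length > h.length - 1;
  return h === u;
}

// Is a request to `requestUrl` allowed by a directive value such as
// "https://csfe.bankid.no:443 ..." (the part after "connect-src")?
function isAllowed(directiveValue, requestUrl, pageOrigin) {
  const { accepted } = parseSourceList(directiveValue);
  const url = new URL(requestUrl);
  return accepted.some((s) => sourceAllows(s, url, pageOrigin));
}

// Inline scripts need 'unsafe-inline'; 'unsafe-eval' only covers eval()-style
// string execution, so the second and third log lines above are expected.
function allowsInline(directiveValue) {
  return parseSourceList(directiveValue).accepted.includes("'unsafe-inline'");
}

// --- Sample input, constructed from the log lines in the thread -------------
const PAGE_ORIGIN = "https://csfe.bankid.no"; // assumed origin of the applet page
const SESSION_SOURCE =
  "https://customerportal.edb.com/authpub/bankid%3Bxjsessionid=00006wPkzmsuPqft2-AgACs4m4s:1924cl5bk";
const CONNECT_SRC = "https://csfe.bankid.no:443 " + SESSION_SOURCE; // what the log implies was sent
const SCRIPT_SRC = "https://csfe.bankid.no:443 'unsafe-eval'";
const FIXED_CONNECT_SRC = "https://csfe.bankid.no:443 https://customerportal.edb.com"; // scheme://host form
const CALLBACK =
  "https://customerportal.edb.com/authpub/bankid;xjsessionid=00006wPkzmsuPqft2-AgACs4m4s:1924cl5bk";

function demo() {
  return {
    dropped: parseSourceList(CONNECT_SRC).unrecognized, // the session-ID URL
    callbackBlocked: !isAllowed(CONNECT_SRC, CALLBACK, PAGE_ORIGIN), // true, as logged
    callbackAllowedAfterFix: isAllowed(FIXED_CONNECT_SRC, CALLBACK, PAGE_ORIGIN), // true
    dataUriBlocked: !isAllowed(SCRIPT_SRC, "data:text/javascript;base64,", PAGE_ORIGIN), // true
    inlineBlocked: !allowsInline(SCRIPT_SRC), // true
  };
}

console.log(demo());
```

Once the session-ID source is dropped at parse time, the only connect-src entry left is csfe.bankid.no, so the round-trip to customerportal.edb.com is refused exactly as the third log line records; listing the host as a plain scheme://host source makes the same request pass without touching the browser's CSP handling.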
-
- Board Warrior
- Posts: 1622
- Joined: 2015-07-23, 16:09
- Location: Norway
Re: BankID 2.0 bug
Thanks for your answer, Moonchild.
Moonchild wrote: The Norwegian Bank-ID people need to fix their scripting.
I understand.
..but as much as I can appreciate that, the simple fact is that it works with other browsers.
And as long as things work with all the big contenders (IE, Chrome, Firefox, etc..) my guess is that they're NOT going to fix it!
Most users don't really care if a web page is following standards or not..
They just want things to work.
Before switching to Pale Moon, I was a long-time Opera user (before it turned to the dark side).
..and I encountered a lot of similar problems.
Opera were really adamant about running a strict policy for their Presto engine, not deviating from web standards..
As a result, a lot of pages wouldn't render properly, and users were forced into using other browsers that contained workarounds.
There will always be a lot of stuff out there that's NOT following the standards.
..and most browsers are filled with various workarounds these days, to fix these problems.
So, how about adding a BankID 2.0 workaround in Pale Moon?
I WILL report your findings to BankID.no of course, but I bet that they already know about it, and just don't care.
So far they've been very arrogant when I've reported problems, and they didn't even have the courtesy to answer my last report regarding this issue.
--
EDIT:
New report sent to BankID.no.
Re: BankID 2.0 bug
Moonchild wrote: You can't pass a full URL like that and expect it to work - they need to adjust their script to only pass the scheme://host:port or scheme://host:port/path as CSP rule.
As OP said, trying to convince a large institution that their scripting is all wrong is pretty much an exercise in futility, given that it works in other browsers.
Something you could do is to limit the string up to the slash succeeding scheme://host:port/
-
- Lunatic
- Posts: 369
- Joined: 2015-07-28, 11:10
- Location: Earth
Re: BankID 2.0 bug
Or OP can simply turn off CSP, as those bankid monkeys surely don't know what they are doing and have it broken anyway.
What would be good is the ability to turn off CSP on a per-site basis. This can be done with an addon, I think, but is there such an addon in existence?
-
- Pale Moon guru
- Posts: 37640
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: BankID 2.0 bug
I'm not going to break the CSP standard for any one organization. CSP is there to protect the user, not companies. It's an effective way of preventing XSS as a whole -- but only if used properly. If bank-ID is essential for your use, then they are effectively forcing you to configure your browser in a less secure way to use it -- for a financial transaction... just because they don't use it properly.
I don't expect to convince anyone to adhere to standards that are there to protect their users if they don't care. All I can do is point out that what they are doing is wrong, and it's up to them to fix it. This is their core business though as a dedicated Bank-ID company, I'd expect them to be responsive to these kinds of reports. If I lived in Norway and had to deal with this, I'd file official complaints at my bank who can then pass it on to the ID people in an official capacity -- but I don't, so it'll be up to the Norwegians to make a fuss.
It's unfortunate that other browsers apparently use a more lax implementation that somehow swallows this as valid, and that those browsers are used as a measuring rod. I'd call it a security hazard, because if it accepts this as valid CSP, then what exactly is it protecting you from?
"A dead end street is a place to turn around and go into a new direction" - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
- Pale Moon guru
- Posts: 37640
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: BankID 2.0 bug
squarefractal wrote: Something you could do is to limit the string up to the slash succeeding scheme://host:port/
There is no requirement for a trailing slash.
"A dead end street is a place to turn around and go into a new direction" - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
- Board Warrior
- Posts: 1622
- Joined: 2015-07-23, 16:09
- Location: Norway
Re: BankID 2.0 bug
Moonchild wrote: If I lived in Norway and had to deal with this, I'd file official complaints at my bank who can then pass it on to the ID people in an official capacity
I just did (again)!
-
- Board Warrior
- Posts: 1622
- Joined: 2015-07-23, 16:09
- Location: Norway
Re: deviantART watch 2.0 broken
Moderator note: moved from another thread as off-topic
On a side note, BankID 2.0 coding has STILL not been fixed here in Norway!:
http://forum.palemoon.org/viewtopic.php?f=29&t=8911/
..nor does it seem that they have ANY intention to do so, as their sloppy approach now has been accepted by all other browsers that I'm aware of.
-
- Pale Moon guru
- Posts: 37640
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: BankID 2.0 bug
nettkonto.no currently loads BankID just fine (asks for a personal number) in 25.8.
"A dead end street is a place to turn around and go into a new direction" - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
- Board Warrior
- Posts: 1622
- Joined: 2015-07-23, 16:09
- Location: Norway
Re: BankID 2.0 bug
Moonchild wrote: nettkonto.no currently loads BankID just fine (asks for a personal number) in 25.8.
Really!?
Not for me.
It just gives off the error code "BID-2030".
Works just fine in Opera though, which is the only other browser that I've got installed at the moment.
I'll test it with Pale Moon on a different computer later on.
-
- Pale Moon guru
- Posts: 37640
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: BankID 2.0 bug
I'm sorry, I forgot that I had disabled CSP. You are correct.
I'll see if I can at least make the check more lenient to full URLs, but it's still a terrible practice to have full URLs just plastered in CSP headers.
"A dead end street is a place to turn around and go into a new direction" - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite