########################################################################################## ADBLK-24: Barclays Bank Login Page Hangs ########################################################################################## Issue Type: Bug ----------------------------------------------------------------------------------------- Issue Information ==================== Priority: Major Status: Closed Resolution: Fixed (2021-05-26 17:36:14) Project: Adblock Lists (ADBLK) Reported By: btasker Assigned To: btasker Time Estimate: 0 minutes Time Logged: 0 minutes ----------------------------------------------------------------------------------------- Issue Description ================== Barclays, unfortunately, have quite a privacy (and arguably, security) hostile login page, as it runs a tracker. However, it's not currently possible to enter details and login because they've not coded that tracker defensively. When you hit https://bank.barclays.co.uk/olb/authlogin/loginAppContainer.do#/identification the page will render, but if you try and click into a field to enter details (say, your last name), nothing will happen and keystrokes won't appear to register. This is because in the background, javascript is repeatedly trying to send events to /ftb/img/clarisite/cls_rpt.gif: -- BEGIN SNIPPET -- https://bank.barclays.co.uk/ftb/img/clarisite/cls_rpt.gif?v=2&sn=2&p=dc60c4b5-c132-454e-becb-cc1ecd8203d7&sp=%2Fidentification&e=kibg7o9s~22~-~Nm_GET*u_L2F1dGhsb2dpbi9wYXJ0aWFscy9oZWFkZXIuaHRtbD92PTE2MDM3MTIwMDc2ODI%3D*uh_-6yzndd*d_33*s_5k~-~-~~kibg7oa5~22~-~Nm_GET*u_L2F1dGhsb2dpbi9wYXJ0aWFscy9mb290ZXIuaHRtbD92PTE2MDM3MTIwMDc2ODI%3D*uh_-z3wd3z*d_3f*s_5k~-~-~~kibg7p0e~22~-~Nm_GET*u_L2F1dGhsb2dpbi9wYXJ0aWFscy9pZGVudGlmaWNhdGlvbi5odG1sP3Y9MTYwMzcxMjAwNzY4Mg%3D%3D*uh_rtrxke*d_tk*s_5k~-~-~~kibg7pef~27~-~-~co.3_MTV3XzF3~-~~kibg7peh~29~-~N15w_1w~ft.0_0~-~~kibg7pf6~35~-~N1_kibg7nqj*2_0*4_kibg7nqm*5_kibg7nqv*7_kibg7nqv*8_kibg7nr5*10_kibg7nrg*13_kibg7nss*15_kibg7nt7*17_kibg7nvx*19_kibg7o71*20_kibg7o71*21_kibg7o75*nt_0*rc_0*bt_1jr~vn.2_U3RlcCAxOiBZb3VyIGRldGFpbHMgLSBMb2dpbiAtIG15QmFyY2xheXM%3D~-~~kibg7pfk~22~-~Nm_POST*u_L29sYi9hdXRobG9naW4vY29udGVudC9TUlBGb290ZXJDb250ZW50Lmpzb24%3D*uh_p5hej0*d_15l*s_5k~-~-~~kibg7pgk~22~-~Nm_GET*u_L2F1dGhsb2dpbi9wYXJ0aWFscy9lcnJvci1tZXNzYWdlcy1iYWNrZW5kLmh0bWw%2Fdj0xNjAzNzEyMDA3Njgy*uh_-nlyyfw*d_13c*s_5k~-~-~~kibg7po4~22~-~Nm_POST*u_L29sYi9hdXRobG9naW4vY29udGVudC9Mb2dpblN0ZXAxTm9TYXZlZE1lbWJlckRlY291cGxlZC5qc29u*uh_-xsx3eu*d_1au*s_5k~-~-~~kibg7poo~22~-~Nm_POST*u_L29sYi9hdXRobG9naW4vYnJvd3NlckRhdGEuanNvbg%3D%3D*uh_jufh1n*d_1bd*s_5k~-~-~~kibg7pov~34~-~NcGFnZU5hbWU%3D_b25sOmxvZ29uOkxvZ2luTG9naW46U3RlcDFZb3VyRGV0YWlsc0xvZ2luTXlCYXJjbGF5cw%3D%3D~-~-~~kibg7qi9~29~-~N15w_1w~ft.0_0~-&clsjsv=5.6.150B55&pid=dc60c4b5-c132-454e-becb-cc1ecd8203d7 -- END SNIPPET -- However, this path is blocked in the EasyPrivacy List The calls are triggered after calls to smetrics.barclays.co.uk like the one below -- BEGIN SNIPPET -- https://smetrics.barclays.co.uk/b/ss/barukprod/1/H.25.1/s05467886217368?AQB=1&ndh=1&t=5%2F11%2F2020%208%3A42%3A17%206%200&ns=barclaysuk&cdp=3&g=https%3A%2F%2Fbank.barclays.co.uk%2Folb%2Fauthlogin%2FloginAppContainer.do%23%2Fidentification&cc=GBP&c16=%2Folb%2Fauth%2FLoginLink.action&c17=D%3Dc16&pe=lnk_o&pev2=Onl%3AStep1WhoAreYouLogInMyBarclays%3Alogon%3ALogin%3AmembershipNumber&s=1920x1080&c=24&j=1.6&v=N&k=Y&bw=1920&bh=852&p=Chromium%20PDF%20Plugin%3BChromium%20PDF%20Viewer%3B&AQE=1 -- END SNIPPET -- Blocking this domain in it's entirety resolves the issue. Based on the path name, and filenames, the underlying "solution" is probably Clarisite Analytics (well, Glassbox now - https://glassboxdigital.com/ ) version 5.6.15. ----------------------------------------------------------------------------------------- Activity ========== ----------------------------------------------------------------------------------------- 2020-12-05 08:58:37 btasker ----------------------------------------------------------------------------------------- If you leave the page dormant in a tab for a while, and then go back, the JS gives up and you can enter details. There's an event that fires, trying to report back to cls_rpt.gif whenever you bring any form element into focus. ----------------------------------------------------------------------------------------- 2020-12-05 09:10:10 btasker ----------------------------------------------------------------------------------------- Have added a domain block for smetrics.barclays.co.uk along with an explicit path block for bank.barclays.co.uk/ftb/img/clarisite so that if this comes up again, it'll be easier to refer back to this issue. With those blocked, the login page functions without issue. https://github.com/bentasker/adblocklists/commit/58c07008c4134f94c466a82843bba90737b8be2d ----------------------------------------------------------------------------------------- 2020-12-07 15:52:56 git ----------------------------------------------------------------------------------------- -- BEGIN QUOTE -- Repo: adblocklists Commit: 58c07008c4134f94c466a82843bba90737b8be2d Author: B Tasker