
#26 2025-12-03 18:21:57

preconiseencaustic
Member
Registered: 2022-11-15
Posts: 19

Re: Only desktop has networking issues with banking website logins

I do get a CORS error on page load for the login screen at https://www.discover.com/login/ if I'm using uBlock Origin.  It seems mostly related to tracking and advertising junk as you'd expect though.

Without ublock, there's a ton of warnings, and a few errors.  Again, this is just loading the login screen, not actually trying to log in:

Two errors:
GET
https://h64.online-metrix.net/<long_path>
Fingerprinting

POST
https://173bf10e.akstat.io/
NS_BINDING_ABORTED

Neither looks important to me.


Sending the login attempt gives the following:

XHR POST
https://portal.discover.com/enterprise/universal-login/v1/login
CORS Missing Allow Origin

XHR OPTIONS
https://portal.discover.com/enterprise/universal-login/v1/login
[HTTP/1.1 200 OK 204ms]

XHR POST
https://smetrics.discover.com/ee/va6/v1/interact?configId=<long_id>
[HTTP/2 200  114ms]

XHR GET
https://unpkg.com/@rive-app/canvas@2.26.1/rive.wasm
[HTTP/3 200  0ms]

XHR GET
data:application/octet-stream;base64,<long_base64_data - no error>

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://portal.discover.com/enterprise/universal-login/v1/login. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 302.

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://portal.discover.com/enterprise/universal-login/v1/login. (Reason: CORS request did not succeed). Status code: (null).

default error happened.... index-DiphUGVN.js:160:19005
XHR GET
https://portal.discover.com/psv1/notification.html
NS_ERROR_UNEXPECTED

This is using systemd-resolved so no changes from that as expected. 

What can I try next?

Offline

#27 2025-12-03 22:22:34

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 71,519

Re: Only desktop has networking issues with banking website logins

A different bank? :P
Legit CORS errors are server bugs.


Sending the login attempt gives the following:

Do you get the same when providing some invalid junk login/password or only with your proper credentials (in which case I get a 403 but no CORS error)?

 curl -vL  https://portal.discover.com/enterprise/universal-login/v1/login > /dev/null

gets me a 404
Do you currently have issues other than with your bank?
Do you constrain/filter javascript in any way?

Have you btw. tried wiping the browser cache or using the porn mode to make sure there's no cache at play?

Offline

#28 2025-12-03 22:39:44

preconiseencaustic
Member
Registered: 2022-11-15
Posts: 19

Re: Only desktop has networking issues with banking website logins

That's the thing though, it's not a server side error (nor a web page error) as I can use a different Arch computer without issues, including my phone browser. 

The behavior is identical no matter what user/password combination is attempted, as again this never reaches their servers. 

The only other issues were those noted earlier in the thread, which we seem to have proven is unrelated.  I only use uBlock Origin for filtering, and turning it on or off doesn't change the behavior (though as per above uBlock Origin does create more errors for not loading their tracking/spyware/adware).

I've tried resetting browser cache, private browsing, and 3 different browsers in total on this computer.  I don't know what other configuration could be causing this problem, but it is seemingly specific to this computer.

Offline

#29 2025-12-03 22:55:49

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 71,519

Re: Only desktop has networking issues with banking website logins

it is seemingly specific to this computer.

pacman -Qikk ca-certificates ca-certificates-mozilla ca-certificates-utils

And check

date

on whether the system time is correct.

https://flathub.org/en/apps/org.mozilla.firefox
https://wiki.archlinux.org/title/Flatpak
Should™ largely insulate you from the OS.

Also please post the output of

curl -vL  https://portal.discover.com/enterprise/universal-login/v1/login > /dev/null

Offline

#30 2025-12-04 03:12:49

preconiseencaustic
Member
Registered: 2022-11-15
Posts: 19

Re: Only desktop has networking issues with banking website logins

Here's the flatpak full browser console output:

downloadable font: Glyph bbox was incorrect (glyph ids 149 364 400 543 582) (font-family: "DiscoverSans-Medium" style:normal weight:400 stretch:100 src index:1) source: https://www.discover.com/etc.clientlibs/dfs-core/clientlibs/clientlib-core/resources/font/discoversans/woff2/DiscoverSans-Medium.woff2
downloadable font: Glyph bbox was incorrect (glyph ids 74 149 200 364 400 543 554 582) (font-family: "DiscoverSans-Semibold" style:normal weight:400 stretch:100 src index:1) source: https://www.discover.com/etc.clientlibs/dfs-core/clientlibs/clientlib-core/resources/font/discoversans/woff2/DiscoverSans-Semibold.woff2
downloadable font: Glyph bbox was incorrect (glyph ids 74 149 233 364 367 394 400 543 554 582) (font-family: "DiscoverSans-Bold" style:normal weight:400 stretch:100 src index:1) source: https://www.discover.com/etc.clientlibs/dfs-core/clientlibs/clientlib-core/resources/font/discoversans/woff2/DiscoverSans-Bold.woff2
unreachable code after return statement
R1g:1:506126
Use of the orientation sensor is deprecated. R1g:1:183586
Use of the motion sensor is deprecated. R1g:1:183772
InstallTrigger is deprecated and will be removed in the future. R1g:1:188973
downloadable font: Glyph bbox was incorrect (glyph ids 17 18 19 22 24 28 29 31 33 34 35 37 41 50 55 58 61 64 72 79 84 90 91 93 94 95 96 99) (font-family: "dnicons" style:normal weight:400 stretch:100 src index:1) source: https://www.discover.com/etc.clientlibs/dfs-core/clientlibs/clientlib-core/resources/font/dnicons/ttf/dnicons.ttf?uucx8p
discover_toolkit.js with memeberSetup function called clientlib-base.min.ACSHASHe1ed0c675f9793cb6f47eb93b276f376.js:23:365
This page is in Quirks Mode. Page layout may be impacted. For Standards Mode use “<!DOCTYPE html>”.
mpnuq4dv8buwq7b1.js:167:9
Cookie warnings 17
Partitioned cookie or storage access was provided to “<URL>” because it is loaded in the third-party context and dynamic state partitioning is enabled. 8
Ignoring unsupported entryTypes: longtask. datadog-rum.js:1:53591
Partitioned cookie or storage access was provided to “https://cdnssl.clicktale.net/uxa/xdframe-single-domain-1.2.0.html?pid=2052” because it is loaded in the third-party context and dynamic state partitioning is enabled.
xdframe-single-domain-1.2.0.html:1:300
Partitioned cookie or storage access was provided to “https://www.googletagmanager.com/static/service_worker/5ba0/sw_iframe.html?origin=https%3A%2F%2Fwww.discover.com” because it is loaded in the third-party context and dynamic state partitioning is enabled.
sw_iframe.html:15:769
InstallTrigger is deprecated and will be removed in the future. iClcG3VpKUin5dZ5:592:9
This page is in Almost Standards Mode. Page layout may be impacted. For Standards Mode use “<!DOCTYPE html>”.
activityi;src=3470633;type=test_0;cat=globa00;ord=6564172282183;npa=0;auiddc=2022923468.1764816305;u18=/gateway/unk;u19=34853441473799312871740135740481441783;u20=;u21=;u6=;pscdl=noapi;frm=0;_tu=IFA;gtm=45fe5c21v9190712715za200zd9190712715xec;gcd=13l3l3l3l1l1;dma=0;dc_fmt=2;tag_exp=103116026~103200004~104527907~104528501~104684208~104684211~105391253~115583767~115938466~115938469~116184927~116184929~116217636~116217638~116518834;epver=2;dc_random=1764816305_dAxv9gtoU4D5dgnuYQYz3EuTnR2OePBjFA;_dc_test=1;~oref=https://www.discover.com/
The resource at “https://h64.online-metrix.net/dTbJZzRuEi0GL_BV?8507539d61fbbd6c=ivJ9HyoRni-NRGFVYT26xYgHufby7V4XQlr_Oyn1YwvOgNKuAic9_sFBHHUFPOrfNS8K7e4aLW1deCV5x6AM85pwyGZGiSw0PqBGx_-JSaAaYIH0k6hFpQu9-q-ra0sZRhv6Um7w_604hpdOUy1zfjpQs4sUShnmdgB3MuLzTkhZ2fcYjUAyHDdcdh_AVA” was blocked because Enhanced Tracking Protection is enabled.
www.discover.com
Cookie “_sp_root_domain_test_1764816305814” has been rejected for invalid domain. www.discover.com
This page is in Quirks Mode. Page layout may be impacted. For Standards Mode use “<!DOCTYPE html>”.
mYvN-JRNZbfWSu2L
WebGL warning: linkProgram: Must have a compiled fragment shader attached: Missing shader.
WebGL warning: vertexAttribI?Pointer: `index` (4294967295) must be < MAX_VERTEX_ATTRIBS.
WebGL warning: enableVertexAttribArray: -1 is not a valid `index`. This value probably comes from a getAttribLocation() call, where this return value -1 means that the passed name didn't correspond to an active attribute in the specified program.
Layout was forced before the page was fully loaded. If stylesheets are not yet loaded this may cause a flash of unstyled content. mYvN-JRNZbfWSu2L
WEBGL_debug_renderer_info is deprecated in Firefox and will be removed. Please use RENDERER. iClcG3VpKUin5dZ5:1697:18
Cookie “_fbp” has been rejected for invalid domain. www.discover.com
This page is in Quirks Mode. Page layout may be impacted. For Standards Mode use “<!DOCTYPE html>”.
Ild-BxBJIyvGGZFO
WEBGL_debug_renderer_info is deprecated in Firefox and will be removed. Please use RENDERER. R1g:1:20579
This page is in Almost Standards Mode. Page layout may be impacted. For Standards Mode use “<!DOCTYPE html>”.
activityi;src=3470633;type=consu695;cat=gatew0;ord=1266295479649;npa=0;auiddc=2022923468.1764816305;pscdl=noapi;frm=0;_tu=IFA;gtm=45fe5c21v9190712715za200zd9190712715xec;gcd=13l3l3l3l1l1;dma=0;dc_fmt=2;tag_exp=103116026~103200004~104527907~104528501~104684208~104684211~105391253~115583767~115938466~115938469~116184927~116184929~116217636~116217638~116518834;epver=2;dc_random=1764816306_xK5x63KDPUhRlI1QDWq26pXYsSeeAwYzow;_dc_test=1;~oref=https://www.discover.com/
Cookie “_tt_enable_cookie” has been rejected for invalid domain. www.discover.com
[TikTok Pixel] - Missing 'content_id' paramter
Issue: The 'content_id' parameter isn't being received. This is required for Video Shopping Ads (VSA).
Suggestion: Include the 'content_id' parameter in your source code. This is required for Video Shopping Ads (VSA). See https://ads.tiktok.com/help/article/standard-events-parameters?redirected=2 for more information. main.MTRhZTU1OWY5MA.js:1:288005
WEBGL_debug_renderer_info is deprecated in Firefox and will be removed. Please use RENDERER. R1g:1:468118
WEBGL_debug_renderer_info is deprecated in Firefox and will be removed. Please use RENDERER. R1g:1:468616
Cookie “A3” will soon be rejected because it is foreign and does not have the “Partitioned“ attribute. spp.pl
Partitioned cookie or storage access was provided to “https://sp.analytics.yahoo.com/spp.pl?a=10000&.yp=10017277&ec=Homepage” because it is loaded in the third-party context and dynamic state partitioning is enabled.

WEBGL_debug_renderer_info is deprecated in Firefox and will be removed. Please use RENDERER. 8c1e7bd4-b013-421b-8574-ee482b2ff7a7:1:8331
WEBGL_debug_renderer_info is deprecated in Firefox and will be removed. Please use RENDERER. 8c1e7bd4-b013-421b-8574-ee482b2ff7a7:1:8531
Cookie warnings 6
This page is in Quirks Mode. Page layout may be impacted. For Standards Mode use “<!DOCTYPE html>”.
cei
Cookie warnings 10
Partitioned cookie or storage access was provided to “<URL>” because it is loaded in the third-party context and dynamic state partitioning is enabled. 2
Partitioned cookie or storage access was provided to “<URL>” because it is loaded in the third-party context and dynamic state partitioning is enabled. 3
Partitioned cookie or storage access was provided to “<URL>” because it is loaded in the third-party context and dynamic state partitioning is enabled. 3
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://portal.discover.com/enterprise/universal-login/v1/login. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 302.

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://portal.discover.com/enterprise/universal-login/v1/login. (Reason: CORS request did not succeed). Status code: (null).

Zero browser plugins installed, zero changes to the browser made other than turning off the basic telemetry in Firefox (just simple settings menu, nothing fancy at all). 1.1.1.1 for DNS, nothing fancy going on at all.  Same problem unfortunately.  I thought that you might be on to something there.

$ curl -vL  https://portal.discover.com/enterprise/universal-login/v1/login > /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0   0     0   0     0     0     0  --:--:-- --:--:-- --:--:--     0* Host portal.discover.com:443 was resolved.
* IPv6: (none)
* IPv4: 23.32.118.118
*   Trying 23.32.118.118:443...
* ALPN: curl offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [1563 bytes data]
* SSL Trust Anchors:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
{ [1 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [35 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [3956 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS
* ALPN: server accepted http/1.1
* Server certificate:
*   subject: jurisdictionC=US; jurisdictionST=Delaware; businessCategory=Private Organization; serialNumber=2506695; C=US; ST=Illinois; L=Riverwoods; O=DFS Services LLC; CN=www.discovercard.com
*   start date: Mar 20 00:00:00 2025 GMT
*   expire date: Apr 20 23:59:59 2026 GMT
*   issuer: C=US; O=DigiCert Inc; CN=DigiCert EV RSA CA G2
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   subjectAltName: "portal.discover.com" matches cert's "portal.discover.com"
* SSL certificate verified via OpenSSL.
* Established connection to portal.discover.com (23.32.118.118 port 443) from <local_ip> port 38194 
* using HTTP/1.x
} [5 bytes data]
> GET /enterprise/universal-login/v1/login HTTP/1.1
> Host: portal.discover.com
> User-Agent: curl/8.17.0
> Accept: */*
> 
* Request completely sent off
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [281 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [281 bytes data]
< HTTP/1.1 404 Not Found
< strict-transport-security: max-age=63072000; includeSubDomains; preload
< x-dfsresponse: p-obd:plf:edge:<string>
< Content-Length: 0
< Date: Thu, 04 Dec 2025
< Connection: keep-alive
< Set-Cookie: Persist1=<cookie> path=/; Httponly; Secure; samesite=lax
< Set-Cookie: TS01ba2681=<cookie>; Path=/; HttpOnly; Secure; samesite=lax
< Set-Cookie: DCID=www16-aercer; path=/; secure
< Server-Timing: cdn-cache; desc=MISS
< Server-Timing: edge; dur=40
< Server-Timing: origin; dur=25
< Akamai-GRN: 0.a7551702.1764817148.22b623ce
< Set-Cookie: <cookie>; Domain=.discover.com; Path=/; Expires=<date>; Max-Age=<int>; SameSite=None; Secure
< Set-Cookie: <cookie> Domain=.discover.com; Path=/; Expires=<date>; Max-Age=<int>; SameSite=None; Secure
< Server-Timing: ak_p; desc="<timestamp>";dur=1
< 
  0     0   0     0   0     0     0     0  --:--:-- --:--:-- --:--:--     0
* Connection #0 to host portal.discover.com:443 left intact

Date is correct. 

I tried connecting my desktop to a mobile hotspot just to see what a different network does - same exact behavior. 

Maybe I should revisit the user agents?  I was using this browser extension to test: https://webextension.org/listing/userag … tcher.html  I tried this one in Chromium and Firefox.  Maybe a different approach would be better?  Any recommendations? 

$ pacman -Qikk ca-certificates ca-certificates-mozilla ca-certificates-utils
Name            : ca-certificates
Version         : 20240618-1
Description     : Common CA certificates - default providers
Architecture    : any
URL             : https://src.fedoraproject.org/rpms/ca-certificates
Licenses        : GPL-2.0-or-later
Groups          : None
Provides        : None
Depends On      : ca-certificates-mozilla
Optional Deps   : None
Required By     : amap  curl  mono  neon  perl-lwp-protocol-https  perl-mozilla-ca  python-certifi  python-httplib2  python-requests  python2-httplib2  qca-qt5  qca-qt6  qt4  veil
Optional For    : lib32-openssl  openssl  openssl-1.0  wget
Conflicts With  : ca-certificates-cacert<=20140824-4
Replaces        : ca-certificates-cacert<=20140824-4
Installed Size  : 0.00 B
Packager        : Jan Alexander Steffens (heftig) <heftig@archlinux.org>
Build Date      : Jun 2024
Install Date    : Jun 2024
Install Reason  : Installed as a dependency for another package
Install Script  : No
Validated By    : Signature

ca-certificates: 0 total files, 0 altered files
Name            : ca-certificates-mozilla
Version         : 3.118.1-1
Description     : Mozilla's set of trusted CA certificates
Architecture    : x86_64
URL             : https://firefox-source-docs.mozilla.org/security/nss/index.html
Licenses        : MPL-2.0
Groups          : None
Provides        : None
Depends On      : ca-certificates-utils>=20181109-3
Optional Deps   : None
Required By     : ca-certificates
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 1088.24 KiB
Packager        : Jan Alexander Steffens (heftig) <heftig@archlinux.org>
Build Date      : Nov 2025
Install Date    : Dec 2025
Install Reason  : Installed as a dependency for another package
Install Script  : No
Validated By    : Signature

ca-certificates-mozilla: 5 total files, 0 altered files
Name            : ca-certificates-utils
Version         : 20240618-1
Description     : Common CA certificates (utilities)
Architecture    : any
URL             : https://src.fedoraproject.org/rpms/ca-certificates
Licenses        : GPL-2.0-or-later
Groups          : None
Provides        : ca-certificates  ca-certificates-java
Depends On      : bash  coreutils  findutils  p11-kit
Optional Deps   : None
Required By     : amap  ca-certificates-mozilla  curl  jdk11-openjdk  jre-openjdk  jre7-openjdk-headless  jre8-openjdk-headless  mono  neon  perl-lwp-protocol-https  perl-mozilla-ca  python-certifi  python-httplib2  python-requests  python2-httplib2  qca-qt5  qca-qt6  qt4  veil
Optional For    : lib32-openssl  openssl  openssl-1.0  wget
Conflicts With  : ca-certificates-java
Replaces        : ca-certificates-java
Installed Size  : 13.63 KiB
Packager        : Jan Alexander Steffens (heftig) <heftig@archlinux.org>
Build Date      : Jun 2024
Install Date    : Jun 2024
Install Reason  : Installed as a dependency for another package
Install Script  : Yes
Validated By    : Signature

ca-certificates-utils: 33 total files, 0 altered files

Edit: So I just tested on the working Arch desktops and they have the same CORS errors despite working fine.  Maybe the CORS is a red herring?

Last edited by preconiseencaustic (2025-12-04 03:24:15)

Offline
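
An added example, not part of any post in this thread: curl never applies the same-origin policy, so the 404 from the plain GET cannot reproduce the two "Cross-Origin Request Blocked" console messages. The sketch below applies the browser's CORS check to a saved response header block (copied from the Network tab's raw headers, or a pasted `curl -v` dump with its `< ` prefixes). The function names and the sample headers are constructed for illustration; the origin `https://www.discover.com` is the login page's origin from the thread.

```bash
#!/bin/sh
# cors_verdict ORIGIN [include|omit] < raw-response-headers
# ORIGIN is the origin of the page issuing the XHR; the second argument is
# the request's credentials mode (assumed "include" when not given).
# Prints: status=<code> acao=<value|none> verdict=<allowed|blocked:reason>
cors_verdict() {
  tr -d '\r' | awk -v origin="$1" -v creds="${2:-include}" '
    { sub(/^< /, "") }                    # accept pasted "curl -v" output
    # Only the first response is judged: the CORS check runs on a redirect
    # response itself, before the browser would follow it.
    /^HTTP\// { if (seen++) exit; status = $2; next }
    seen && /^$/ { exit }                 # blank line ends the header block
    {
      name  = tolower(substr($0, 1, index($0, ":") - 1))
      value = substr($0, index($0, ":") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", value)
      if (name == "access-control-allow-origin")      acao = value
      if (name == "access-control-allow-credentials") acac = value
    }
    END {
      if (acao == "")                              v = "blocked:missing-allow-origin"
      else if (acao == "*" && creds == "include")  v = "blocked:wildcard-with-credentials"
      else if (acao != "*" && acao != origin)      v = "blocked:origin-mismatch"
      else if (creds == "include" && acac != "true") v = "blocked:credentials-not-allowed"
      else                                         v = "allowed"
      printf "status=%s acao=%s verdict=%s\n", status, (acao == "" ? "none" : acao), v
    }'
}

# Constructed sample: same shape as the 302 Firefox reported for the login POST.
sample_redirect() {
  printf '%s\r\n' 'HTTP/1.1 302 Found' 'Location: /constructed/elsewhere' \
    'Content-Length: 0' ''
}

# Constructed sample: a response a credentialed cross-origin XHR may read.
sample_ok() {
  printf '%s\r\n' 'HTTP/1.1 200 OK' \
    'Access-Control-Allow-Origin: https://www.discover.com' \
    'Access-Control-Allow-Credentials: true' ''
}

# Constructed sample: wildcard origin, readable only without credentials.
sample_wildcard() {
  printf '%s\r\n' 'HTTP/1.1 200 OK' 'Access-Control-Allow-Origin: *' ''
}

sample_redirect | cors_verdict https://www.discover.com
sample_ok       | cors_verdict https://www.discover.com
sample_wildcard | cors_verdict https://www.discover.com include
sample_wildcard | cors_verdict https://www.discover.com omit
```

Running the same check on the headers captured on a working machine and on the failing one shows whether the two browsers actually receive different responses for the login POST.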

#31 2025-12-04 08:34:49

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 71,519

Re: Only desktop has networking issues with banking website logins

Maybe the CORS is a red herring?

banks do not see login attempt hit their servers

What is the source of the second quote (did the bank tell you that?) and what are the actual symptoms on your side?
Has this been re-confirmed after dealing w/ the DNS situation?
Can you wireshark/tcpdump the traffic behind your computer?
Are you running some sort of firewall anywhere in the system?
Have you tried a fresh user on this or the other systems to see whether there's any cached data involved (maybe on the working systems)?

Offline

#32 2025-12-04 16:58:55

preconiseencaustic
Member
Registered: 2022-11-15
Posts: 19

Re: Only desktop has networking issues with banking website logins

Yes, in the past the bank has confirmed that they don't see any login attempts.  I'm pretty confident that this is still true, otherwise my account would get locked out after so many failed login attempts.  I'm pretty sure I'd get an email if I was locked out, and I'm 100% sure I wouldn't be able to successfully log in on the other devices.

I can use wireshark/tcpdump, but I don't have enough experience with them to know what specifically I should do and look for.  I'm more familiar with Wireshark, but would still need some guidance on what specifically to do.  I've got it set up and functional.

No firewalls present. 

I can try to make a new account on this system and see what happens.

Last edited by preconiseencaustic (2025-12-04 16:59:37)

Offline

#33 2025-12-04 20:17:52

seth
Member
From: Don't DM me only for attention
Registered: 2012-09-03
Posts: 71,519

Re: Only desktop has networking issues with banking website logins

I can use wireshark/tcpdump, but I don't have enough experience with them to know what specifically I should do and look for.

You'll have to run that *behind* the local system (eg. on a router) and see whether the traffic gets there.
You can still run it on the local host and make sure the traffic gets to the NIC.

I'd first try fresh users on this and one of the working systems as cross-test.
Do you get all the cookie warnings on the latter as well?

Offline

#34 Today 20:31:57

preconiseencaustic
Member
Registered: 2022-11-15
Posts: 19

Re: Only desktop has networking issues with banking website logins

I've finally found a chance to test this again.  Creating a new user and logging in works in both system repo Firefox and Flatpak Firefox in the new user's login, but not in my actual user's login.  Flatpak *also* seems to work on my actual user's login as well at the moment (I've made literally zero changes since then, haven't even updated system or Flatpak).  I don't see the cookie warnings at all anymore.

A private window in my actual user's system Firefox still fails, however Chromium based browsers now work at the moment.  Looks like it's, at least presently, isolated to exclusively my system Firefox on this user.  I'm not sure why a private window in this system Firefox doesn't work, but then again this entire issue is consistently inconsistent so I have no idea what to think about any of this.

Offline
