[tor-bugs] #5288 [Tor Browser]: Clickjacking + popups subvert TBB url-bar isolation

["Tor Bug Tracker & Wiki" <torproject-admin@xxxxxxxxxxxxxx>]

#5288: Clickjacking + popups subvert TBB url-bar isolation
-------------------------+--------------------------------------------------
 Reporter:  mikeperry    |          Owner:  mikeperry                    
     Type:  defect       |         Status:  new                          
 Priority:  normal       |      Milestone:  TorBrowserBundle 2.3.x-stable
Component:  Tor Browser  |        Version:                               
 Keywords:               |         Parent:                               
   Points:               |   Actualpoints:                               
-------------------------+--------------------------------------------------
 Right now, TBB treats popups as top-level content items (ie they are
 allowed to track you independently of their originating window). I think
 this is fine, because the Firefox popup blocker prevents popups from
 opening without an associated mouse click, and to me, mouse clicks
 indicate consent to visit a page and to establish a relationship with that
 page.

 However, clickjacking probably ruins that model, in that it can cause
 popups to launch for tracking content whenever the user clicks *anywhere*
 on a page.

 We include NoScript, which has some clickjacking protection.. But is it
 enough? Is it still functional if you have Javascript fully enabled? We
 should spend some time investigating current clickjacking techniques to
 see what is still possible these days.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5288>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs