[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #14985 [Tor Browser]: NoScript Clickjacking warning when clicking on embedded content
#14985: NoScript Clickjacking warning when clicking on embedded content
-------------------------+-------------------------------------------------
Reporter: | Owner: tbb-team
cypherpunks | Status: new
Type: defect | Milestone:
Priority: major | Version:
Component: Tor | Keywords: tbb-usability, tbb-4.5-regression,
Browser | TorBrowserTeam201505
Resolution: | Parent ID:
Actual Points: |
Points: |
-------------------------+-------------------------------------------------
Comment (by gk):
So this seems to be a bit tricky. The clearclick dialog shows up due to
`this.checkObstructed(o, ctx)` in ClearClickHandler.js returning `false`
now. However, it is not clear why this happens with the patch in #13439
and not without it. I am still looking for the exact reason. One thing
that puzzles me is that I get output like
{{{
getfirstPartyURI failed for about:blank: 0x80070057
}}}
without the patch in the code path that is crucial for the issue at hand
but not with it. Looking at the patch I guess this is because
`IsCallerChrome()` lets us take a shortcut now. I wonder whether
ClearClick worked at all in the 4.0.x series as I suspect the fix for
#13439 just made a different issue visible. Does anybody have an example
of a clickjacking detection by NoScript in a vanilla Firefox we could test
in 4.0.x?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14985#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs