[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #14985 [Tor Browser]: NoScript Clickjacking warning when clicking on embedded content

Subject: Re: [tor-bugs] #14985 [Tor Browser]: NoScript Clickjacking warning when clicking on embedded content
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Wed, 06 May 2015 18:52:00 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 06 May 2015 14:52:09 -0400
In-reply-to: <051.6d40ccf0518564bc72a130931f92d259@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <051.6d40ccf0518564bc72a130931f92d259@xxxxxxxxxxxxxx>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#14985: NoScript Clickjacking warning when clicking on embedded content
-------------------------+-------------------------------------------------
     Reporter:           |      Owner:  tbb-team
  cypherpunks            |     Status:  new
         Type:  defect   |  Milestone:
     Priority:  major    |    Version:
    Component:  Tor      |   Keywords:  tbb-usability, tbb-4.5-regression,
  Browser                |  TorBrowserTeam201505
   Resolution:           |  Parent ID:
Actual Points:           |
       Points:           |
-------------------------+-------------------------------------------------

Comment (by mcs):

 Kathy and I looked at this a little bit.  It seems that prior to the
 #13439 fix, we were preventing NoScript from extracting good image data
 from the canvas elements that it uses to capture images as part of its
 clickjacking protection.  With the #13439 fix in place, image data is
 returned (as it should be) but a clickjacking warning is displayed because
 the wrong portion of the window is being captured.  You can see this if
 you click on the image area of NoScript's clickjacking warning window.

 So why is the wrong portion of the image captured?  Because of the fix for
 #5856.  Specifically, NoScript's ClearClickHandler.js code relies on
 getting accurate values for window.mozInnerScreenX and mozInnerScreenY but
 it receives 0 because the document is content and not chrome.

 The #5856 patch is https://gitweb.torproject.org/tor-browser.git/commit/?h
 =tor-browser-31.6.0esr-4.5-1&id=bd3b1ed32a9c21fdc92fc35f2ec0a41badc378d5

 I am not sure what the best fix is, but I suspect that without the #13439
 fix, users will not see clickjacking warnings on sites where they should
 see them.  Does anyone know where to find a clickjacking test page?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14985#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Prev by Author: Re: [tor-bugs] #15775 [Tor]: Add IPv4 Fallback Directory List to add_default_fallback_dir_servers()
Next by Author: [tor-bugs] #15939 [Tor Browser]: Could not connect to Tor control Port (28/4/2015 to present)
Previous by thread: Re: [tor-bugs] #14985 [Tor Browser]: NoScript Clickjacking warning when clicking on embedded content
Next by thread: Re: [tor-bugs] #14985 [Tor Browser]: NoScript Clickjacking warning when clicking on embedded content
Index(es):
- Author
- Thread