Re: [tor-bugs] #14985 [Tor Browser]: NoScript Clickjacking warning when clicking on embedded content
#14985: NoScript Clickjacking warning when clicking on embedded content
-------------------------+-------------------------------------------------
Reporter: cypherpunks    | Owner: tbb-team
Type: defect             | Status: new
Priority: major          | Milestone:
Component: Tor Browser   | Version:
Resolution:              | Keywords: tbb-usability, tbb-4.5-regression,
Actual Points:           |           TorBrowserTeam201505
Points:                  | Parent ID:
-------------------------+-------------------------------------------------
Comment (by mcs):
Kathy and I looked at this a little bit. It seems that prior to the
#13439 fix, we were preventing NoScript from extracting good image data
from the canvas elements that it uses to capture images as part of its
clickjacking protection. With the #13439 fix in place, image data is
returned (as it should be) but a clickjacking warning is displayed because
the wrong portion of the window is being captured. You can see this if
you click on the image area of NoScript's clickjacking warning window.

So why is the wrong portion of the image captured? Because of the fix for
#5856. Specifically, NoScript's ClearClickHandler.js code relies on
getting accurate values for window.mozInnerScreenX and mozInnerScreenY but
it receives 0 because the document is content and not chrome.

The #5856 patch is
https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-31.6.0esr-4.5-1&id=bd3b1ed32a9c21fdc92fc35f2ec0a41badc378d5

I am not sure what the best fix is, but I suspect that without the #13439
fix, users will not see clickjacking warnings on sites where they should
see them. Does anyone know where to find a clickjacking test page?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14985#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
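
Added example (not part of the original message, and not NoScript or Tor Browser code): a simplified model of the failure described in the comment, where a capture rectangle is positioned with the inner-screen offset and a reported offset of 0 makes it land on the wrong region. The character grid, the rectangle, and the function names are constructed for illustration; how ClearClickHandler.js actually uses mozInnerScreenX/Y is not shown on this page.

```javascript
// Constructed "screen": '#' is browser chrome/border, '.' is page background,
// 'V' is the embedded content. The viewport's top-left corner is at (1, 2).
const CLEAN = [
  "##########",
  "##########",
  "#.........",
  "#..VVVV...",
  "#..VVVV...",
  "#.........",
];
// Same page with something drawn over part of the embedded content.
const OVERLAID = CLEAN.map((row, i) => (i === 3 ? "#..VXXV..." : row));

// Crop a w x h rectangle whose top-left corner is (x, y) in screen coordinates.
function capture(screen, x, y, w, h) {
  const rows = [];
  for (let r = y; r < y + h; r++) {
    rows.push((screen[r] || "").slice(x, x + w).padEnd(w, " "));
  }
  return rows;
}

// Translate a viewport-relative rect to screen coordinates with the offset the
// caller was given (the role mozInnerScreenX/Y play), then capture it.
function captureEmbedded(screen, rect, inner) {
  return capture(screen, rect.left + inner.x, rect.top + inner.y,
                 rect.width, rect.height);
}

// Modeled check: warn when what is on screen differs from the reference
// rendering of the embedded content on its own.
function wouldWarn(screen, rect, inner, reference) {
  const shot = captureEmbedded(screen, rect, inner);
  return shot.some((row, i) => row !== reference[i]);
}

const rect = { left: 2, top: 1, width: 4, height: 2 }; // viewport-relative
const reference = ["VVVV", "VVVV"];
const accurate = { x: 1, y: 2 }; // true offset of the viewport
const zeroed = { x: 0, y: 0 };   // what a content document receives after #5856

console.log(wouldWarn(CLEAN, rect, accurate, reference));    // false
console.log(wouldWarn(OVERLAID, rect, accurate, reference)); // true
console.log(wouldWarn(CLEAN, rect, zeroed, reference));      // true
console.log(captureEmbedded(CLEAN, rect, zeroed));           // [ '####', '....' ]
```

With the accurate offset the modeled check warns only for the overlaid page; with the zeroed offset it warns on the clean page as well, because the captured rows are chrome and background rather than the embedded content.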