[tbb-bugs] #14985 [Tor Browser]: NoScript Clickjacking warning when clicking on embedded content
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed May 6 18:52:00 UTC 2015
#14985: NoScript Clickjacking warning when clicking on embedded content
-------------------------+-------------------------------------------------
Reporter: | Owner: tbb-team
cypherpunks | Status: new
Type: defect | Milestone:
Priority: major | Version:
Component: Tor | Keywords: tbb-usability, tbb-4.5-regression,
Browser | TorBrowserTeam201505
Resolution: | Parent ID:
Actual Points: |
Points: |
-------------------------+-------------------------------------------------
Comment (by mcs):
Kathy and I looked at this a little bit. It seems that prior to the
#13439 fix, we were preventing NoScript from extracting good image data
from the canvas elements that it uses to capture images as part of its
clickjacking protection. With the #13439 fix in place, image data is
returned (as it should be) but a clickjacking warning is displayed because
the wrong portion of the window is being captured. You can see this if
you click on the image area of NoScript's clickjacking warning window.
So why is the wrong portion of the image captured? Because of the fix for
#5856. Specifically, NoScript's ClearClickHandler.js code relies on
getting accurate values for window.mozInnerScreenX and mozInnerScreenY but
it receives 0 because the document is content and not chrome.
The #5856 patch is https://gitweb.torproject.org/tor-browser.git/commit/?h
=tor-browser-31.6.0esr-4.5-1&id=bd3b1ed32a9c21fdc92fc35f2ec0a41badc378d5
I am not sure what the best fix is, but I suspect that without the #13439
fix, users will not see clickjacking warnings on sites where they should
see them. Does anyone know where to find a clickjacking test page?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14985#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list