[tbb-bugs] #14985 [Tor Browser]: NoScript Clickjacking warning when clicking on embedded content

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue May 5 20:12:33 UTC 2015

#14985: NoScript Clickjacking warning when clicking on embedded content
     Reporter:           |      Owner:  tbb-team
  cypherpunks            |     Status:  new
         Type:  defect   |  Milestone:
     Priority:  major    |    Version:
    Component:  Tor      |   Keywords:  tbb-usability, tbb-4.5-regression,
  Browser                |  TorBrowserTeam201505
   Resolution:           |  Parent ID:
Actual Points:           |
       Points:           |

Comment (by gk):

 So this seems to be a bit tricky. The clearclick dialog shows up due to
 `this.checkObstructed(o, ctx)` in ClearClickHandler.js returning `false`
 now. However, it is not clear why this happens with the patch in #13439
 and not without it. I am still looking for the exact reason. One thing
 that puzzles me is that I get output like
 getfirstPartyURI failed for about:blank: 0x80070057
 without the patch in the code path that is crucial for the issue at hand
 but not with it. Looking at the patch I guess this is because
 `IsCallerChrome()` lets us take a shortcut now. I wonder whether
 ClearClick worked at all in the 4.0.x series as I suspect the fix for
 #13439 just made a different issue visible. Does anybody have an example
 of a clickjacking detection by NoScript in a vanilla Firefox we could test
 in 4.0.x?

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14985#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
