[tbb-bugs] #14985 [Tor Browser]: NoScript Clickjacking warning when clicking on embedded content

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed May 6 10:56:41 UTC 2015


#14985: NoScript Clickjacking warning when clicking on embedded content
-------------------------+-------------------------------------------------
     Reporter:           |      Owner:  tbb-team
  cypherpunks            |     Status:  new
         Type:  defect   |  Milestone:
     Priority:  major    |    Version:
    Component:  Tor      |   Keywords:  tbb-usability, tbb-4.5-regression,
  Browser                |  TorBrowserTeam201505
   Resolution:           |  Parent ID:
Actual Points:           |
       Points:           |
-------------------------+-------------------------------------------------

Comment (by gk):

 It seems my hypothesis is correct: I built both a Tor Browser with
 {{{
 +  if (nsContentUtils::IsCallerChrome())
 +    return true;
 }}}
 omitted and one with the bare minimum of patches on top of ESR 31
 (basically only the canvas related + the ThirdPartyUtil API ones and some
 minor .mozconfig tweaks). In both cases there is no clearclick dialog on
 Lunar's bank's page while the canvas related patches are still working (I
 still got the popup when visiting github.com).

 I might have messed up things with the bare minimum build, though.
 However, given the time-constraints I propose to just remove the
 `IsCallerChrome()` related code snippet as the impact is less grave than
 all these clearclick false positives (basically #13439 is then an issue
 again but there should not be any warnings while rendering .pdf files)
 while bisecting for the real culprit and fixing it for the release after
 the next one.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14985#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

