[tbb-bugs] #14985 [Tor Browser]: NoScript Clickjacking warning when clicking on embedded content

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed May 6 18:52:00 UTC 2015

#14985: NoScript Clickjacking warning when clicking on embedded content
     Reporter:           |      Owner:  tbb-team
  cypherpunks            |     Status:  new
         Type:  defect   |  Milestone:
     Priority:  major    |    Version:
    Component:  Tor      |   Keywords:  tbb-usability, tbb-4.5-regression,
  Browser                |  TorBrowserTeam201505
   Resolution:           |  Parent ID:
Actual Points:           |
       Points:           |

Comment (by mcs):

 Kathy and I looked at this a little bit.  It seems that prior to the
 #13439 fix, we were preventing NoScript from extracting good image data
 from the canvas elements that it uses to capture images as part of its
 clickjacking protection.  With the #13439 fix in place, image data is
 returned (as it should be) but a clickjacking warning is displayed because
 the wrong portion of the window is being captured.  You can see this if
 you click on the image area of NoScript's clickjacking warning window.

 So why is the wrong portion of the image captured?  Because of the fix for
 #5856.  Specifically, NoScript's ClearClickHandler.js code relies on
 getting accurate values for window.mozInnerScreenX and mozInnerScreenY but
 it receives 0 because the document is content and not chrome.

 The #5856 patch is https://gitweb.torproject.org/tor-browser.git/commit/?h

 I am not sure what the best fix is, but I suspect that without the #13439
 fix, users will not see clickjacking warnings on sites where they should
 see them.  Does anyone know where to find a clickjacking test page?

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14985#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list