[tor-bugs] #5288 [Tor Browser]: Clickjacking + popups subvert TBB url-bar isolation

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Thu Mar 1 21:03:39 UTC 2012


#5288: Clickjacking + popups subvert TBB url-bar isolation
-------------------------+--------------------------------------------------
 Reporter:  mikeperry    |          Owner:  mikeperry                    
     Type:  defect       |         Status:  new                          
 Priority:  normal       |      Milestone:  TorBrowserBundle 2.3.x-stable
Component:  Tor Browser  |        Version:                               
 Keywords:               |         Parent:                               
   Points:               |   Actualpoints:                               
-------------------------+--------------------------------------------------
 Right now, TBB treats popups as top-level content items (i.e. they are
 allowed to track you independently of their originating window). I think
 this is fine, because the Firefox popup blocker prevents popups from
 opening without an associated mouse click, and to me, mouse clicks
 indicate consent to visit a page and to establish a relationship with that
 page.

 However, clickjacking probably ruins that model, in that it can cause
 popups to launch for tracking content whenever the user clicks *anywhere*
 on a page.

 We include NoScript, which has some clickjacking protection. But is it
 enough? Is it still functional if you have JavaScript fully enabled? We
 should spend some time investigating current clickjacking techniques to
 see what is still possible these days.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5288>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

