[RFE] option to disable password filling for i/frames

Bug reports and enhancement requests
Post Reply
RobertDrew
Junior Member
Posts: 32
Joined: Sun Jun 14, 2015 6:51 pm

[RFE] option to disable password filling for i/frames

Post by RobertDrew » Mon Jul 06, 2015 3:02 am

It would be useful if there were an option to disable password filling for frames and iframes. Perhaps this could be part of ABE's Anonymize action, or perhaps it would be entirely separate from ABE.

This would be useful to complement other countermeasures NoScript offers against clickjacking. These include, for example, ClearClick, forbidding i/frames, and ABE's Anonymize action. Each of these has limitations ...

Forbidding frames and iframes is a great method to prevent clickjacking which I have been using to this point, however, the click to activate functionality does not play well with the new "No Captcha" ReCaptcha. There's also of course the smaller issue that it requires the extra step of activating an i/frame before interacting with it.

ClearClick is a nice idea in theory, but the implementation allows too much possibility for bypassing the protection mechanism, since it is limited to detecting UI redressing within a certain number of pixels from the user's click, rather than for the entire i/frame.

ABE's Anonymize action almost eliminates concern for clickjacking under the user's authentication, but since the password manager is able to fill passwords within i/frames, it would be a simple matter for an attacker to clickjack on a login button (with the credentials prefilled), therefore gaining user authentication status and then being able to continue clickjacking with that status.

Therefore, currently, forbidding i/frames is the only method which I consider robust in preventing clickjacking attacks, but this method has always been a little less desirable from a user experience perspective, and now that the "No Captcha" ReCaptchas are starting to be used on more sites, I'm looking at alternative methods. Please consider implementing an option to disable password filling for i/frames; in combination with use of ABE's Anonymize action, this would provide a new robust option for preventing clickjacking.
Last edited by RobertDrew on Mon Jul 06, 2015 3:49 am, edited 1 time in total.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: [RFE] option to disable password filling for i/frames

Post by Thrawn » Mon Jul 06, 2015 3:10 am

This is not a bad idea, but I put it to you that it is a bad idea to have your credentials automatically filled in by the browser.

By all means, use a password manager; that's the only practical way to use many unique strong passwords. But don't autofill. If you really want to use the built-in password manager, you can improve it with eg the Secure Login extension, which lets you use a keyboard shortcut to populate your password. Other password managers may be worth investigating, too.

Also, although it is theoretically possible for NoScript to do this, it is a core browser feature that you would not normally expect NoScript to touch.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0

Post Reply