[RFE] option to disable password filling for i/frames
Posted: Mon Jul 06, 2015 3:02 am
It would be useful if there were an option to disable password filling for frames and iframes. Perhaps this could be part of ABE's Anonymize action, or perhaps it would be entirely separate from ABE.
This would be useful to complement other countermeasures NoScript offers against clickjacking. These include, for example, ClearClick, forbidding i/frames, and ABE's Anonymize action. Each of these has limitations ...
Forbidding frames and iframes is a great method to prevent clickjacking, which I have been using to this point; however, the click-to-activate functionality does not play well with the new "No Captcha" ReCaptcha. There's also, of course, the smaller issue that it requires the extra step of activating an i/frame before interacting with it.
ClearClick is a nice idea in theory, but the implementation allows too much possibility for bypassing the protection mechanism, since it is limited to detecting UI redressing within a certain number of pixels from the user's click, rather than for the entire i/frame.
ABE's Anonymize action almost eliminates concern for clickjacking under the user's authentication, but since the password manager is able to fill passwords within i/frames, it would be a simple matter for an attacker to clickjack on a login button (with the credentials prefilled), therefore gaining user authentication status and then being able to continue clickjacking with that status.
Therefore, currently, forbidding i/frames is the only method which I consider robust in preventing clickjacking attacks, but this method has always been a little less desirable from a user experience perspective, and now that the "No Captcha" ReCaptchas are starting to be used on more sites, I'm looking at alternative methods. Please consider implementing an option to disable password filling for i/frames; in combination with use of ABE's Anonymize action, this would provide a new robust option for preventing clickjacking.