[BUMP] ClearClick Report #434196

[Tom T.]

http://www.merryandpippin.com/

Must allow numerous scripts and objects before getting past a blank page. After finally allowing enough, the page appears. (Site tracking element left blocked; reads, "You are visitor number free web tracker to this site!).

Attempted to click link to "Send an email to Merry & Pippin". Received ClearClick Clickjacking/UI Redressing Attempt Warning.

The browser status bar shows the link leading to http://myweb.westnet.com.au/rkll/emailscript.htm. (Whatever happened to just clicking a mailto: link or a Captcha?)

The address shown in the Warning is http://myweb.westnet.com.au/rkll/

What was unusual is that clicking the image in the Warning did *not* toggle the layers. Nothing happened at all, despite repeated attempts to click the image, including closing the warning and clicking the email link to bring up the warning several more times. Still no toggle.

Thanks for any info. Incidentally, I'm familiar with the site owners, and I'm sure they're trustworthy; I believe their host has gone overboard, or perhaps they have, innocently.

[therube]

The whole merryandpippin "site" is nothing more then a frame.

Code: Select all

<html><head></head><body style="padding: 0px; margin: 0px"><iframe src="http://myweb.westnet.com.au/rkll" width="100%" height="100%"></iframe></body></html>

If I center-click that frame, this page opens, http://myweb.westnet.com.au/rkll/, & displays without allowing anything (except for the Java items which display a placeholder & are ineffectual <no Java> on my computer).

For me, then clicking "Send an email..." loads another page where I have to Allow westnet.com.au before it "generates" the mailto: "link".

---

Starting over, & simply left-clicking the frame, again the page loaded without allowing anything. In this instance, there were Java items placeholders, & then - kind of after the fact I did generate a ClearClick warning (434893). Thinking it has to do with the blinking "The latest parodies - click to read" item, & also where in particular the page (that particular line) is positioned. As I can generate (kind of consistently a ClearClick warning without even clicking anything - simply by Alt+Tabbing away & back to the page).

[therube]

Thinking it has to do with the blinking "The latest parodies - click to read" item

Code: Select all

<span style="background-color: #FFFFFF">The latest 
      parodies - click to read</span></font></b></i></blink>

Or not. Even after stopping the animated gif's & removing the "The lates parodies..." item, I can still generate the ClearClick, so maybe it just has something to do with the frame itself & the differing "domains"?

[Giorgio Maone]

Looks like a Gecko 1.8.1.x specific bug, probably in the early Mozilla Canvas implementation.
Doesn't seem reproducible on Firefox 3.5, but it is on Fx 2.x & SM 1.1.x
Investigating...

[Tom T.]

@ therube: Very interesting, thanks. But I expect most visitors would do what I did, and just TA in NS until they got there.

What kind of a web site is that, that's nothing more than a frame in the host? Is this the standard nowadays? (sheesh).

@Giorgio: Thanks. Will do a quick test with F3.5.3 Portable and see if reproducible. Results shortly.

[Tom T.]

Confirming that with F3.5.3 Portable, no Clear Click warning. But you sure do have to go through a lot of junk to get there!

Anyway, I obtained the email address, which is what I wanted, and it does seem to be confined to older Gecko as Giorgio said.

Thanks for any info on the 1.8.x Gecko bug.

[Tom T.]

Looks like a Gecko 1.8.1.x specific bug, probably in the early Mozilla Canvas implementation.
Doesn't seem reproducible on Firefox 3.5, but it is on Fx 2.x & SM 1.1.x
Investigating...

@Giorgio: Any information on this issue yet? Still getting the warning. TIA