
false clickjacking warning

Posted: Thu Apr 02, 2009 12:02 pm
by robinx
Hi,
First, my system: Kubuntu Jaunty, Firefox 3.1b3, NoScript 1.9.1.6
I have a strange problem on this site: http://www.golem.de/0903/66039.html
When the embedded YouTube video has the focus and I tune the volume (Volume UP / DOWN keystrokes) of my notebook, I get a clickjack warning.

They embed videos with this code:

Code:

<table border="0" align="center" cellpadding="0" cellspacing="0"><tr>
<td>
<script type="text/javascript" src="http://video.golem.de/jwplayer/swfobject.js"></script>
<div id="golyt_IU_reTt7Hj4">&nbsp;</div>
<script type="text/javascript">
<!--
var ytp = new SWFObject("http://www.youtube.com/v/IU_reTt7Hj4","golyt_IU_reTt7Hj4_video","480","295","7","#000000");
ytp.addParam("wmode", "transparent");
ytp.addParam("quality","high");
ytp.addParam("scale","noScale");
ytp.write("golyt_IU_reTt7Hj4");
//-->
</script>
</td>
</tr><tr>
<td class="xsmall" align="center"><div style="padding:6px;">
Video: What's in the Box - Test Film 2009
</div></td>
</tr></table>


The problem seems to be this line:

Code:

ytp.addParam("wmode", "transparent");

When I make a local copy of this site and delete that line I don't get a click jack warning.

Also, when starting Firefox from the command line, it prints:

Code:

[NoScript] [NoScript ClearClick] Swallowed event keyup on EMBED/-1 at http://www.golem.de/0903/66039.html

robinx

Re: false clickjacking warning

Posted: Thu Apr 02, 2009 12:15 pm
by Giorgio Maone
NoScript Version?
Could you use the "Report" button and tell me the assigned Report Id?

Re: false clickjacking warning

Posted: Thu Apr 02, 2009 12:24 pm
by Guest
Hi,
I already used a report but didn't note the report ID,

so I did it again

NoScript 1.9.1.6
Report ID 30637

robinx

Re: false clickjacking warning

Posted: Thu Apr 02, 2009 12:32 pm
by nagan
Pardon my ignorance. What is the report button, id and how are they generated?

Re: false clickjacking warning

Posted: Thu Apr 02, 2009 12:55 pm
by therube
The current UI has a "report" button on the dialog when clickjacking is detected.

Image

Re: false clickjacking warning

Posted: Thu Apr 02, 2009 11:46 pm
by GµårÐïåñ
nagan wrote: Pardon my ignorance. What is the report button, id and how are they generated?


Just to add, the ClickJacking warning pops up only when it detects an event, and on the interface there is a "Report" button which, when pressed, will send the information and give you a report ID number. Since you are on Windows, the message UI you would see is different from the one therube posted, but it is pretty much the same concept and straightforward as to what to do with it when you get it.

Here is a Windows example (please disregard the color, I use a dark theme, but it shows the current UI and the buttons and everything):

[Image: generated on Blogger, clicking the toolbar to log in]