Tabnagging fail?

mrmeval
Posts: 2
Joined: Tue Jul 06, 2010 10:38 pm

Post by mrmeval »

I went looking for information about tabnabbing and found a site that implements the attack. It's an example site, not a malware site.

I personally would like to see it disabled by default but you've done well in delaying it till the tab is clicked. Is it possible to maybe shade the tab red when they pull that crap?

I've set it to 3 to disable it. OK, this failed to work in that it flips trusted or untrusted when unfocused.

Thanks
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.4) Gecko/20100622 Fedora/3.6.4-1.fc13 Firefox/3.6.4
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Tabnagging fail?

Post by Giorgio Maone »

mrmeval wrote: I've set it to 3 to disable it. OK, this failed to work in that it flips trusted or untrusted when unfocused.
If the site uses JavaScript to morph itself when unfocused, the only defense you've got is keeping JavaScript disabled on it.
The "forbidBGRefresh" feature is meant to block the scriptless attack: that's why its default is "1" rather than "3", because blocking background refreshes on trusted sites is pointless since JavaScript has almost infinite ways to pull this attack without refreshing.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
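
The reply above separates the script-driven attack from the scriptless one that "forbidBGRefresh" targets. As an added example (not from this thread and not NoScript's code), the sketch below audits a page's markup for the scriptless shape: a timed `<meta http-equiv="refresh">` that sends the tab to another origin. The helper names, the sample page and the "delayed plus cross-origin" heuristic are assumptions made for illustration.

```javascript
// Added illustration: helper names and sample values are constructed.
// Extract <meta http-equiv="refresh"> directives: delay in seconds plus optional URL.
function parseMetaRefresh(html) {
  const found = [];
  for (const [tag] of html.matchAll(/<meta\b[^>]*>/gi)) {
    const attrs = {};
    const attrRe = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
    for (const m of tag.matchAll(attrRe)) {
      attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
    }
    if ((attrs['http-equiv'] || '').toLowerCase() !== 'refresh') continue;
    const c = /^\s*(\d+)\s*(?:[;,]\s*(?:url\s*=\s*)?['"]?([^'"]*)['"]?)?\s*$/i
      .exec(attrs.content || '');
    if (c) found.push({ delay: Number(c[1]), target: c[2] ? c[2].trim() : null });
  }
  return found;
}

// Resolve each refresh against the page URL and flag the risky shape:
// a delayed refresh that lands on a different origin (heuristic, an assumption).
function flagBackgroundRefresh(html, pageUrl) {
  const here = new URL(pageUrl);
  return parseMetaRefresh(html).map((r) => {
    let dest;
    try { dest = r.target ? new URL(r.target, here) : here; }
    catch { return { ...r, dest: null, crossOrigin: true, suspicious: true }; }
    const crossOrigin = dest.origin !== here.origin;
    return { ...r, dest: dest.href, crossOrigin, suspicious: r.delay > 0 && crossOrigin };
  });
}

// Constructed sample: one delayed cross-origin refresh, one plain self-reload.
const SAMPLE_PAGE_URL = 'https://news.example.com/article';
const SAMPLE_HTML = `
<html><head>
<meta http-equiv="refresh" content="30; url=https://login.example.net/">
<META HTTP-EQUIV=refresh CONTENT='5'>
</head><body>article text</body></html>`;

for (const r of flagBackgroundRefresh(SAMPLE_HTML, SAMPLE_PAGE_URL)) {
  console.log(`${r.suspicious ? 'FLAG' : 'ok  '} delay=${r.delay}s -> ${r.dest}`);
}
```

A check like this only sees markup; it says nothing about a page that changes itself with JavaScript, which is the case the reply says cannot be handled by blocking refreshes.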
mrmeval
Posts: 2
Joined: Tue Jul 06, 2010 10:38 pm

Re: Tabnagging fail?

Post by mrmeval »

Drat! Thanks.
Giorgio Maone wrote:
mrmeval wrote: I've set it to 3 to disable it. OK, this failed to work in that it flips trusted or untrusted when unfocused.
If the site uses JavaScript to morph itself when unfocused, the only defense you've got is keeping JavaScript disabled on it.
The "forbidBGRefresh" feature is meant to block the scriptless attack: that's why its default is "1" rather than "3", because blocking background refreshes on trusted sites is pointless since JavaScript has almost infinite ways to pull this attack without refreshing.
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.4) Gecko/20100622 Fedora/3.6.4-1.fc13 Firefox/3.6.4