We know that clickjacking is going to be a threat that will be with us for a couple of years, re:
http://jeremiahgrossman.blogspot.com/20 ... -2017.html
Now I stumbled upon the following info in some google cache of a page, as the info was no longer there online:
re: http://74.125.77.132/search?q=cache:Ia6 ... =firefox-a
As I do not know how long the cache info will remain there, I give you this info as I quote:
What if the author is right in what he claims here (that NoScript does not protect against these specific forms of clickjacking), and is this a realistic threat now or in the future?

Embed content via an OBJECT.
Normally, CODEBASE and CLASSID are used to fetch data for an OBJECT, similarly for APPLETS. However, the DATA attribute makes it possible to render an OBJECT as an embedded IFRAME as we can see in the example below. In figure 1 we see a regular IFRAME that is successfully blocked by NoScript. Figure 2 shows an OBJECT that is rendered as an IFRAME, successfully bypassing the IFRAME protection.
[[0x000000.com]]
The code below allows for remote embedding as seen in figure 2.
<object data="http://www.google.com" width="200" height="200"></object>
This will successfully fetch the document residing on a remote server, and start to act as an IFRAME. The latest version of NoScript allows its users to block iframes in order to protect themselves from "Clickjacking". Whether or not Clickjacking works with Iframes, I do not know since the details are not released by Hansen, Grossman et al[2]. Certainly NoScript's current protection will fail if an OBJECT is used to replace an IFRAME, making its protection vulnerable to bypass a priori.
Moreover, it is important to know that one does not need Javascript to hijack "clicks" or other mouse-events. I discussed hijacking events on a LABEL element to pass the event through to a submit button, exactly one month ago[3]. This way, one is able to hijack user events to perform a CSRF for example, or hijack forms/iframes with it[4], and it is nearly impossible to prevent because it does not rely on Javascript at all.
[1] hxtp://www.w3.org/TR/REC-html40/struct/objects.html
[2] hxtp://ha.ckers.org/blog/20080915/clickjacking/
[3] hxtp://www.0x000000.com/index.php?i=312
[4] hxtp://trickeries.com/216/an-interesting-csrf-attack/
Waiting for your comments
luntrus
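As an added example (not from the quoted post, and not NoScript's code), the small Python scanner below runs over a constructed HTML page and shows why a client-side filter that matches only IFRAME is incomplete: an OBJECT's DATA attribute and an EMBED's SRC pull in a remote document the same way. The sample markup and host names are constructed for the demonstration.

```python
"""Find elements that embed a remote document in an HTML page (constructed example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements, and the attribute carrying the URL, that render another document
# inline. A filter that only looks for IFRAME misses the last two entries.
EMBEDDING_ATTRS = {
    "iframe": "src",
    "frame": "src",
    "object": "data",
    "embed": "src",
}


class EmbedScanner(HTMLParser):
    """Collects (tag, url) for every embedding element whose URL is cross-origin."""

    def __init__(self, page_host, tags):
        super().__init__()
        self.page_host = page_host.lower()
        self.tags = tags
        self.found = []

    def handle_starttag(self, tag, attrs):
        attr_name = self.tags.get(tag)
        if attr_name is None:
            return
        url = dict(attrs).get(attr_name)
        if not url:
            return
        host = urlparse(url).hostname
        # Relative URLs (no host) and same-host URLs are not cross-origin embeds.
        if host and host.lower() != self.page_host:
            self.found.append((tag, url))


def cross_origin_embeds(html, page_host, tags=EMBEDDING_ATTRS):
    """Return the cross-origin embedding elements found in html, in document order."""
    scanner = EmbedScanner(page_host, tags)
    scanner.feed(html)
    return scanner.found


# Constructed sample: an IFRAME and an OBJECT both load the same remote page.
SAMPLE = """<html><body>
<iframe src="http://www.example.com/login"></iframe>
<object data="http://www.example.com/login" width="200" height="200"></object>
<embed src="/local/movie.swf">
<img src="http://cdn.example.org/logo.png">
</body></html>"""

if __name__ == "__main__":
    print("iframe-only filter:", cross_origin_embeds(SAMPLE, "hosting-page.test", {"iframe": "src"}))
    print("complete filter:   ", cross_origin_embeds(SAMPLE, "hosting-page.test"))
```

The iframe-only filter reports one element while the complete filter also reports the OBJECT, which is the gap the quoted post describes. The durable countermeasure is server-side: the Content-Security-Policy frame-ancestors directive restricts embedding through frame, iframe, object and embed alike.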