http://forums.mozillazine.org/viewtopic ... 5#p9309545
therube wrote:
A happy camper here
accessibility.blockautorefresh looks to be working in a current <SeaMonkey> Trunk.
...
Hmm. Now maybe we could use a little more fine grained control.
Anyhow, it makes me just that little bit more in control over Bank of America.
forbidBGRefresh blocks images opened in tab
Re: forbidBGRefresh blocks images opened in tab
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a5pre) Gecko/20100527 SeaMonkey/2.1a2pre
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: forbidBGRefresh blocks images opened in tab
therube wrote:
> > NoScript actually deferred the refresh until the tab gets selected again
> But then wouldn't that allow the refresh even on pages where you do not want it to?

Yes, but there are other means to block refresh unconditionally (built-in in Firefox).
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
-
- Ambassador
- Posts: 1586
- Joined: Fri Mar 20, 2009 4:47 am
- Location: Colorado, USA
Re: forbidBGRefresh blocks images opened in tab
therube wrote:
> > NoScript actually deferred the refresh until the tab gets selected again
> But then wouldn't that allow the refresh even on pages where you do not want it to?

I agree. This doesn't seem to mitigate the exploit.
I do want to keep the current behavior where whitelisted or excepted sites continue to be reloaded even while they're in the background. I currently use RefreshBlocker to block that by default and use its whitelist on a few sites.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.4) Gecko/20100527 Firefox/3.6.4
- Ambassador
Re: forbidBGRefresh blocks images opened in tab
Giorgio Maone wrote:
> therube wrote:
> > But ... thinking that whitelisting may still be a hassle, might not be a desired approach?
> I'm actually planning an easier way:
> - Replacing the built-in Firefox notification with one provided by NoScript like the "Forbid META inside NOSCRIPT" one (so Seamonkey 2.x users get the notification as well)
> - Having two buttons in the notification, "Follow" and "Always Follow", the latter of which adds the 2nd level domain to the exceptions pattern.

I prefer this approach.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.4) Gecko/20100527 Firefox/3.6.4
- Giorgio Maone
Re: forbidBGRefresh blocks images opened in tab
Alan Baxter wrote:
> therube wrote:
> > > NoScript actually deferred the refresh until the tab gets selected again
> > But then wouldn't that allow the refresh even on pages where you do not want it to?
> I agree. This doesn't seem to mitigate the exploit.

It does mitigate the exploit at hand because the refresh would never happen "while you're not looking at the page", and you couldn't be fooled into clicking the tab believing it's a different site.
[EDIT]
Furthermore, while I'm testing this approach, I noticed that since the attacker (at least in Aviv Raff's PoC) goes to great lengths to make the phishing refresh happen only when you're not looking at the page, that "malicious" refresh just never happens. So long for tabnabbing. A generic refresh blocking feature with whitelists and all is a different matter, which may or may not be worth a NoScript feature (since alternatives exist, AFAIK).
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Re: forbidBGRefresh blocks images opened in tab
To me, the issue is confusing enough. Even seeing it happen & realizing what is happening would still be confusing. Much less to those unfamiliar.
So if the purpose is to block a refresh, then do it.
Cause seeing something happen & understanding what you are seeing could be two different things.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a5pre) Gecko/20100527 SeaMonkey/2.1a2pre
- Giorgio Maone
Re: forbidBGRefresh blocks images opened in tab
therube wrote:
> So if the purpose is to block a refresh, then do it.

See my EDIT above. If there's malicious intent and it tries to conceal itself (like in Aviv Raff's case), the refresh just doesn't happen.
On the other hand, if the page refreshes unconditionally in the open (which hardly qualifies as an attack), you need a different countermeasure and even 1.9.9.81 as it is can't help: you need to block every refresh (even those happening in front of your eyes), and you already have means to do it (in Firefox at least).
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
- Ambassador
Re: forbidBGRefresh blocks images opened in tab
Giorgio Maone wrote:
> It does mitigate the exploit at hand because the refresh would never happen "while you're not looking at the page", and you couldn't be fooled into clicking the tab believing it's a different site.

OK. I see what you mean now. BTW, some people browse their tabs with Ctrl+PgUp/PgDn and don't go by the tab title or favicon (which may be so small as to be unreadable anyhow). I suppose seeing some unrelated site refresh itself to a gmail page right in front of my eyes would cause a WTF moment for me and I wouldn't trust the result. (Assuming I'm looking at the page while switching to it.)

> [EDIT]
> Furthermore, while I'm testing this approach, I noticed that since the attacker (at least in Aviv Raff's PoC) goes to great lengths to make the phishing refresh happen only when you're not looking at the page, that "malicious" refresh just never happens. So long for tabnabbing. A generic refresh blocking feature with whitelists and all is a different matter, which may or may not be worth a NoScript feature (since alternatives exist, AFAIK).

I suspect my use of RefreshBlocker may prevent tabnapping from happening on a non-whitelisted site anyhow. Since I have sites blacklisted by default in RefreshBlocker, it's obvious that clicking through a notification bar isn't too disturbing for me. Thank goodness RefreshBlocker supports whitelisting though.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.4) Gecko/20100527 Firefox/3.6.4
Re: forbidBGRefresh blocks images opened in tab
> (Assuming I'm looking at the page while switching to it.)

That could be a big assumption for some (myself included).
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a5pre) Gecko/20100527 SeaMonkey/2.1a2pre
- Giorgio Maone
Re: forbidBGRefresh blocks images opened in tab
Please check latest development build. It seems quite effective against tabnabbing, while not getting in your way when refreshes are legit (they automatically happen after the tab is kept in focus for one second).
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
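
The policy this thread converges on (hold a refresh requested by a background tab, release it once the tab has been kept in focus for one second, and skip the hold for excepted 2nd-level domains), as an added sketch that is not part of any post and is not NoScript's code. The class, method and host names are hypothetical, and the timeline is constructed.

```javascript
// Added illustration, not NoScript source code.
const FOCUS_GRACE_MS = 1000; // thread: refresh follows after one second in focus

class RefreshGate {
  constructor(exceptions = []) {
    this.exceptions = new Set(exceptions); // 2nd-level domains added via "Always Follow"
    this.focusedSince = null;              // null while the tab is in the background
    this.pending = null;                   // target of a held refresh, if any
    this.followed = [];                    // refreshes actually carried out
  }
  // Naive 2nd-level domain (assumption: ignores suffixes such as co.uk).
  static baseDomain(host) { return host.split('.').slice(-2).join('.'); }

  focus(now) { this.focusedSince = now; }
  blur() { this.focusedSince = null; }     // leaving the tab resets the grace clock

  watched(now) {
    return this.focusedSince !== null && now - this.focusedSince >= FOCUS_GRACE_MS;
  }
  // The page asks to refresh or redirect itself.
  request(host, target, now) {
    if (this.exceptions.has(RefreshGate.baseDomain(host)) || this.watched(now)) {
      this.followed.push(target);
      return 'followed';
    }
    this.pending = target;                 // hold it; nothing changes behind the user's back
    return 'held';
  }
  // Timer callback: release a held refresh once the user has been looking long enough.
  tick(now) {
    if (this.pending === null || !this.watched(now)) return 'waiting';
    this.followed.push(this.pending);
    this.pending = null;
    return 'followed';
  }
}

// Constructed timeline (milliseconds); hosts and targets are placeholders.
function runTimeline() {
  const gate = new RefreshGate(['example.org']);
  const steps = [];
  steps.push(gate.request('blog.example.com', '/changed-page', 5000)); // tab in background
  steps.push(gate.tick(9000));                                         // still in background
  gate.focus(10000); gate.blur(); gate.focus(10400);                   // brief glance resets clock
  steps.push(gate.tick(11000));                                        // only 600 ms in focus
  steps.push(gate.tick(11400));                                        // 1000 ms in focus
  gate.blur();
  steps.push(gate.request('status.example.org', '/', 20000));          // excepted domain
  return steps;
}
```

The held refresh is only ever carried out in front of the user, which is the property argued for in the thread; excepted sites keep reloading in the background.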