Hi there,
Just read on The Register about an attack which targets people who open a lot of tabs - essentially,
an attacking website page presents content as expected until a script detects that it's been unfocused for a
while, whereupon it re-writes its content and URL icon to resemble a likely online service like Gmail or
Facebook (possibly based on a guess from browser history or what have you).
A person with multiple tabs, the attacker hopes, won't notice the tab content change and will
assume it's genuine when they next look at that tab. It's expected that the fake content will
capture login details and then pass through to the genuine service, leaving the user none the
wiser.
My suggestion for NoScript is simple enough - have an option to revoke _temporary_ permissions on
de-focus - ideally without the usual page refresh associated with turning scripts on/off.
Permanent permissions could be regarded as trusted, or maybe make this behaviour
separately switchable for temporary and permanent permissions, with the default being
to suspend temp. permissions on defocus.
Apologies if this has already been done or considered - I did try looking through the
recent release notes and searching the forums, but only fairly quickly.
Regards,
Carl Williams
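
The attack described in the post rewrites a tab's title, icon and content while it is unfocused. As an added example (not part of the original post and not NoScript code), here is a check that snapshots a tab's identity when it loses focus and reports what changed when it regains focus. The helper names `snapshotTab` and `diffSnapshots` and the sample snapshots are constructed for illustration.

```javascript
// Added example: detect identity changes made to a tab while it was unfocused.
// snapshotTab and diffSnapshots are hypothetical helper names, not NoScript APIs.

// Capture the parts of a tab a user relies on to recognise it.
function snapshotTab(doc, loc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    title: doc.title,
    icon: icon ? icon.href : '',
    url: loc.href,
    // A login form appearing in a background tab is a strong signal.
    passwordFields: doc.querySelectorAll('input[type="password"]').length,
  };
}

// Compare the snapshot taken on defocus with the one taken on refocus.
function diffSnapshots(before, after) {
  const changes = [];
  for (const key of ['title', 'icon', 'url']) {
    if (before[key] !== after[key]) changes.push(key);
  }
  if (after.passwordFields > before.passwordFields) changes.push('passwordFields');
  return changes;
}

// Browser wiring (skipped when no DOM is present, e.g. under Node).
if (typeof document !== 'undefined') {
  let saved = null;
  document.addEventListener('visibilitychange', () => {
    if (document.hidden) {
      saved = snapshotTab(document, location);
    } else if (saved) {
      const changes = diffSnapshots(saved, snapshotTab(document, location));
      if (changes.length) console.warn('Tab changed while unfocused:', changes.join(', '));
      saved = null;
    }
  });
}

// Constructed sample snapshots: same URL, but title, icon and form content differ.
const sampleBefore = { title: 'Ten cat pictures', icon: 'https://blog.example/favicon.ico',
                       url: 'https://blog.example/cats', passwordFields: 0 };
const sampleAfter = { title: 'Sign in', icon: 'https://blog.example/mail.ico',
                      url: 'https://blog.example/cats', passwordFields: 1 };
console.log(diffSnapshots(sampleBefore, sampleAfter));
```

A check like this only helps when it runs outside the page's own control, for example in an extension content script, since a page script could otherwise remove the listener.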
Feature request/suggestion to combat "tabjacking"