[RESOLVED] Warning Clickjacking NoScript 2.1.9 & Firefox 8
Hi,
first of all, sorry for my bad English, but I'm German.
I have one question about clickjacking and the message I get from NoScript in this case,
on this page here: http://www.sempervideo.de/clickjacking-pt3
A video of this demonstration, showing that I must get a message about clickjacking, can be seen on YouTube: http://www.youtube.com/watch?v=MrAP02Roy0Y (it's in German, but you can see what I mean)
I get no warning about clickjacking from NoScript. I use the default preferences of NoScript and Firefox.
I wrote the version numbers in the subject line.
The question is: why can't I get a warning about clickjacking on this site?
Thanks for your help
Last edited by Tom T. on Wed Nov 16, 2011 5:34 am, edited 1 time in total.
Reason: mark as resolved
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.102 Safari/535.2
Re: Warning Clickjacking NoScript 2.1.9 & Firefox 8
I don't know which is more rusty: my German or my speakers. But "buttenclicken" was easy.
Please, no apologies. Your English is very good. (better than some Americans, but that's another sad story)
I'm on Firefox 3.6.24 at this time, but I should receive the same clickjack warning, and don't receive it.
I see the point -- clicking on the video of the chicken and the cat opens a different video at YouTube, which NoScript should detect and block, as in the SemperVideo demonstration. I can see the layer placed over the video, as I think support for transparency increased in later versions of Firefox. (Why???)
I'll try this on Firefox 8 and see if I can find something helpful.
One question:
Sommerrain wrote: I use the default preferences of NoScript and Firefox.
Thank you, but at the specific site in question, what do you allow in the NoScript menu -- what scripts and objects -- and what do you see as being blocked?
Also, do you use the RequestPolicy add-on? What other add-ons (extensions, "Erweiterungsmodul"?)
Danke.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24
Re: Warning Clickjacking NoScript 2.1.9 & Firefox 8
@ Sommerrain: I can't get the message in Firefox 8.0, either. I'll escalate this to Giorgio.
@ Giorgio: When I allow enough scripts to make the Clickjack demo work (naturally, it doesn't work without allowing things in NS and RequestPolicy), various errors appear, which are not constant from one try to the next, nor are they constant between F3 and F8.
Also, in Fx 3.6.24, the "evil" demo destination was opened in a new tab at YouTube.
In Fx 8.0, I could hear the demo video playing, but no new tab opened, and there was no video. Any idea why? (RP and NS TA'd the requests and objects @ YT.)
Might be different configurations, though I try to keep them the same across all browser versions. Still on 2.1.9rc4 = 2.1.9
Here are some of the messages:
Info: aus3.mozilla.org : server does not support RFC 5746, see CVE-2009-3555 (I think that was F3.6.24)
Error: gBrowser.addProgressListener was called with a second argument, which is not supported. See bug 608628.
Source File: chrome://browser/content/tabbrowser.xml
Line: 1866
Error: st_go is not defined
Source File: http://www.sempervideo.de/?p=7766
Line: 517
Error: st_go is not defined
Source File: http://www.sempervideo.de/?p=8072
Line: 517
Error: st_go is not defined
Source File: http://www.sempervideo.de/?p=8085
Line: 519
Error: st_go is not defined
Source File: http://www.sempervideo.de/?p=8085
Line: 519
Error: uncaught exception: Error: Permission denied for <http://api.flattr.com> to get property Proxy.InstallTrigger
Error: uncaught exception: Error: Permission denied for <http://platform.twitter.com> to get property Proxy.InstallTrigger
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: Warning Clickjacking NoScript 2.1.9 & Firefox 8
This is a bug triggered by a very unlikely (and unintentional, in this case) combination of frames and windowed plugins.
Fixed in NoScript 2.2, thanks.
Mozilla/5.0 (Windows NT 5.2; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0
Re: Warning Clickjacking NoScript 2.1.9 & Firefox 8
NoScript 2.2 direct is there.
But the #dev (aka 2.2rc1) comes up 404.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0a2) Gecko/20111114 Firefox/10.0a2 SeaMonkey/2.7a2
Re: Warning Clickjacking NoScript 2.1.9 & Firefox 8
therube wrote: NoScript 2.2 direct is there. But the #dev (aka 2.2rc1) comes up 404.
I believe that's because, according to the changelogs, v2.2rc1 has become stable release v2.2. Hence, no need for a dev build.
The changelog for the RC and for the stable release both show the same single item, namely, this issue fixed.
@ Giorgio: Confirmed: getting the proper ClearClick warning now. Thanks for the very prompt fix.
ETA: Also confirmed success on Fx 8.0
@ Sommerrain: I'm confident enough to mark this as Resolved now, but please post to confirm that it's working for you, too. Thanks.
Last edited by Tom T. on Wed Nov 16, 2011 5:49 am, edited 1 time in total.
Reason: add confirm 8.0
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24
Re: [RESOLVED] Warning Clickjacking NoScript 2.1.9 & Firefox
Hi,
now I think all works correctly and fine.
I go to the site and if I want to watch the video, I first get a warning for an embedded object (or so) and the second warning is about clickjacking.
But one question:
I can click the links for the website in the background and I get no warning about this. Is this correct?
I use the default preferences of NoScript and Firefox 8 again.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0
Re: [RESOLVED] Warning Clickjacking NoScript 2.1.9 & Firefox
Sommerrain wrote: but one question: I can click the links for the website in the background and I get no warning about this. Is this correct?
I'm sorry, I don't know which links you are referring to. In the background of the sempervideo site, or the background of the YouTube site that opens if you allow the clickjack?
Could you please name the links, or post a screenshot marking which ones you are asking about?
I may try this in German, in case my question is not understood.
Aufbereitet zu beitrage:
Verzeihung, ich habe nicht recht verstanden, auf welche Verbindungen Sie verweisen. Im Hintergrund von der Sempervideo Netzplatz, oder im Hintergrund des YouTube Netzplatz, der sich öffnet, wenn Sie das clickjack erlauben?
Können Sie die Verbindungen bitte nennen, oder ein Bildschirmfoto aufgeben, markiert mit die Verbindungen gezielt nach Sie fragen?
(I think I did better than Yahoo Babelfish did, with a little help from a dictionary. How bad is it?

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24
Re: in general about no script (from my use)
Wow, I am using this very sharp program to identify what is on the web pages I use. Even with a green light from McAfee (means trusted and safe), your script tool has given me the correct information of what is actually running and even who is running bad, very bad hostile JavaScripts. Thank you so much for your NoScript and the off/on feature. Now I can tell what's going on in web pages; I had no idea about how sneaky those pages are. Thanks, Scott. BTW, they are getting back at me for exposing the truth of these matters. Man, you created just what I needed, even if I pay a price from the very unhappy people; I am exposing their web pages and commenting on them as a warning to all who don't know the truth. Very good, thank you, sir.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0
Re: [RESOLVED] Warning Clickjacking NoScript 2.1.9 & Firefox
Tom T. wrote: I'm sorry, I don't know which links you are referring to. In the background of the sempervideo site, or the background of the YouTube site that opens if you allow the clickjack? Could you please name the links, or post a screenshot marking which ones you are asking about? I may try this in German, in case my question is not understood.
I can understand English better than I can speak or write it.

I mean the links in the background of the sempervideo site.
For example, behind the pic with the cute chick and hairy pussy (in the right corner) is a title called "Letzte Artikel"; in English you would say latest news.
Under this title there are some links, and you can click these links without any warning or so. My question is whether this reaction of NoScript is correct or not.
I have also made a screenshot of what I mean:
http://img27.imageshack.us/img27/457/unbekannter.jpg
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
- Giorgio Maone
Re: [RESOLVED] Warning Clickjacking NoScript 2.1.9 & Firefox
Sommerrain wrote: and under this title there are some links and these links you can click without any warning or so. And my question is whether this reaction of NoScript is correct or not.
It is correct, because both the top and the bottom documents are from the same domain.
The only possible clickjacking there (which NoScript correctly detects, indeed) is having the user click the concealed Youtube movie: of course this is harmless as well, but illustrates the possibility of causing users to interact with UI elements from different domains (youtube.com, in this case) without their consent.
Mozilla/5.0 (Windows NT 5.2; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0