On our website we have embedded an SVG chart using HTML's "object" element (example). The SVG chart is interactive: The user can click on some areas of the SVG chart to change its appearance. However, if a Firefox user has installed NoScript with the "ClearClick"-feature enabled, then these click events seem to be blocked.
Can we somehow work around this problem or can NoScript be fixed (assuming it may be a bug)?
One possible workaround might be to use "Inline SVG" instead of an "object" element that references an external SVG file. Are there other possibilities?
[Resolved] ClearClick vs. SVG with embedded JavaScript
Last edited by Steffen on Mon Sep 24, 2012 10:58 am, edited 1 time in total.
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
Re: ClearClick vs. SVG with embedded JavaScript
Before anyone can help with this, please fix your link by wrapping it in url tags; it has been truncated and will be broken if you edit your post.
Most likely your click events are being handled by an invisible object like an IFRAME from another site? That will set ClearClick off, by design, because you're 'tricking' people into thinking that they're clicking on the SVG when they're actually clicking on the iframe. I'm just speculating, though.
Can you post details of the ClearClick warning? Especially screenshots.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (Linux; U; Android 2.2.1; en-gb; GT-S5570 Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Re: ClearClick vs. SVG with embedded JavaScript
I've edited the URL, thanks.
I've created a minimal test-case. There is no "trickery" going on, the page just contains a single <object> element to embed an external SVG file: Test-Case
The test-case works if I load the .svg file from the same domain as the .html file. But if at all possible I'd like to avoid this because it's a good practice to serve static content from a cookie-less domain.
The test-case also works if I disable NoScript's "ClearClick" feature. But I thought "ClearClick" was a bit more clever. The FAQ says:
"Whenever you click a plugin object or a framed page, it takes a screenshot of it alone and opaque (i.e. an image of it with no transparencies and no overlaying objects), then compares it with a screenshot of the parent page as you can see it."
In this case there are no "overlaying objects" but the clicks are being blocked nevertheless. That's why I think this is a bug in NoScript.
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1
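The comparison described in the FAQ passage quoted in the post above, as an added JavaScript sketch that is not part of the original thread and is not NoScript's code. The 8x8 RGBA frames, the per-channel tolerance and the `clickAllowed` threshold are constructed assumptions.

```javascript
// Added illustration of the comparison the FAQ describes; not NoScript's code.
// Frames are constructed RGBA buffers standing in for the two screenshots.
const W = 8, H = 8;

// Build a W x H frame filled with one RGBA colour.
function solidFrame([r, g, b, a]) {
  const px = new Uint8ClampedArray(W * H * 4);
  for (let i = 0; i < px.length; i += 4) px.set([r, g, b, a], i);
  return px;
}

// Alpha-blend a rectangle of `colour` over a copy of `frame`, the way another
// page element painted on top changes what the user actually sees.
function withOverlay(frame, { x, y, w, h }, [r, g, b, a]) {
  const out = frame.slice();
  const alpha = a / 255;
  for (let row = y; row < y + h; row++) {
    for (let col = x; col < x + w; col++) {
      const i = (row * W + col) * 4;
      [r, g, b].forEach((c, k) => {
        out[i + k] = Math.round(c * alpha + out[i + k] * (1 - alpha));
      });
    }
  }
  return out;
}

// Fraction of pixels differing by more than `tolerance` on any colour channel.
function diffRatio(isolated, asSeen, tolerance = 16) {
  let differing = 0;
  for (let i = 0; i < isolated.length; i += 4) {
    for (let k = 0; k < 3; k++) {
      if (Math.abs(isolated[i + k] - asSeen[i + k]) > tolerance) { differing++; break; }
    }
  }
  return differing / (isolated.length / 4);
}

// Hypothetical policy: deliver the click only if the two views (nearly) match.
function clickAllowed(isolated, asSeen, maxRatio = 0.02) {
  return diffRatio(isolated, asSeen) <= maxRatio;
}

const chart = solidFrame([30, 120, 200, 255]); // the embed alone and opaque
const covered = withOverlay(chart, { x: 0, y: 0, w: 8, h: 4 }, [255, 255, 255, 255]);
const rerendered = withOverlay(chart, { x: 0, y: 0, w: 8, h: 8 }, [255, 255, 255, 8]); // minor rendering difference
```

In this sketch any difference between the two captures fails the check, whatever its cause, so the tolerance is what separates ordinary rendering differences from a covered embed.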
Re: ClearClick vs. SVG with embedded JavaScript
Ok then. Probably this is one for Giorgio to investigate; he likes to fix false positives quickly.
Just speculating - maybe your site is hitting a ClearClick feature designed to handle timing-based clickjacking attacks. The svg changes immediately after ppl click on it, right?
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (Linux; U; Android 2.2.1; en-gb; GT-S5570 Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
- Giorgio Maone
- Site Admin
Re: ClearClick vs. SVG with embedded JavaScript
Should be fixed in latest development build 2.5.7rc1, thanks.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1
Re: ClearClick vs. SVG with embedded JavaScript
Confirmed, thanks!
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1