[RESOLVED] NoScript blocking social buttons

Piotr

Post by Piotr »

Hello,

I have a problem with social buttons. I added Facebook, G+ and Twitter buttons to let my visitors like/share the content. But when I click them, a NoScript window pops up warning about a possible threat of clickjacking and a partially hidden element. When I uncheck the blocking option it will work the next time I click the button, but it's happening with every social button - twitter, facebook, and g+ - on every page on my site.

I checked other websites - no problems there, so there's something wrong on my site, but I added those buttons 'by the book'. Where should I look for the problem?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
barbaz
Senior Member
Posts: 11143
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript blocking social buttons

Post by barbaz »

We can't help you there without having a link to the site...
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; NetBSD i386; rv:28.0) Gecko/20100101 Firefox/28.0 SeaMonkey/2.25
Piotr

Re: NoScript blocking social buttons

Post by Piotr »

Oh my, I'm sorry, I forgot. Here it is:
http://trek.pl/news/simon-pegg-scenarzysta-star-trek-3
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
barbaz
Senior Member
Posts: 11143
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript blocking social buttons

Post by barbaz »

Cannot reproduce in a clean profile in Fx 35.0.1 (PCLinuxOS build) with only NoScript latest development build installed. Clicking on your Twitter button didn't produce any Clickjacking warning even in the Browser Console...
(unable to test in my regular profile because the social media buttons would be just too hard to get to load, as I've REALLY blocked social network several times over...)

Maybe I should have asked, what sites are (Temp-)Allowed when you see the clickjacking warning? Does Forbidding any of them stop it?
If that gets it, then you can isolate the culprit and thus you know what you need to change/remove on your site. If not...

Can you reproduce on that page in a clean profile with only NoScript latest development build installed, leaving all defaults, and Temp-Allowing *only* trek.pl and twitter.com (leaving all other domains in the list alone)?
What if you set all the same permissions as in your normal profile (if it's different from that)?
If that still isn't enough, does importing your entire NS configuration into the clean profile make it reproducible? (in your main profile, NoScript Options > Export [*on the very bottom*], then in the clean profile, NoScript Options > Import [again, on the very bottom of the window])
Mozilla/5.0 (X11; NetBSD i386; rv:28.0) Gecko/20100101 Firefox/28.0 SeaMonkey/2.25
Piotr

Re: NoScript blocking social buttons

Post by Piotr »

Thanks for all the advice. It appears there's something wrong with my profile, not the website.

I created a new profile and after allowing required scripts the buttons work as they should. Importing my old NS settings also causes no problems. So I tried going back to the old profile and resetting NS settings - it didn't help. To be sure I disabled every add-on except NS and I'm still getting the popup.

What can be wrong?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
barbaz
Senior Member
Posts: 11143
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript blocking social buttons

Post by barbaz »

OK, the following procedure is somewhat dangerous but in my experience it should isolate the issue fairly quickly. You may prefer to try Standard Diagnostic keeping NoScript enabled.

Completely shut down Fx, then copy your entire prefs.js and (if it exists) user.js to the clean profile with only NoScript installed. Do you get clickjacking warning then?

If that didn't get it, let's bisect your profile in the hopes that only one file or folder is responsible for causing this. ** Do NOT manually change the contents of a profile folder like this when Fx is running! ** If you have ANY hesitation at all about this procedure, I strongly recommend you completely shut down Fx and back up your entire normal profile folder to an external disk, then remove that disk from the system, before proceeding.

Does copying the entire contents of your profile folder into an empty profile folder (create a new profile, then delete any contents of that profile folder before copying) make it reproducible? Assuming so...
Copy the first half of files and folders over to the new profile and restart Fx. Install any extensions you have enabled on your main profile, if prompted to do so. Make sure to install NoScript if NS and its "installed" state weren't copied over.
If you can't reproduce the issue, try the second half of files. Recurse into the halves where you get the clickjacking warning until you isolate the file(s) responsible.
(Note: If you have .sqlite-* files those need to be copied along with the .sqlite file of the same name, otherwise you should be able to just recklessly do this.)
Once you've found the culprit file(s), please let us know what they were (do *not* just delete them and start Fx again unless you are absolutely sure you don't need the data they had).

If you can't reproduce in a clean profile even copying everything from your normal profile folder, and if everything works for you in the copied profile, I'd suggest you just go with that and declare this resolved, because I don't know how to track down cyber-ghosts ;)
Mozilla/5.0 (X11; NetBSD i386; rv:28.0) Gecko/20100101 Firefox/28.0 SeaMonkey/2.25
Piotr

Re: NoScript blocking social buttons

Post by Piotr »

This is going to be a surprise... or not, actually. It's a cookie! And of course it's a cookie, it's only on my site. Well, not exactly a cookie - the popup is triggered only when I'm logged in. When I log out, the buttons are clickable again. So NoScript is detecting something different on my site, when I'm logged in.

Here's my theory, tell me if I'm wrong. I'm using WordPress and it's adding an admin bar to the top of my page when I'm logged in. It's using some javascript(s) and they may be causing something that NS is recognizing as a threat. If that's the case it may be a part of a bigger problem for WordPress users.

One more thing, still on topic. The first time I got the popup I misclicked and hit the 'Report'. I wouldn't want my site to be blocked in NS by default or something like that, so... what should I do? I have the report ID.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
barbaz
Senior Member
Posts: 11143
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript blocking social buttons

Post by barbaz »

Piotr wrote:
> This is going to be a surprise... or not, actually. It's a cookie! And of course it's a cookie, it's only on my site. Well, not exactly a cookie - the popup is triggered only when I'm logged in. When I log out, the buttons are clickable again. So NoScript is detecting something different on my site, when I'm logged in.
>
> Here's my theory, tell me if I'm wrong. I'm using WordPress and it's adding an admin bar to the top of my page when I'm logged in. It's using some javascript(s) and they may be causing something that NS is recognizing as a threat. If that's the case it may be a part of a bigger problem for WordPress users.

Glad you figured it out. Unfortunately I can't investigate further myself since I don't have an admin account on your site.
What I would do in your place is use Firefox's Inspector (Tools > Web Developer > Inspect) to compare the DOM you see when mousing over the social media buttons logged in vs not. ClearClick is firing because there's something transparent overlaying the social media buttons; this will tell you what.

Piotr wrote:
> One more thing, still on topic. The first time I got the popup I misclicked and hit the 'Report'. I wouldn't want my site to be blocked in NS by default or something like that, so... what should I do? I have the report ID.

Please post the report ID here so Giorgio can take a look at it and has the full context for it. (He's the only one with access to those reports AFAIK.)
SeaMonkey/9.80 (Macintosh; Intel Mac OS X 10.7) Gecko/35.0 Version/2.32
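
An added example, not part of any post in this thread and not NoScript's ClearClick code: one way to run the logged-in versus logged-out comparison suggested above from the Web Console, by listing whatever is stacked on top of each social widget. The iframe selector and the function names are assumptions, and `document.elementsFromPoint` requires a current browser.

```javascript
// Run once logged in and once logged out, with the buttons scrolled into view,
// then compare the two outputs. Selector is an assumption about the embeds.
const WIDGET_SELECTOR =
  'iframe[src*="twitter.com"], iframe[src*="facebook.com"], iframe[src*="google.com"]';

// True if `node` is `target` itself or one of its ancestors.
function isAncestorOrSelf(node, target) {
  for (let n = target; n; n = n.parentNode) if (n === node) return true;
  return false;
}

// For each widget, collect the elements painted above it at its centre point.
function findOverlays(doc, win, selector = WIDGET_SELECTOR) {
  const findings = [];
  for (const widget of doc.querySelectorAll(selector)) {
    const r = widget.getBoundingClientRect();
    if (r.width === 0 || r.height === 0) continue;      // not rendered
    const stack = doc.elementsFromPoint(r.left + r.width / 2, r.top + r.height / 2);
    if (!stack.includes(widget)) continue;              // outside the viewport
    const covering = [];
    for (const el of stack) {                           // topmost element first
      if (el === widget) break;                         // everything after is below
      if (isAncestorOrSelf(el, widget)) continue;       // container, not an overlay
      const cs = win.getComputedStyle(el);
      covering.push({
        element: el,
        id: el.id || null,
        opacity: cs.opacity,                            // "0" means fully transparent
        position: cs.position,
        zIndex: cs.zIndex,
        pointerEvents: cs.pointerEvents,
      });
    }
    if (covering.length) findings.push({ widget, covering });
  }
  return findings;
}

// In a browser console, print the result; outside a browser this does nothing.
if (typeof document !== 'undefined') {
  console.table(findOverlays(document, window).flatMap(f => f.covering));
}
```

An element that appears in the logged-in output but not in the logged-out one is the candidate to inspect.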
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: NoScript blocking social buttons

Post by Thrawn »

Piotr wrote:
> I wouldn't want my site to be blocked in NS by default or something like that, so... what should I do? I have the report Id.

:D I'm pretty sure that that's not what the reports are for. They're for helping Giorgio to debug and improve the filter.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0
Piotr

Re: NoScript blocking social buttons

Post by Piotr »

Well, in any case the report ID is 49872.

And about my problem - still no idea. Can't find the difference in DOM when I'm logged in. But that's OK, I know what to look for, so one way or another I'll find it. Thanks for the help, I consider it solved.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0