How to unhide antiClickjack protected website

Post by Guest »

Is there a way to unhide the contents of helpx.adobe.com without permitting JavaScript?

I found the following CSS in the head of https://helpx.adobe.com/acrobat.html
<style id="antiClickjack">body{display:none !important;}</style>

How do I disable this line? But I don't want to allow JavaScript for that site.
Mozilla/5.0 (Windows NT 5.1; rv:35.0) Gecko/20100101 Firefox/35.0
barbaz
Senior Member
Posts: 11143
Joined: Sat Aug 03, 2013 5:45 pm

Post by barbaz »

Try adding these two prefs to about:config ** edited per Thrawn's comment below **

noscript.surrogate.helpxadobe.replacement : window.addEventListener('load', function(){if (window !== window.top) { return; } document.body.style.setProperty('display', 'block', 'important');}, false);
noscript.surrogate.helpxadobe.sources : !helpx.adobe.com
*Always* check the changelogs BEFORE updating that important software!
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Post by Thrawn »

:D That's kind of funny; they're actually using the clickjack protection suggested by OWASP. Effective, but dependent on JavaScript. I wonder why they aren't also sending X-Frame-Options?

Overriding it with a surrogate defeats the purpose of the protection, of course, but I expect NoScript would handle an actual attack just fine.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0

Post by barbaz »

Thrawn wrote: :D That's kind of funny; they're actually using the clickjack protection suggested by OWASP. Effective, but dependent on JavaScript. I wonder why they aren't also sending X-Frame-Options?

Overriding it with a surrogate defeats the purpose of the protection, of course, but I expect NoScript would handle an actual attack just fine.
Interesting. I'll tweak that surrogate a bit to still honor the intent.

Post by Thrawn »

NoScript actually does that already for your garden-variety framebuster, but I guess not for the full OWASP version.

Post by barbaz »

Oh.. didn't realize that "framebuster" doesn't necessarily mean

window.top.location.href = window.location.href
:oops:

So then this is a NoScript bug, NS should be detecting the framebuster script and if either the document element or the body are hidden by display:none, unhide them.

Is it worth moving this to Development and re-titling it?
Giorgio Maone
Site Admin
Posts: 9546
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Post by Giorgio Maone »

barbaz wrote:Oh.. didn't realize that "framebuster" doesn't necessarily mean

window.top.location.href = window.location.href
:oops:

So then this is a NoScript bug, NS should be detecting the framebuster script and if either the document element or the body are hidden by display:none, unhide them.
Not quite.
NoScript actually implements framebusting emulation, i.e. it makes the (rather ineffective) JavaScript-based active (i.e. depending on JavaScript to be protective) framebusting techniques work even if JavaScript is disabled.
The OWASP version is protective by default (i.e. it still protects with scripts disabled), but if scripts are disabled it makes the website unusable.
So this is not a NoScript bug, but from a usability perspective having a surrogate like Thrawn's, which makes the site work fine even without allowing JavaScript, is really nice to have, especially if this is copy&paste code "standardized" by OWASP.
Putting it in my TODO list for next release, thanks.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
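
The distinction discussed in the posts above (the antiClickjack style keeps the page hidden until its own script runs, while X-Frame-Options is enforced by the browser) can be checked from a response's headers and markup. This is an added example, not code from NoScript or from any poster in this thread; the function names and the sample responses are constructed for illustration.

```javascript
// Added example; function names and sample data are constructed, not from NoScript.

// True if a Content-Security-Policy value has a frame-ancestors directive.
function hasFrameAncestors(csp) {
  return (csp || '')
    .split(';')
    .some((d) => d.trim().toLowerCase().startsWith('frame-ancestors'));
}

// True if the markup hides <body> through a <style id="antiClickjack"> rule,
// the pattern quoted in the first post of this thread.
function hasAntiClickjackStyle(html) {
  const re = /<style[^>]*\bid\s*=\s*["']?antiClickjack["']?[^>]*>([\s\S]*?)<\/style>/i;
  const m = re.exec(html);
  return m !== null && /body\s*\{[^}]*display\s*:\s*none/i.test(m[1]);
}

function classifyFramingDefense(headers, html) {
  // Header names are case-insensitive, so normalise before lookup.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  // Only DENY and SAMEORIGIN are counted; ALLOW-FROM is obsolete.
  const headerBased = xfo === 'DENY' || xfo === 'SAMEORIGIN' ||
    hasFrameAncestors(h['content-security-policy']);
  const scriptBased = hasAntiClickjackStyle(html);
  let verdict = 'none detected';
  if (headerBased && scriptBased) verdict = 'headers + script fallback';
  else if (headerBased) verdict = 'headers only';
  else if (scriptBased) verdict = 'script only: blank page when scripts are blocked';
  return { headerBased, scriptBased, verdict };
}

// Constructed sample responses.
const SCRIPT_ONLY = {
  headers: { 'Content-Type': 'text/html' },
  html: '<head><style id="antiClickjack">body{display:none !important;}</style></head><body>Help</body>',
};
const HEADER_BASED = {
  headers: { 'x-frame-options': 'SAMEORIGIN',
             'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'" },
  html: '<body>Help</body>',
};

for (const s of [SCRIPT_ONLY, HEADER_BASED]) {
  console.log(classifyFramingDefense(s.headers, s.html).verdict);
}
```
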

Post by Giorgio Maone »

Please check latest development build, thanks.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0

Post by barbaz »

Giorgio Maone wrote:Please check latest development build, thanks.
Thanks.
(Actually the surrogate in this thread was by me)
Giorgio Maone wrote:especially if this is copy&paste code "standardized" by OWASP.
Is it worth changing it to not depend on specific copy-and-paste code? Like maybe this:

if (window.top === window) {
  let c = window.getComputedStyle(document.body).display;
  if (c == 'none') {
    document.body.style.setProperty('display', 'inherit', 'important');
  }
  let h = window.getComputedStyle(document.documentElement).display;
  if (h == 'none') {
    document.documentElement.style.setProperty('display', 'block', 'important');
  }
}
That takes care of the framekiller on Wikipedia as well.

Post by Giorgio Maone »

barbaz wrote: (Actually the surrogate in this thread was by me)
Fixed in the credits.
barbaz wrote: Is it worth changing it to not depend on specific copy-and-paste code? Likely:
probably.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0

Post by barbaz »

Giorgio Maone wrote:
barbaz wrote: Is it worth changing it to not depend on specific copy-and-paste code?
probably.
bump

Post by barbaz »

Thanks Giorgio for fixing that in NoScript 2.6.9.22rc1 :D