Chrome to block "tab-under" redirects by default
*Always* check the changelogs BEFORE updating that important software!
-
Re: Chrome to block "tab-under" redirects by default
I'd say that standard advice applies. If you've blocked a site, it can't do anything like this. If you've whitelisted it, it can redirect, but whatever site it redirects to will probably be blocked.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Re: Chrome to block "tab-under" redirects by default
Just how does one determine what is a "malicious" tab-under... popup... vs. one that is wanted?
So just like NoScript "blocks", & uBlock "blocks", & ... "blocks", there may be good or not so good consequences in doing so.
Removing the entries from dom.popup_allowed_events may help thwart such stuff.
But by the same token, there may be instances when such blocked actions are needed - on legitimate sites. So...
Typically what you might see is an attempt for something to open, but the action is squashed.
And even with that, there will always be a work-around to a work-around.
Re: Chrome to block "tab-under" redirects by default
Thrawn wrote: I'd say that standard advice applies. If you've blocked a site, it can't do anything like this. If you've whitelisted it, it can redirect, but whatever site it redirects to will probably be blocked.
True that. But the reason I ask is because NoScript has tabnapping protection (noscript.forbidBGRefresh) which can be set to work even on whitelisted sites. Just wondering if that can or should apply here?
therube wrote: Just how does one determine what is a "malicious" tab-under... popup... vs. one that is wanted?
Under what circumstances would you want a tab-under redirect?
Re: Chrome to block "tab-under" redirects by default
barbaz wrote: NoScript has tabnapping protection (noscript.forbidBGRefresh) which can be set to work even on whitelisted sites. Just wondering if that can or should apply here?
It certainly isn't the same case, since tab-unders happen in the foreground. Theoretically it would be possible for NoScript to introduce countermeasures, but it doesn't strike me as a security issue, only an advertising one.
The interesting thing about this is that it combines two perfectly normal link behaviors: opening a copy of the site in a new tab, and going to a new site. It's only when the two occur at the same time that it's almost certainly not what the user wanted.
======
Thrawn
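The combination described in the post above, sketched as an added example (not part of the original thread, and not Chrome's or NoScript's code): a heuristic that flags a tab which opens a new tab and then leaves its own site without a new user gesture. The event format, the 2-second window and the hostname comparison are assumptions made for illustration.

```javascript
// Added example: heuristic over a constructed tab-event log (not browser code).
// Event shape is hypothetical: {t, tab, type, url, opener, userGesture}.
const WINDOW_MS = 2000; // assumed: how long after opening a tab the opener is suspect

// Crude site comparison by hostname; a real check would compare eTLD+1.
const site = (url) => new URL(url).hostname;

function findTabUnders(events) {
  const current = new Map(); // tab id -> URL currently shown
  const opened = new Map();  // opener tab id -> time it last opened a new tab
  const findings = [];
  for (const e of events) {
    if (e.type === "open") {
      // A new foreground tab was opened from e.opener.
      opened.set(e.opener, e.t);
      current.set(e.tab, e.url);
    } else if (e.type === "navigate") {
      const from = current.get(e.tab);
      const openedAt = opened.get(e.tab);
      const justOpened = openedAt !== undefined && e.t - openedAt <= WINDOW_MS;
      // Both halves at once: this tab just spawned a new tab AND is now
      // leaving its own site without a user gesture of its own.
      if (justOpened && !e.userGesture && from && site(from) !== site(e.url)) {
        findings.push({ tab: e.tab, from, to: e.url });
      }
      current.set(e.tab, e.url);
    }
  }
  return findings;
}

// Constructed sample log.
const sampleLog = [
  { t: 0, tab: 1, type: "navigate", url: "https://news.example/story", userGesture: true },
  // Ordinary link opened in a new tab; tab 1 stays put: not flagged.
  { t: 500, tab: 2, type: "open", opener: 1, url: "https://news.example/photos" },
  // Ordinary clicked navigation to another site: not flagged.
  { t: 9000, tab: 1, type: "navigate", url: "https://shop.example/", userGesture: true },
  // Tab-under: the click opens a copy of the page in tab 3, then tab 1 is redirected.
  { t: 12000, tab: 3, type: "open", opener: 1, url: "https://shop.example/" },
  { t: 12100, tab: 1, type: "navigate", url: "https://ads.example/landing", userGesture: false },
];

console.log(findTabUnders(sampleLog));
```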
Re: Chrome to block "tab-under" redirects by default
Thrawn wrote: It certainly isn't the same case, since tab-unders happen in the foreground.
Thanks for the explanation!
Thrawn wrote: Theoretically it would be possible for NoScript to introduce countermeasures, but it doesn't strike me as a security issue,
So, for example, a tab-under redirect to a fake Gmail login page wouldn't be a security issue?
Isn't this just as dangerous as tabnapping, for the same reasons?
http://www.azarask.in/blog/post/a-new-type-of-phishing-attack wrote: As the user scans their many open tabs, the favicon and title act as a strong visual cue—memory is malleable and moldable and the user will most likely simply think they left a Gmail tab open. When they click back to the fake Gmail tab, they’ll see the standard Gmail login page, assume they’ve been logged out, and provide their credentials to log in. The attack preys on the perceived immutability of tabs.
I'm glad Chrome (and hopefully Chromium) will do something about this, and I hope NoScript does too.
Should I start a new thread in the NoScript forums for this? Or re-title and move this one?
Re: Chrome to block "tab-under" redirects by default
I would think NoScript could / should block popunders similar to BGRefresh.
Matter of fact... noscript.surrogate.popunder.*.
Now NoScript might need some tweaking...
See if we can get NoScript to block, https://github.com/sanosay/exads-adblock.
Re: Chrome to block "tab-under" redirects by default
therube wrote: See if we can get NoScript to block, https://github.com/sanosay/exads-adblock.
Sorry but I don't see how that's relevant?
Re: Chrome to block "tab-under" redirects by default
Well they've got popunder code there - that is in use by websites, that does cause "popunders" (tab-unders).
We have surrogates.
Maybe we can come up with a surrogate that thwarts those popunders?
NSFW (results returned):
https://www.google.com/search?q=ExoLoader.addZone%28{%22type%22%3A+%22popunder%22%2C+%22idzone%22%3A+%22222%22}%29%3B&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:unofficial
Re: Chrome to block "tab-under" redirects by default
Not sure how a surrogate would reliably thwart a site that does the tab-under redirect immediately before opening the new tab.
Re: Chrome to block "tab-under" redirects by default
barbaz wrote: So, for example, a tab-under redirect to a fake Gmail login page wouldn't be a security issue?
Would it be any different to any other link taking you to a phishing site? NoScript doesn't try to be a general anti-phishing defence.
If I'm browsing random.com, I click on a link, and I seem to be at a Gmail login page, then there's no particular reason that that couldn't have been a perfectly ordinary hyperlink. If it's actually a phishing site, then putting it in a pop-under probably makes it less dangerous, since it waves a flag saying "This site is doing user-unfriendly things! Close their tabs!"
======
Thrawn
Re: Chrome to block "tab-under" redirects by default
Thrawn wrote: Would it be any different to any other link taking you to a phishing site?
Yep, because "any other link" would have to appear somehow related to Gmail (or whatever they're phishing) to avoid setting off alarm bells. With a tab-under, the link not only can point to something innocuous and totally unrelated to Gmail, you would actually end up with said innocuous page in front of you. So the only visual indicator that anything malicious is happening would be the tab bar...and only if you're lucky enough to spot the redirection as it's happening. Same as with tabnapping.
Thrawn wrote: If it's actually a phishing site, then putting it in a pop-under probably makes it less dangerous, since it waves a flag saying "This site is doing user-unfriendly things! Close their tabs!"
Only if the user is watching their tab bar like a movie.