InformAction Forums

On our website we have embedded an SVG chart using HTML's "object" element (example). The SVG chart is interactive: The user can click on some areas of the SVG chart to change its appearance. However, if a Firefox user has installed NoScript with the "ClearClick"-feature enabled, then these click events seem to be blocked.

Can we somehow work-around this problem or can NoScript be fixed (assuming it may be a bug)?

One possible workaround might be to use "Inline SVG" instead of an "object" element that references an external SVG file. Are there other possibilities?

Before anyone can help with this, please fix your link by wrapping it in url tags; it has been truncated and will be broken if you edit your post.

Most likely your click events are being handled by an invisible object like an IFRAME from another site? That will set ClearClick off, by design, because you're ' tricking' people into thinking that they're clicking on the SVG when they're actually clicking on the iframe. I'm just speculating, though.

Can you post details of the ClearClick warning? Especially screenshots.

I've edited the URL, thanks.

I've created a minimal test-case. There is no "trickery" going on, the page just contains a single <object> element to embed an external SVG file: Test-Case

The test-case works if I load the .svg file from the same domain as the .html file. But if at all possible I'd like to avoid this because it's a good practice to serve static content from a cookie-less domain.

The test-case also works if I disable NoScript's "ClearClick" feature. But I thought "ClearClick" was a bit more clever. The FAQ says:

Whenever you click a plugin object or a framed page, it takes a screenshot of it alone and opaque (i.e. an image of it with no transparencies and no overlaying objects), then compares it with a screenshot of the parent page as you can see it.

In this case there are no "overlaying objects" but the clicks are being blocked nevertheless. That's why I think this is a bug in NoScript.

Ok then. Probably this is one for Giorgio to investigate ; he likes to fix false positives quickly.

Just speculating - maybe your site is hitting a ClearClick feature designed to handle timing-based clickjacking attacks. The svg changes immediately after ppl click on it, right?

Should be fixed in latest development build 2.5.7rc1, thanks.

Confirmed, thanks!