Page 1 of 1
How to unhide antiClickjack protected website
Posted: Sat Feb 14, 2015 8:16 pm
by Guest
Is there a way to unhide the contents of helpx.adobe.com without permitting Java-script?
I found the following css in the head of
https://helpx.adobe.com/acrobat.html
<style id="antiClickjack">body{display:none !important;}</style>
How do I disable this line? But I don't want to allow Java-script for that site.
Re: How to unhide antiClickjack protected website
Posted: Sat Feb 14, 2015 10:17 pm
by barbaz
try add these two prefs to about:config
** edited per Thrawn's comment below **
Code: Select all
noscript.surrogate.helpxadobe.replacement : window.addEventListener('load', function(){if (window !== window.top) { return; } document.body.style.setProperty('display', 'block', 'important');}, false);
noscript.surrogate.helpxadobe.sources : !helpx.adobe.com
Re: How to unhide antiClickjack protected website
Posted: Sun Feb 15, 2015 10:34 pm
by Thrawn
That's kind of funny; they're actually using the clickjack protection
suggested by OWASP. Effective, but dependent on JavaScript. I wonder why they aren't also sending X-Frame-Options?
Overriding it with a surrogate defeats the purpose of the protection, of course, but I expect NoScript would handle an actual attack just fine.
Re: How to unhide antiClickjack protected website
Posted: Sun Feb 15, 2015 10:38 pm
by barbaz
Thrawn wrote: That's kind of funny; they're actually using the clickjack protection
suggested by OWASP. Effective, but dependent on JavaScript. I wonder why they aren't also sending X-Frame-Options?
Overriding it with a surrogate defeats the purpose of the protection, of course, but I expect NoScript would handle an actual attack just fine.
Interesting. I'll tweak that surrogate a bit to still honor the intent.
Re: How to unhide antiClickjack protected website
Posted: Wed Feb 18, 2015 3:37 am
by Thrawn
NoScript actually
does that already for your garden-variety framebuster, but I guess not for the full OWASP version.
Re: How to unhide antiClickjack protected website
Posted: Wed Feb 18, 2015 6:31 am
by barbaz
Oh.. didn't realize that "framebuster" doesn't necessarily mean
Code: Select all
window.top.location.href = window.location.href
So then this is a NoScript bug, NS should be detecting the framebuster script and if either the document element or the body are hidden by display:none, unhide them.
Is it worth moving this to Development and re-titling it?
Re: How to unhide antiClickjack protected website
Posted: Wed Feb 18, 2015 11:25 am
by Giorgio Maone
barbaz wrote:Oh.. didn't realize that "framebuster" doesn't necessarily mean
Code: Select all
window.top.location.href = window.location.href
So then this is a NoScript bug, NS should be detecting the framebuster script and if either the document element or the body are hidden by display:none, unhide them.
Not quite.
NoScript actually implements framebusting
emulation, i.e. it makes the (
rather ineffective) JavaScript-based active (i.e. depending on JavaScript to be protective) framebusting techniques work even if JavaScript is disabled.
OWASP version is protective by default (i.e. it still protects with scripts disabled) but if scripts are disabled makes the website unusable.
So this is not a NoScript bug, but from an usability perspective having a surrogate like Thrawn's which makes the site work fine even without allowing JavaScript is really nice to have, especially if this is copy&paste code "standardized" by OWASP.
Putting it in my TODO list for next release, thanks.
Re: How to unhide antiClickjack protected website
Posted: Wed Feb 18, 2015 1:12 pm
by Giorgio Maone
Re: How to unhide antiClickjack protected website
Posted: Wed Feb 18, 2015 7:30 pm
by barbaz
Thanks.
(Actually the surrogate in this thread was by me)
Giorgio Maone wrote:especially if this is copy&paste code "standardized" by OWASP.
Is it worth changing it to not depend on specific copy-and-paste code? Like maybe this:
Code: Select all
if(window.top===window){let c=window.getComputedStyle(document.body).display;if (c == 'none'){document.body.style.setProperty('display', 'inherit', 'important');}let h=window.getComputedStyle(document.documentElement).display;if (h == 'none'){document.documentElement.style.setProperty('display', 'block', 'important');}}
That takes care of the
framekiller on Wikipedia as well.
Re: How to unhide antiClickjack protected website
Posted: Wed Feb 18, 2015 10:19 pm
by Giorgio Maone
barbaz wrote:
(Actually the surrogate in this thread was by me)
Fixed in the credits.
barbaz wrote:
Is it worth changing it to not depend on specific copy-and-paste code? Likely:
probably.
Re: How to unhide antiClickjack protected website
Posted: Wed Apr 08, 2015 4:20 am
by barbaz
Giorgio Maone wrote:barbaz wrote:
Is it worth changing it to not depend on specific copy-and-paste code?
probably.
bump
Re: How to unhide antiClickjack protected website
Posted: Wed Apr 22, 2015 3:40 am
by barbaz
Thanks Giorgio for fixing that in NoScript 2.6.9.22rc1