Tabnagging fail?
Posted: Tue Jul 06, 2010 10:52 pm
by mrmeval
I went looking for information about tabnabbing and found a site that implements the attack. It's an example site, not a malware site.
I personally would like to see it disabled by default but you've done well in delaying it till the tab is clicked. Is it possible to maybe shade the tab red when they pull that crap?
I've set it to 3 to disable it. OK, this failed to work in that it flips trusted or untrusted when unfocused.
Thanks
Re: Tabnagging fail?
Posted: Tue Jul 06, 2010 11:08 pm
by Giorgio Maone
mrmeval wrote: I've set it to 3 to disable it. OK, this failed to work in that it flips trusted or untrusted when unfocused.
If the site uses JavaScript to morph itself when unfocused, the only defense you've got is keeping JavaScript disabled on it.
The "forbidBGRefresh" feature is meant to block the scriptless attack: that's why its default is "1" rather than "3", because blocking background refreshes on trusted sites is pointless since JavaScript has almost infinite ways to pull this attack without refreshing.
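The distinction drawn in the reply above, as an added example that is not part of the thread and not NoScript's code: it finds the `<meta http-equiv="refresh">` a scriptless page relies on and decides whether a background-refresh policy would hold it back. The function names, the sample page and the reading of the preference as a bitmask (1 = untrusted sites, 2 = trusted sites) are assumptions made for illustration.

```javascript
// Added illustration, not NoScript's code. SAMPLE is a constructed page.
// Assumption: the preference is a bitmask, 1 = untrusted sites, 2 = trusted sites.
const SAMPLE = `<html><head><title>News</title>
<meta http-equiv="refresh" content="30; url=https://login.example.test/">
</head><body>...</body></html>`;

// Parse a refresh value such as "30; url=https://example.test/" or "0".
function parseRefresh(content) {
  const m = /^\s*(\d+)\s*(?:[;,]\s*(?:url\s*=\s*)?(['"]?)(.*?)\2\s*)?$/i.exec(content);
  return m ? { delay: Number(m[1]), url: m[3] || null } : null;
}

// Collect every <meta http-equiv="refresh"> in the markup (the scriptless vector).
function findMetaRefresh(html) {
  const found = [];
  for (const tag of html.match(/<meta\b[^>]*>/gi) || []) {
    const attrs = {};
    for (const a of tag.matchAll(/([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g)) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4];
    }
    if ((attrs["http-equiv"] || "").toLowerCase() !== "refresh") continue;
    const parsed = parseRefresh(attrs.content || "");
    if (parsed) found.push(parsed);
  }
  return found;
}

// Would the (assumed) policy hold this refresh back? Focused tabs are never blocked.
function blocksRefresh(pref, tab) {
  if (tab.focused) return false;
  return (pref & (tab.trusted ? 2 : 1)) !== 0;
}

const bgUntrusted = { focused: false, trusted: false };
console.log(findMetaRefresh(SAMPLE), blocksRefresh(1, bgUntrusted));
```

A page that changes itself from script carries no refresh tag, so `findMetaRefresh` returns an empty list for it and no setting of the preference applies.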
Re: Tabnagging fail?
Posted: Tue Jul 06, 2010 11:23 pm
by mrmeval
Drat! Thanks.
Giorgio Maone wrote: mrmeval wrote: I've set it to 3 to disable it. OK, this failed to work in that it flips trusted or untrusted when unfocused.
If the site uses JavaScript to morph itself when unfocused, the only defense you've got is keeping JavaScript disabled on it.
The "forbidBGRefresh" feature is meant to block the scriptless attack: that's why its default is "1" rather than "3", because blocking background refreshes on trusted sites is pointless since JavaScript has almost infinite ways to pull this attack without refreshing.