
[RESOLVED] SelfClickJacking???

Posted: Fri Dec 10, 2010 11:01 pm
by MadameIlsa
Hi there,

I want to view a site at say --- http://www.toplevel.com

This site has some scripts on it that I think are OK to run, and others that are not. If I enable a script to run on this page, then toplevel.com is added to the whitelist.

Now, I want to click on a link on this page. The link will redirect me to --- http://www.toplevel.com/subdirectory --- which is wonderful and where I want to be.

However, not only am I redirected to where I want to be, the click also opens a new window. The URL at the top of the page goes something like: -- http://www.toplevel.com/ads/adserver.js ... &isPopup=1

Is there a way to configure NoScript to allow the redirect but not allow the new window to open?

Thank you!

Re: SelfClickJacking???

Posted: Fri Dec 10, 2010 11:16 pm
by Giorgio Maone
Could you please PM me the real page where this happens?

Re: SelfClickJacking???

Posted: Sat Dec 11, 2010 12:15 am
by Giorgio Maone
OK, please open about:config and replace the value of the noscript.surrogate.popunder.replacement preference with


(function(){var cookie=document.__proto__.__lookupGetter__('cookie');document.__proto__.__defineGetter__('cookie',function() {var c='; popunder=yes; popundr=yes; setover18=1';return (cookie.apply(this).replace(c,'')+c).replace(/^; /, '')});var fid='_FID_'+(Date.now().toString(16));var open=window.__proto__.open;window.__proto__.open=function(url,target,features){try{if(!(/^_(?:top|parent|self)$/i.test(target)||target in frames)){var suspSrc,suspCall,fr,ff=[];for(var f,ev,aa=arguments;aa.callee&&(f=aa.callee.caller)&&ff.indexOf(f)<0;ff.push(f)){aa=f.arguments;if(!aa)break;ev=aa[0];suspCall=f.name=="doPopUnder";if(!suspSrc)suspSrc=suspCall||/(?:\bpopunde?r|\bfocus\b.*\bblur|\bblur\b.*\bfocus|[pP]uShown)\b/.test(f.toSource());if(suspCall||ev&&typeof ev=='object'&&('type' in ev)&&ev.type=='click'&&ev.button===0&&(ev.currentTarget===document||('tagName' in ev.currentTarget)&&'body'==ev.currentTarget.tagName.toLowerCase())&&!(('href' in ev.target)&&ev.target.href&&(ev.target.href.indexOf(url)===0||url.indexOf(ev.target.href)===0))){if(suspSrc){fr=document.getElementById(fid)||document.body.appendChild(document.createElement('iframe'));fr.id=fid;fr.src='data:text/html,';fr.style.display='none';var w=fr.contentWindow;w.blur=function(){};return w;}}}}}catch(e){}return open.apply(null, arguments)}})()
If it works, this will be made the default in the next NoScript version.

Re: SelfClickJacking???

Posted: Sat Dec 11, 2010 12:21 am
by MadameIlsa
that does seem to do the trick --nice to have a response so quick!
that is cool that it is a generic situation and users will not have to set this (even thru GUI) for each site.
Cheers!

Re: SelfClickJacking???

Posted: Sat Dec 11, 2010 12:31 am
by Giorgio Maone
Just, please change it again to


(function(){var cookie=document.__proto__.__lookupGetter__('cookie');document.__proto__.__defineGetter__('cookie',function() {var c='; popunder=yes; popundr=yes; setover18=1';return (cookie.apply(this).replace(c,'')+c).replace(/^; /, '')});var fid='_FID_'+(Date.now().toString(16));var open=window.__proto__.open;window.__proto__.open=function(url,target,features){try{if(!(/^_(?:top|parent|self)$/i.test(target)||target in frames)){var suspSrc,suspCall,fr,ff=[];for(var f,ev,aa=arguments;aa.callee&&(f=aa.callee.caller)&&ff.indexOf(f)<0;ff.push(f)){aa=f.arguments;if(!aa)break;ev=aa[0];suspCall=f.name=='doPopUnder';if(!suspSrc)suspSrc=suspCall||/(?:\bpopunde?r|\bfocus\b.*\bblur|\bblur\b.*\bfocus|[pP]uShown)\b/.test(f.toSource());if(suspCall||ev&&typeof ev=='object'&&('type' in ev)&&ev.type=='click'&&ev.button===0&&(ev.currentTarget===document||('tagName' in ev.currentTarget)&&'body'==ev.currentTarget.tagName.toLowerCase())&&!(('href' in ev.target)&&ev.target.href&&(ev.target.href.indexOf(url)===0||url.indexOf(ev.target.href)===0))){if(suspSrc){fr=document.getElementById(fid)||document.body.appendChild(document.createElement('iframe'));fr.id=fid;fr.src='data:text/html,';fr.style.display='none';var w=fr.contentWindow;w.blur=function(){};return w;}}}}}catch(e){}return open.apply(null, arguments)}})()
There is no semantic difference, but this version won't prevent future updates to this script, because it is verbatim the new default I'm putting into NoScript.