Double-Clickjacking

Posted: Sat Jul 09, 2011 1:09 am
by therube
Double-Clickjacking

Could you explain what 2.1.2rc5 does differently compared to earlier versions in relation to OAuth User Data Theft via Double-clickjacking?

For me, the Google window comes up in front, not behind.

That aside, once I move it out of the way, & double-click the button, I don't know that I'm seeing anything different from what happened with 2.1.2rc4? As in, I may or may not have inadvertently clicked the 'Allow Access' button in the Google window?

(Actually I may have, but if I did, I'm seeing no action from the window?)

Re: Double-Clickjacking

Posted: Sat Jul 09, 2011 8:16 am
by Giorgio Maone
therube wrote:
(Actually I may have, but if I did, I'm seeing no action from the window?)

That's the point of the new feature: each window is "quarantined" WRT mouse and keyboard interaction for one second after the last interaction with a window from a different address (actually, in the next build, this will be relaxed to "a window from a different host", so that quick navigation via back & forward links on cached pages, e.g. multi-page search results, doesn't get impaired).
This way, double-clicking on a page can never result in actually clicking once on that page and next on a different one.
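
The quarantine rule described in the reply above, modelled as an added example (this is illustrative code, not NoScript's own implementation): a window refuses mouse and keyboard input for one second after the last delivered interaction with a window on a different host. Host names, timestamps and the event shape are constructed for the example.

```javascript
// Added example, not NoScript's code: a model of the per-window input quarantine.
// A window drops mouse/keyboard input arriving less than QUARANTINE_MS after the last
// delivered interaction with a window on a different host, so the second click of a
// double-click can never land on a page other than the one that took the first click.
const QUARANTINE_MS = 1000;

class InteractionGate {
  constructor(quarantineMs = QUARANTINE_MS) {
    this.quarantineMs = quarantineMs;
    this.lastHost = null;       // host of the window that took the last delivered input
    this.lastTime = -Infinity;  // timestamp (ms) of that input
  }

  // event: { time: ms, url: location of the window receiving the input }
  // Returns "delivered" or "quarantined". Quarantined input does not update the state,
  // so a swallowed click cannot itself end the quarantine for the window it hit.
  handle(event) {
    const host = new URL(event.url).hostname;
    const crossHost = this.lastHost !== null && host !== this.lastHost;
    if (crossHost && event.time - this.lastTime < this.quarantineMs) {
      return "quarantined";
    }
    this.lastHost = host;
    this.lastTime = event.time;
    return "delivered";
  }
}

// Replay a sequence of interactions through one gate and return the decision for each.
function replay(events, quarantineMs = QUARANTINE_MS) {
  const gate = new InteractionGate(quarantineMs);
  return events.map((e) => gate.handle(e));
}

// Constructed sample: a double-click whose first click lands on one site and whose second
// click, 120 ms later, lands on an OAuth consent window raised in between; then a
// deliberate click after the quarantine, and a quick same-host navigation (the relaxation
// to "different host" keeps back/forward browsing on one site unaffected).
const SAMPLE = [
  { time: 0,    url: "https://site-a.example/page" },       // first click
  { time: 120,  url: "https://accounts.example/oauth" },    // second click, other host
  { time: 1500, url: "https://accounts.example/oauth" },    // >1 s later, delivered
  { time: 1600, url: "https://accounts.example/other" },    // same host, delivered
];
```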

Re: Double-Clickjacking

Posted: Sun Jul 10, 2011 3:14 pm
by therube
For me, the Google window comes up in front, not behind.
Any particular reason for that?

The PoC does not seem to work in SeaMonkey regardless of NoScript?
(It certainly does in FF5.)

Perhaps there is an offset change needed?