During the past few days I’ve been repeatedly asked the same question:

Is there anything that users of IE, Chrome and other browsers (who cannot use NoScript) can do to protect themselves from clickjacking?

If you read my previous post about it, you already know that currently the only way to protect yourself is disabling JavaScript, plugins/ActiveX and IFRAMEs.
NoScript is the most elegant and usable solution to do it for browsers based on Mozilla technology (like Firefox), because it gives you a quick one-click way to enable the missing technologies on sites you trust and remembers your choices in a whitelist, becoming almost unnoticeable after some “training” about your surfing habits.

Unfortunately, this is not as easy, bearable or even feasible if you use a browser not supported by NoScript (other than Linx or Elinks).
Let’s see what you can do with IE, Safari, Chrome and Opera:

  • Internet Explorer

    IE's security settingsOpen Internet Options|Security, select the “Internet” zone and set the “Security level for this zone” control to “High”.
    Bad news: there’s no apparent way to disable IFRAMEs in IE: you can just disable “Launching programs and files in IFRAME”, which is definitely not enough to prevent clickjacking.
    Furthermore, while Microsoft’s “Internet Zones” can allow individual sites for scripting or active content, their usability is extremely poor if compared to NoScript, requiring several clicks and typing to build a whitelist. So, to recap: MSIE can’t be secured 100% against clickjacking, and the protection you can get comes with a big usability cost.

  • Safari

    Safari's security settingsApple’s browser has a central place to disable active content in its Preferences|Security tab.
    Bad news here are two: there’s no mean to enable features selectively (per site), and IFRAMEs cannot be disabled in any apparent way (Mac users, please let me know if I’m missing something1). Therefore Safari can’t be secured 100% against clickjacking, and the protection you can get comes with an enormous usability cost.

  • Chrome

    If you’re a Chrome user, you’re really out of luck: the only apparent way to disable active content is starting the browser with the following command line:

    chrome.exe -disable-javascript -disable-java -disable-plugins
    

    Of course, you cannot enable back any of these features until you restart your browser with different command line arguments. Even worse, there’s no “-disable-iframe” option. So Chrome can’t be secured 100% against clickjacking, and the protection you can get comes with the worst usability cost.

  • Opera

    Opera has the best built-in security user interface among browsers, very similar to NoScript’s concepts: you can set restrictive defaults if you want, and relax some restrictions on selected sites you trust, using Site Preferences and Quick Preferences. It’s just slightly less usable than NoScript, and it can be configured to prevent clickjacking: you need to disable everything you can see in Preferences|Advanced|Content, then enter opera:config in your address bar, click the “Extensions” handle and uncheck the “IFrames” line.

Final note: current NoScript development versions (1.8.1.7 and above) provide protection against IFRAME-based clickjacking even without disabling IFRAMEs. This is a further usability/security advantage over any other solution, and it’s being tested by Sirdarckcat (a pioneer of malicious CSS overlays) with a final stable released planned for the end of this week. Therefore, if you can choose, your best usability+security choice is still Firefox+NoScript.

19 Responses to “Clickjacking and Other Browsers (IE, Safari, Chrome, Opera)”

  1. #1 Anossov P. says:

    The paranoia police send their regards

  2. #2 john says:

    do you have any idea of telling this to google so they can do something about it??
    also, i thought that chrome will be the most secured browser.. :P
    pls comment on this!!

  3. #3 fukami says:

    BTW: There is a browser using WebKit (on OSX) which allows to disable iframes: OmniWeb (from the good old Omni Group :)

    Most people haven’t ever heart of this one I guess …

  4. #4 Xtra says:

    Pioneer? I dont think you realise how old this attack is.

  5. #5 buzz says:

    hackademix.net » Clickjacking and Other Browsers (IE, Safari, Chrome, Opera)

    Opera has the best built-in security user interface among browsers … and it can be configured to prevent clickjacking

  6. #6 Shaun Inman says:

    To disable iframes in Safari you could just add `iframe { display:none !important; }` to your user style sheet (which can be added via Safari’s Advanced Preferences). `display:none;` prevents any iframe from being interactive and disabling JavaScript (which you’ve already mentioned) will prevent any JavaScript in the iframe from running.

  7. #7 ¿Cómo nos protegemos del Clickjacking? - FayerWayer says:

    […] Clickjacking and Other Browsers (Hackademix) […]

  8. #8 Shadow Security » Protección anti-clickjacking says:

    […] como la madre de todas las vulnerabilidades en navegadores, hoy Giorgio Maone nos explica cómo protegernos frente a la amenaza… si es que […]

  9. #9 Shadow Security - Protección contra ClickJacking en navegadores says:

    […] A continuación dejo una guía para protegerse o disminuir los riesgos de ataques del tipo ClickJacking en cada navegador. Adaptado de Clickjacking and Other Browsers (IE, Safari, Chrome, Opera). […]

  10. #10 Clickjacking - It Can Hit Any Browser | NOT a Guru! says:

    […] vulnerabilities in Microsoft’s Internet Explorer and how to fix them.  Here’s a pretty good article that will tell you what, if anything, you can do to protect yourself from clickjacking if you use […]

  11. #11 Clickjacking: Potentially harmful web browser exploit | Network Administrator | TechRepublic.com says:

    […] for other browsers Giorgio Maone published “Clickjacking and Other Browsers (IE, Safari, Chrome, and Opera)” on his Hackademix.net web site, where he explained what if anything can be done to prevent […]

  12. #12 BitShockingly says:

    Chrome is not the horse to bet on: watch the Iron fork of Chromium or wait for a security minded fork.

  13. #13 hackademix.net » More Clickjacking says:

    […] Regarding protection, if you’re a Firefox/NoScript user you should already know about ClearClick. If you’re not, I feel a bit sorry for you. […]

  14. #14 Tecnologia All-In-One Blogs » Blog Archive » ¿Cómo nos protegemos del Clickjacking? says:

    […] Clickjacking and Other Browsers […]

  15. #15 Clickjacking-¿Que es?-¿Como protegernos? | Hackers Libres says:

    […] Clickjacking y como protegernos - Clickjacking and Other Browsers (IE, Safari, Chrome, Opera) […]

  16. #16 Browser comparisons considered harmful « The Science of Magic says:

    […] possibly the least obtrusive method of protecting yourself from clickjacking, and although you can address that in Opera, it […]

  17. #17 Update Flash Now! says:

    […] If you do not want to use another browser, here are ways to mitigate your Clickjacking risk with other browsers. […]

  18. #18 mirc says:

    Thank you.It’s wonderfull

  19. #19 Clickjacking, el nuevo cuco de la inseguridad en Internet | Geekotic says:

    […] para Firefox, NoScript, podía dar una protección completa, incluso su creador aconseja cómo configurar otros navegadores para lograr el mismo nivel de protección en estos (siendo Opera el único que permite […]

Bad Behavior has blocked 2481 access attempts in the last 7 days.