During the past few days I’ve been repeatedly asked the same question:
Is there anything that users of IE, Chrome and other browsers (who cannot use NoScript) can do to protect themselves from clickjacking?
NoScript is the most elegant and usable solution to do it for browsers based on Mozilla technology (like Firefox), because it gives you a quick one-click way to enable the missing technologies on sites you trust and remembers your choices in a whitelist, becoming almost unnoticeable after some “training” about your surfing habits.
Open Internet Options|Security, select the “Internet” zone and set the “Security level for this zone” control to “High”.
Bad news: there’s no apparent way to disable IFRAMEs in IE: you can just disable “Launching programs and files in IFRAME”, which is definitely not enough to prevent clickjacking.
Furthermore, while Microsoft’s “Internet Zones” can allow individual sites for scripting or active content, their usability is extremely poor if compared to NoScript, requiring several clicks and typing to build a whitelist. So, to recap: MSIE can’t be secured 100% against clickjacking, and the protection you can get comes with a big usability cost.
Apple’s browser has a central place to disable active content in its Preferences|Security tab.
Bad news here are two: there’s no mean to enable features selectively (per site), and IFRAMEs cannot be disabled in any apparent way (Mac users, please let me know if I’m missing something1). Therefore Safari can’t be secured 100% against clickjacking, and the protection you can get comes with an enormous usability cost.
If you’re a Chrome user, you’re really out of luck: the only apparent way to disable active content is starting the browser with the following command line:
Of course, you cannot enable back any of these features until you restart your browser with different command line arguments. Even worse, there’s no “-disable-iframe” option. So Chrome can’t be secured 100% against clickjacking, and the protection you can get comes with the worst usability cost.
Opera has the best built-in security user interface among browsers, very similar to NoScript’s concepts: you can set restrictive defaults if you want, and relax some restrictions on selected sites you trust, using Site Preferences and Quick Preferences. It’s just slightly less usable than NoScript, and it can be configured to prevent clickjacking: you need to disable everything you can see in Preferences|Advanced|Content, then enter opera:config in your address bar, click the “Extensions” handle and uncheck the “IFrames” line.
Final note: current NoScript development versions (18.104.22.168 and above) provide protection against IFRAME-based clickjacking even without disabling IFRAMEs. This is a further usability/security advantage over any other solution, and it’s being tested by Sirdarckcat (a pioneer of malicious CSS overlays) with a final stable released planned for the end of this week. Therefore, if you can choose, your best usability+security choice is still Firefox+NoScript.