As I hinted in my original clickjacking article and confirmed in my follow-up about protecting other browsers from clickjacking, specific anti-clickjacking countermeasures are included in latest NoScript development builds, enabled by default, and completely independent from frame blocking.

Specifically, since (released past Friday), embedded objects of any kind are forcibly made opaque if placed on a non-whitelisted page, giving user a clear view on what he's about to click.
A further protection layer, automatically disabling any user interaction with partially obstructed documents (similar in concept to Zalewski's preferred proposal), will go in a stable release by the end of this week, but current development builds are already safe and good enough for general consumption, so I recommend upgrading now (update) is available in NoScript 1.8.2 and above.

Starting this fresh development line, rather than sitting on the serendipity of old NoScript features being able to prevent known forms of clickjacking, proved to be a very wise thing to do.
In facts, both RSnake and Ronald during the last two days found frame blocking work-arounds. RSnake in particular, being a NoScript user himself, has been so kind to do responsible disclosure, giving me also a lot of constructive feedback about the alternate mitigation ideas I was developing.

I must be grateful to Ronald as well, because he -- even if in a less cooperative way -- underlined a conceptual weakness in IFRAME blocking (since OBJECTs can behave just like IFRAMEs, they should be blocked according to the very same criteria), but I have to rectify this statement from his public disclosure post:

The latest version of NoScript allows it's users to block iframes in order to protect themselves from "Clickjacking".

NoScript has been capable of blocking IFRAMEs for a long time: this feature had been introduced mainly to make Gareth Heyes happy, more than one year ago. As often observed with NoScript, an old feature happens to be effective against new threats.
Unfortunately, bugs happen too and IFRAME blocking not being applied to all the frame-like elements is what I do consider a bug. This one will be fixed in the automatic stable update you're going to receive in a few days, but in the meanwhile is already fixed; you can enjoy the new specific clickjacking protection, no matter if you block frames or not, by simply upgrading to NoScript or above.

Update Oct 2nd, afternoon

The frame/object bug has already been fixed in, one more reason to upgrade.

Update Oct 7th

NoScript 1.8.2 is finally out, featuring the brand new exclusive ClearClick technology against Clickjacking. Upgrade now!

17 Responses to “Clickjacking Protection by Default”

  1. #1 » Clickjacking and NoScript says:

    [...] If you did not yet, you should upgrade to NoScript or above, for the reasons explained here. [...]

  2. #2 randy says:

    I usually wait for updates via the stable release updater but in view of your advice, dev build .1.8 is now on my firefox. Thanks Georgio for your continued work on we internet users' behalf.

  3. #3 Gareth Heyes says:

    haha you did indeed make me happy :)
    It's as though I knew about these "new" attacks

  4. #4 Giorgio says:

    you'll be even more happy after upgrading to, then.

  5. #5 Gareth Heyes says:

    ooooo nifty

  6. #6 Peng’s links for Friday, 3 October « I’m Just an Avatar says:

    [...] Maone: Clickjacking Protection by Default. Giorgio posted an article recently about clickjacking that had gotten a littel too old to post [...]

  7. #7 rvdh says:

    Not so fast :)

    You forgot as well :) I know you block it, but the problem with embed is, that it loads before you try to block it. This is because of the plugin it needs to fetch first. So, it doesn't do anything for scripts, but it does help in a CSRF attack c.q. scriptless event hijack

  8. #8 rvdh says:

    I was saying: You forgot EMBED SRC="" as well. it got stripped somehow.

  9. #9 rvdh says:

    Curious, it seems fixed as well in the new build I just tested. Good job Giorgio! I can get some sleep again :)

  10. #10 questioner says:

    Hi - I have a question because I am a little confused:

    As an usual everyday user - is there a special reson (like an accute actual security threat) to make this very big upgrade neccessary? or can I simply wait until the newest versions (my actual here is V. without any harm???

  11. #11 Giorgio says:

    If Ronald did not disclose the OBJECT-based IFRAME blocking work-around, I would have said just wait for 1.8.2 keeping "Forbid IFRAME" on, but now there's a slight chance some bad guy already figured how clickjacking works (easy) and deems valuable the extra effort to bypass IFRAME protection (less likely), therefore my recommendation to get -- thank Ronald for this hassle ;)
    Anyway I'll release 1.8.2 tomorrow at most.

  12. #12 Shadow Security - ¿Clickjacking con Firefox y NoScript instalado? (II) says:

    [...] la información ya que Maone confirma lo preguntado por mí y también menciona que en NoScript se habilita la protección de IFRAMES por defecto en la última versón y en 0×000000 confirman lo dicho por Maone. Además Maone también explica algunas formas de [...]

  13. #13 » Hello ClearClick, Goodbye Clickjacking! says:

    [...] Clickjacking Protection by Default 08 10 2008 [...]

  14. #14 Hello ClearClick, Goodbye Clickjacking! | 洋葱圈 says:

    [...] NoScript is out, featuring the announced new anti-clickjacking countermeasures enabled by default, independent from IFRAME and plugin [...]

  15. #15 Clickjacking - Scary New Cross Brower Exploit says:

    [...] solution at the moment is to use Firefox with Noscript(an extension for Firefox) addons since specific anti-clickjacking countermeasures are included in latest version (1.8.2) of NoScript. Opera users need to disable Java, Javascript [...]

  16. #16 | TechUniverse says:

    [...] ultime versioni dell’italica estensione, oltre a impedire l’esecuzione di elementi Flash o codice JavaScript non gradito, introducono [...]

  17. #17 ross alba says:

    give it atry

Bad Behavior has blocked 729 access attempts in the last 7 days.