Archive for October 8th, 2008

Finally NoScript is out, featuring the announced new anti-clickjacking countermeasures enabled by default, independent from IFRAME and plugin content blocking settings.

The most specific and ambitious is called ClearClick: whenever you click or otherwise interact, through your mouse or your keyboard, with an embedded element which is partially obstructed, transparent or otherwise disguised, NoScript prevents the interaction from completing and reveals you the real thing in "clear". At that point you can evaluate if the click target was actually the intended one, and decide if keeping it locked or unlock it for free interaction. This comes quite handy now that more dangerous usages of clickjacking are being disclosed, such as enabling your microphone or your webcam behind your back to spy you through the interwebs.

As you already know if you read my first clickjacking article, an old and benign clickjacking example is NoScript's "Install Now" orange button, which overlays the green one on to work-around the installation security warning. If you click it with ClearClick enabled, now you get warned about something sneaky going on.

ClearClick Warning on NoScript's install button

I do not need to change my button yet, because NoScript ships with ClearClick enabled on untrusted (non whitelisted) parent pages only, while the whitelist status of the embedding is irrelevant. This gives a good balance between effectiveness and usability, since the attacker in a clickjacking attack is always the parent. If you want to get the warning on and on the other sites you trust, you need to flag the second checkbox on NoScript Options|Plugins|ClearClick protection on pages... [x] untrusted [x] trusted. I recommend to flag it anyway and report any usability issue, because this feature so far seems quiet and unobtrusive enough to justify my temptation of enabling everywhere (trusted + untrusted) by default on next stable release, but it must get a lot of testing from you first.


NoScript 1.8.4 and above ship with ClearClick enabled on both untrusted and trusted sites. It works everywhere, even if you've got scripts globally allowed. And yes, at that point I had to change install button, therefore if you want a PoC you need to look elsewhere.

Other clickjacking-related features included in this release are:

  1. Opaque embedded objects: plugin content and frames are forcibly made opaque and get styled with "overflow: auto" (i.e. get scrollbars if their inner size exceed their viewport) on untrusted pages.
  2. Frame Break Emulation: if a framed page which is not allowed to run JavaScript contains a "frame busting" script similar to
    <script>if (top != self) top.location = location</script>

    , the intention of the page author is honored by NoScript, i.e. the page replaces the topmost document. You can control this feature toggling the noscript.emulateFrameBreak about:config preference.

  3. Some usability and effectiveness improvements in frame management, making the Forbid IFRAMEs option more suitable for general usage.

I hope to find some time during this week to write another post, diving through the technical details behind my ClearClick implementation: a fairy tale about a very simple and hopeful idea (unconventional <canvas> usage) fighting against an army of quirks and mundane details. In the meanwhile, many thanks to Sirdarckcat, RSnake, Michal Zalewski and Matt Mastracci for discussion, testing and inspiration.

Bad Behavior has blocked 588 access attempts in the last 7 days.