Archive for January 29th, 2009

As I promised in my previous posts about so called IE8's "Clickjacking protection", some hours ago I released the NoScript 1.8.9.9 development build, featuring experimental but complete compatibility with the X-FRAME-OPTIONS header support introduced by IE8 and unveiled yesterday by Eric Lawrence on the IE Blog.

As I said previously,

this is just a cross-browser compatibility effort: neither Firefox nor NoScript really need this feature. Traditional JavaScript-based frame busting works fine in Firefox, giving it the same degree of (modest) "protection" as IE8. NoScript users, on the other hand, are already fully protected, because ClearClick is the one and only countermeasure which works against any type of Clickjacking (frame or embed based), no matter if web sites cooperate or not.

However I also said this is nice to have. I had already imagined a functionally similar declarative solution, the SUB pseudo-method of ABE rules, and HTTP-based restrictions can actually be easier to deploy in some scenarios (e.g. using a Web Application Firewall).

More important, not every IT manager will have a chance of reading the reasons I exposed so far, explaining why IE8 has no more "Clickjacking protection" than its competitors. Our typical decision maker will just read a bullet list including "Clickjacking protection", will find that no other browser dares such a claim and will base his choice (also) on that misleading comparison.

So let's add this bullet, even if it does nothing against Clickjacking that "alternative browsers" couldn't already do with traditional frame busting.

The following screenshot shows the original IE8 implementation as can be tested on my demo page:

X-IFRAME-OPTIONS demo in IE8 screenshot


And this is X-IFRAME-OPTIONS in action on Firefox (kindly provided by NoScript for now, but already in the works as a built-in):

X-IFRAME-OPTIONS demo in Firefox screenshot


But now that we've got "bullet parity", let's put the marketspeak aside and keep enjoying the only Clickjacking protection that really works "out of the box": your friendly neighborhood ClearClick :)

Bad Behavior has blocked 705 access attempts in the last 7 days.