Archive for December, 2009

On April the 1st (!) 2009 I had a phone call with Mickey Kim of Google. The Chromium development team was starting to design a browser extension API, and they wanted to know what kind of hooks were needed for FlashGot and NoScript to be ported on Chrome. I gave them detailed answers with references to related Mozilla technologies, and they promised to keep me updated with progresses.

Eight months later, Chrome extensions are here but NoScript is not among them yet, and people are asking why. The reason is very simple: Chrome is still lacking the required infrastructure for selective script disablement and object blocking.

Maybe Google plans to implement the missing stuff later, maybe they're still trying to figure out whether it can be done without enabling effective ad blocking, but in the meanwhile the pale AdBlock and FlashBlock imitations which have been hacked together by overwhelming popular demand, are forced to use a very fragile CSS-based hiding approach, ridiculously easy to circumvent.

Just install the most popular FlashBlock clone for Chrome and visit this page I put together in 3 minutes to see what I mean...

Update

Sam Hasler came to the rescue:

The top rated FlashBlock clone for Chrome does block your example page.

Of course, it took another 3 minutes to fix "the top rated" as well ;-)

If you can see my Google Talk Badge on the right, either you're browsing with anything else than IE8/Chrome/Safari/Firefox+NoScript, or the issue we're talking about has already been fixed by Google. Edit 7 Dec 2009: the issue has been fixed, so I've removed my badge to prevent a spam flood.

Otherwise, you're getting an error page (hard to read, since it's embedded in a tiny frame) -- or a blank one if you're on Chrome -- because Google is sending down a X-Frame-Options HTTP header with value

SAMEORIGIN

, allowing only pages served from www.google.com to embed this badge.

Now, Google playing the early adopter of bleeding edge security technologies like

X-Frame-Options

or STS, both in its browser and in its web properties, is really great because it speeds up their acceptance hugely, making the whole web safer. But if the service you're offering is based on cross-site frames, you'd better keep them enabled ;-)

On a side note, users can easily disable NoScript's implementation of

X-Frame-Options

, if needed, via about:config preferences: either globally (noscript.frameOptions.enabled) or per-embedding-site (noscript.frameOptions.parentWhitelist). Don't worry, ClearClick will still be watching your back...

Bad Behavior has blocked 2160 access attempts in the last 7 days.