- From: Giorgio Maone <g.maone@informaction.com>
- Date: Tue, 28 Feb 2012 11:49:12 +0100
- To: David Lin-Shung Huang <linshung.huang@sv.cmu.edu>
- CC: Michal Zalewski <lcamtuf@coredump.cx>, "Hill, Brad" <bhill@paypal-inc.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On 28/02/2012 11:30, David Lin-Shung Huang wrote:

> I assumed that ClearClick intends to detect any visible obstruction on
> the clicked frame

It does, indeed. My fault, I misinterpreted the aim of the "attack" as a clickthrough one, rather than a clipping-around one (like the div-based PoC just above).

> That said, it should be possible to detect or avoid this from the
> browser (e.g. taking OS screenshots for comparison).

Yes, it is possible. In fact, I'm probably gonna file a bug report on the CanvasContext2d.drawWindow() Gecko API to see if it's possible to take into account this case, and anyway introduce a work-around in next ClearClick version.

Thanks
-- G

Received on Tuesday, 28 February 2012 10:49:45 UTC