
Re: [webappsec] straw man anti-clickjacking proposal

From: Giorgio Maone <g.maone@informaction.com>
Date: Tue, 06 Mar 2012 00:50:48 +0100
Message-ID: <4F555158.9090100@informaction.com>
To: David Lin-Shung Huang <linshung.huang@sv.cmu.edu>
CC: Michal Zalewski <lcamtuf@coredump.cx>, "Hill, Brad" <bhill@paypal-inc.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 28/02/2012 11:30, David Lin-Shung Huang wrote:

> I assumed that ClearClick intends to detect any visible obstruction on
> the clicked frame (a Twitter button in the test page), but saw that it
> didn't detect the Flash movie on Windows.

The promised work-around is included in the latest development build,
2.3.3rc3 from http://noscript.net/getit#devel -- thank you, David.

On a side note, I noticed http://webperflab.com/david/test/obscure.html
suggests the bypass was due to 'wmode="direct" overriding z-index', but,
as I said in my previous message, the cause was Gecko's
canvas.context2.drawWindow() implementation failing to render windowed
Flash applets. As far as I can see, in fact, the z-index is honored
anyway: the demo page just forgot to set absolute or relative
positioning on the "victim" frame, which otherwise would have been on top.

-- G
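As an added illustration of the z-index remark above (not part of this thread or of the webperflab demo page), a minimal test page that places the broken and the fixed "victim" frame side by side; an opaque div stands in for the Flash movie, and victim.html is a placeholder for whatever framed page the test targets.

```html
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<style>
  /* Each demo row is a positioned containing block for its overlay. */
  .row { position: relative; width: 300px; height: 100px; margin-bottom: 20px; }
  /* Stand-in for the Flash movie: positioned, so its z-index is honored. */
  .overlay {
    position: absolute; top: 0; left: 0;
    width: 300px; height: 100px;
    background: rgba(255, 140, 0, 0.9); z-index: 1;
  }
  /* BROKEN (the mistake described in the mail): z-index on a non-positioned
     element has no effect, so this frame stays under the overlay even though
     its z-index is numerically higher than the overlay's. */
  #victim-broken { z-index: 10; }
  /* FIXED: position: relative makes z-index take effect, and 10 > 1 puts
     the frame on top of the overlay, as the demo page intended. */
  #victim-fixed  { position: relative; z-index: 10; }
</style>
</head>
<body>
  <!-- Row 1: frame is covered by the overlay. -->
  <div class="row">
    <iframe id="victim-broken" src="victim.html" width="300" height="100"></iframe>
    <div class="overlay">overlay (stands in for the Flash movie)</div>
  </div>
  <!-- Row 2: identical markup, only the frame is positioned; it is now on top. -->
  <div class="row">
    <iframe id="victim-fixed" src="victim.html" width="300" height="100"></iframe>
    <div class="overlay">overlay (stands in for the Flash movie)</div>
  </div>
</body>
</html>
```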
Received on Monday, 5 March 2012 23:51:31 GMT
