Re: [webappsec] straw man anti-clickjacking proposal

On Mon, Mar 5, 2012 at 3:50 PM, Giorgio Maone <g.maone@informaction.com> wrote:

> On 28/02/2012 11:30, David Lin-Shung Huang wrote:
>
> > I assumed that ClearClick intends to detect any visible obstruction on
> > the clicked frame (a Twitter button in the test page), but saw that it
> > didn't detect the Flash movie on Windows.
>
> The promised work-around is included in latest development build,
> 2.3.3rc3 from http://noscript.net/getit#devel -- thank you, David.
>

Nice patch :)


> On a side note, I noticed http://webperflab.com/david/test/obscure.html
> suggests the bypass was due to 'wmode="direct" overriding z-index', but
> as I said in my previous message the cause was Gecko's
> canvas.context2.drawWindow() implementation failing to render windowed
> Flash applets. As far as I can see, in fact, the z-index is honored
> anyway: the demo page just forgot to set absolute or relative
> positioning on the "victim" frame, which otherwise would have been on top.
>

Good catch. I think my point is still valid though; I see that wmode=direct
does bypass z-index on my IE9 & Safari (Win7). (It might also bypass
z-index on older versions of Firefox, if I remember correctly.)

Thanks,
David


> -- G
>

Received on Tuesday, 6 March 2012 01:16:53 UTC