- From: Giorgio Maone <g.maone@informaction.com>
- Date: Tue, 06 Mar 2012 00:50:48 +0100
- To: David Lin-Shung Huang <linshung.huang@sv.cmu.edu>
- CC: Michal Zalewski <lcamtuf@coredump.cx>, "Hill, Brad" <bhill@paypal-inc.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On 28/02/2012 11:30, David Lin-Shung Huang wrote:

> I assumed that ClearClick intends to detect any visible obstruction on
> the clicked frame (a Twitter button in the test page), but saw that it
> didn't detect the Flash movie on Windows.

The promised work-around is included in the latest development build, 2.3.3rc3 from http://noscript.net/getit#devel -- thank you, David.

On a side note, I noticed http://webperflab.com/david/test/obscure.html suggests the bypass was due to 'wmode="direct" overriding z-index', but as I said in my previous message the cause was Gecko's canvas.context2.drawWindow() implementation failing to render windowed Flash applets. As far as I can see, in fact, the z-index is honored anyway: the demo page just forgot to set absolute or relative positioning on the "victim" frame, which otherwise would have been on top.

-- G

Received on Monday, 5 March 2012 23:51:31 UTC