Closed
Bug 1343099
Opened 8 years ago
Closed 7 years ago
NoScript reports a ClickJacking warning, for clicks through Modal Find-In-Page's dark overlay
Categories
(WebExtensions :: General, defect)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: dholbert, Unassigned)
Attachments
(1 file)
960.98 KB,
video/ogg
STR:
1. Starting with a fresh profile (optional) in Firefox Nightly, install latest version of NoScript development build from http://noscript.net/getit
2. Restart Firefox to complete installation.
3. Visit https://treeherder.mozilla.org/logviewer.html#?repo=mozilla-central&job_id=80272385&lineNumber=9341
4. Use NoScript UI to allow scripts from mozilla.org and then from taskcluster.github.io, so that the page actually loads.
5. Click any instance of the word "REFTEST" in the log text (just an example).
--> Note that nothing bad happens.
6. Ctrl+F to open Find-in-Page, and type "a".
--> The page darkens.
7. Click the same "REFTEST" text that you clicked before.
ACTUAL RESULTS:
Scary NoScript popup about ClickJacking.
EXPECTED RESULTS:
No such scary popup.
Reporter
Comment 1•8 years ago
Giorgio, is there a way to make NoScript & the modal find-in-page overlay play nicely together so that this ClickJacking dialog doesn't appear? (via changes on one end or the other)
I don't actually know how the overlay works, but I think mikedeboer (CC'd) does.
Flags: needinfo?(g.maone)
Comment 2•8 years ago
Thanks for the report, Daniel. I could reproduce it, but I could not figure out how this overlay is implemented (I couldn't find any trace of it in the top frame's DOM) and, most importantly, since it's not in the content DOM (or at least accessible from there) why it gets captured by canvas.context2d.drawWindow(), causing a difference between how the embedded frame would be displayed if it was on top (white, with no overlay) and how the same region is actually rendered by drawWindow() called on the top frame.
I think help from mikedeboer or whoever implemented this modal thing is actually required, thank you.
Flags: needinfo?(g.maone) → needinfo?(mdeboer)
Comment 3•8 years ago
The overlay is implemented using the Anonymous Content API, which is a chrome-only API. A CanvasFrame layered on top of the current document.
The devtools highlighters are also implemented using this API, so the issue should also be present there.
Flags: needinfo?(mdeboer)
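The comparison Comment 2 describes (the frame as it would look on top versus the same region as rendered from the top frame) can be sketched as a pixel diff. This is an added example, not NoScript's code and not part of the original thread; the function names, tolerance and thresholds are assumptions, and the pixel buffers are constructed samples rather than real drawWindow() output.

```javascript
// Added illustration only. Buffers are RGBA byte arrays shaped like
// ImageData.data; every name and threshold below is an assumption.

// Constructed sample: a w*h region filled with one opaque colour.
function solid(w, h, [r, g, b]) {
  const px = new Uint8ClampedArray(w * h * 4);
  for (let i = 0; i < px.length; i += 4) {
    px[i] = r; px[i + 1] = g; px[i + 2] = b; px[i + 3] = 255;
  }
  return px;
}

// Source-over blend of a uniform translucent colour onto an opaque buffer,
// standing in for a dimming layer painted above the page content.
function dim(px, [r, g, b], alpha) {
  const out = new Uint8ClampedArray(px);
  for (let i = 0; i < out.length; i += 4) {
    out[i] = px[i] * (1 - alpha) + r * alpha;
    out[i + 1] = px[i + 1] * (1 - alpha) + g * alpha;
    out[i + 2] = px[i + 2] * (1 - alpha) + b * alpha;
  }
  return out;
}

// Fraction of pixels whose largest colour-channel delta exceeds `tolerance`.
// The tolerance absorbs antialiasing and rounding noise.
function mismatchRatio(isolated, composited, tolerance = 16) {
  if (isolated.length !== composited.length) {
    throw new RangeError("buffers must cover the same region");
  }
  let bad = 0;
  for (let i = 0; i < isolated.length; i += 4) {
    const delta = Math.max(
      Math.abs(isolated[i] - composited[i]),
      Math.abs(isolated[i + 1] - composited[i + 1]),
      Math.abs(isolated[i + 2] - composited[i + 2]));
    if (delta > tolerance) bad++;
  }
  return bad / (isolated.length / 4);
}

// True when the region the user sees differs from what the frame draws.
function looksObstructed(isolated, composited, maxRatio = 0.05) {
  return mismatchRatio(isolated, composited) > maxRatio;
}
```

A check of this kind sees only pixels, so a browser-drawn dimming layer that ends up in the top-level render is indistinguishable from page content covering the frame.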
Comment 4•7 years ago
Mass-closing bugs that relate to legacy versions of add-ons or are otherwise no longer worth tracking. Please comment if you think this bug should be reopened.
Sorry for the bugspam. Made you look, though!
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
Assignee
Updated•6 years ago
Component: Add-ons → General
Product: Tech Evangelism → WebExtensions