STR:
1. Starting with a fresh profile (optional) in Firefox Nightly, install latest version of NoScript development build from http://noscript.net/getit
2. Restart Firefox to complete installation.
3. Visit https://treeherder.mozilla.org/logviewer.html#?repo=mozilla-central&job_id=80272385&lineNumber=9341
4. Use NoScript UI to allow scripts from mozilla.org and then from taskcluster.github.io, so that the page actually loads.
5. Click any instance of the word "REFTEST" in the log text (just an example).
 --> Note that nothing bad happens.
6. Ctrl+F to open Find-in-Page, and type "a".
 --> The page darkens.
7. Click the same "REFTEST" text that you clicked before.

ACTUAL RESULTS:
Scary NoScript popup about ClickJacking.

EXPECTED RESULTS:
No such scary popup.
Created attachment 8841796
screencast of bug

Giorgio, is there a way to make NoScript & the modal find-in-page overlay play nicely together so that this ClickJacking dialog doesn't appear? (via changes on one end or the other)

I don't actually know how the overlay works, but I think mikedeboer (CC'd) does.
Thanks for the report, Daniel. I could reproduce it, but I could not figure out how this overlay is implemented (I couldn't find any trace of it in the top frame's DOM) and, most importantly, since it's not in the content DOM (or at least accessible from there) why it gets captured by canvas.context2d.drawWindow(), causing a difference between how the embedded frame would be displayed if it was on top (white, with no overlay) and how the same region is actually rendered by drawWindow() called on the top frame. I think help from mikedeboer or whoever implemented this modal thing is actually required, thank you.
Flags: needinfo?(g.maone) → needinfo?(mdeboer)
The overlay is implemented using the Anonymous Content API, which is a chrome-only API. It is a CanvasFrame layered on top of the current document. The devtools highlighters are also implemented using this API, so the issue should also be present there.
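
The mismatch discussed in this thread, reduced to a simplified model as an added example (not NoScript's or Firefox's code): a frame drawn in isolation is compared with the same region as captured through the top-level window, and a uniform dimming layer that exists only in the second capture makes every pixel differ. The function names, the per-channel tolerance and the 5% threshold are assumptions chosen for illustration, and the pixel buffers are constructed samples.

```javascript
// Simplified model (assumption): a screenshot-comparison clickjacking check.
// All buffers below are constructed RGBA samples, not real captures.

// Build a w*h RGBA buffer filled with one opaque colour.
function solidFrame(w, h, [r, g, b]) {
  const px = new Uint8ClampedArray(w * h * 4);
  for (let i = 0; i < px.length; i += 4) {
    px[i] = r; px[i + 1] = g; px[i + 2] = b; px[i + 3] = 255;
  }
  return px;
}

// Composite a black layer of the given opacity over every pixel, the way a
// page-dimming overlay shows up in a capture taken through the top window.
function dim(px, opacity) {
  const out = new Uint8ClampedArray(px);
  for (let i = 0; i < out.length; i += 4) {
    for (let c = 0; c < 3; c++) {
      out[i + c] = Math.round(px[i + c] * (1 - opacity));
    }
  }
  return out;
}

// Fraction of pixels where any colour channel differs by more than `tolerance`.
function mismatchRatio(a, b, tolerance = 8) {
  if (a.length !== b.length) throw new RangeError("buffers differ in size");
  let bad = 0;
  for (let i = 0; i < a.length; i += 4) {
    const differs = [0, 1, 2].some((c) => Math.abs(a[i + c] - b[i + c]) > tolerance);
    if (differs) bad++;
  }
  return bad / (a.length / 4);
}

// Hypothetical decision rule: report obstruction when more than `threshold`
// of the compared pixels differ between the two renderings.
function flagsObstruction(isolated, asDisplayed, threshold = 0.05) {
  return mismatchRatio(isolated, asDisplayed) > threshold;
}

// The frame alone renders white; the top-window capture includes the dimming layer.
const isolated = solidFrame(8, 8, [255, 255, 255]);
const withOverlay = dim(isolated, 0.3);
console.log(mismatchRatio(isolated, withOverlay), flagsObstruction(isolated, withOverlay));
```

A comparison of this kind cannot tell a browser-drawn overlay from a page-supplied one, since both appear only in the top-window capture.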