NoScript reports a ClickJacking warning, for clicks through Modal Find-In-Page's dark overlay

RESOLVED WONTFIX

Status

RESOLVED WONTFIX
2 years ago
9 months ago

People

(Reporter: dholbert, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(URL)

Attachments

(1 attachment)

STR:
 1. Starting with a fresh profile (optional) in Firefox Nightly, install latest version of NoScript development build from http://noscript.net/getit
 2. Restart Firefox to complete installation.
 3. Visit https://treeherder.mozilla.org/logviewer.html#?repo=mozilla-central&job_id=80272385&lineNumber=9341
 4. Use NoScript UI to allow scripts from mozilla.org and then from taskcluster.github.io, so that the page actually loads.
 5. Click any instance of the word "REFTEST" in the log text (just an example).
  --> Note that nothing bad happens.
 6. Ctrl+F to open Find-in-Page, and type "a".
  --> The page darkens.
 7. Click the same "REFTEST" text that you clicked before.

ACTUAL RESULTS:
Scary NoScript popup about ClickJacking.

EXPECTED RESULTS:
No such scary popup.
Created attachment 8841796 [details]
screencast of bug

Giorgio, is there a way to make NoScript & the modal find-in-page overlay play nicely together so that this ClickJacking dialog doesn't appear?  (via changes on one end or the other)

I don't actually know how the overlay works, but I think mikedeboer (CC'd) does.
Flags: needinfo?(g.maone)

Comment 2

2 years ago
Thanks for the report, Daniel. I could reproduce it, but I could not figure out how this overlay is implemented (I couldn't find any trace of it in the top frame's DOM) and, most importantly, since it's not in the content DOM (or at least accessible from there) why it gets captured by canvas.context2d.drawWindow(), causing a difference between how the embedded frame would be displayed if it was on top (white, with no overlay) and how the same region is actually rendered by drawWindow() called on the top frame.

I think help from mikedeboer or whoever implemented this modal thing is actually required, thank you.
Flags: needinfo?(g.maone) → needinfo?(mdeboer)
The overlay is implemented using the Anonymous Content API, which is a chrome-only API. A CanvasFrame layered on top of the current document.
The devtools highlighters are also implemented using this API, so the issue should also be present there.
Flags: needinfo?(mdeboer)
Mass-closing bugs that relate to legacy versions of add-ons or are otherwise no longer worth tracking. Please comment if you think this bug should be reopened.

Sorry for the bugspam. Made you look, though!
Status: NEW → RESOLVED
Last Resolved: 9 months ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.