Opened 8 years ago

Last modified 3 years ago

#5288 new defect

Clickjacking + popups subvert TBB url-bar isolation

Reported by: mikeperry
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-linkability, tbb-firefox-patch
Cc: gk
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Right now, TBB treats popups as top-level content items (i.e. they are allowed to track you independently of their originating window). I think this is fine, because the Firefox popup blocker prevents popups from opening without an associated mouse click, and to me, mouse clicks indicate consent to visit a page and to establish a relationship with that page.

However, clickjacking probably ruins that model, in that it can cause popups to launch for tracking content whenever the user clicks *anywhere* on a page.

We include NoScript, which has some clickjacking protection. But is it enough? Is it still functional if you have JavaScript fully enabled? We should spend some time investigating current clickjacking techniques to see what is still possible these days.

Change History (6)

comment:1 Changed 8 years ago by gk

Cc: g.koppen@… added

comment:2 Changed 7 years ago by mikeperry

Keywords: tbb-linkability added

comment:3 Changed 5 years ago by erinn

Keywords: tbb-firefox-patch added

comment:4 Changed 5 years ago by erinn

Component: Firefox Patch Issues → Tor Browser
Owner: changed from mikeperry to tbb-team

comment:5 Changed 3 years ago by bugzilla

Milestone: TorBrowserBundle 2.3.x-stable
Severity: Normal

Maybe TBB should ask the user whether he allows a new tab/window to violate first-party isolation...

comment:6 Changed 3 years ago by gk

Cc: gk added; g.koppen@… removed