
Firefox and NoScript, and Clickjack Alerts

Surfing the web, with all of the potential dangers in surfing to any web site known and unknown, is an adventure. Some of us use Firefox with NoScript, which improves the odds in our favour ever so slightly, and helps us to enjoy the adventure. NoScript epitomises the Unix security principle "Deny by default, Permit by exception", and explicitly requires you to designate each newly surfed web site as trusted. If you're a Firefox / NoScript user, you may have recently noted a new feature in NoScript - "Clickjack Alerts" - which accentuates the adventure occasionally.

Some folks may have even seen a Clickjack Alert pop up when logging in to Blogger. Obviously, this doesn't provide us with a feeling of ease as we log in. So, the question
Should I keep the "lock item" box checked, as NoScript recommends?
is to be expected.

I think the decision to leave locked, or to unlock, any script that we use often should be made on two bases.
  • Convenience.
  • Security.


Obviously, unlocking any frequently used script, such as the Blogger login, is more convenient. If you trust a frequently used script, you'll want to unlock it; otherwise you'll end up verifying it each time you use it. As long as there's no chance that you're being lured to an imposter web site (which leaves very little chance that you'll be logging in to Blogger), unlock the scripts that you run repeatedly, such as the Blogger login.

Unlocking any frequently used script is better security too. If you leave any frequently used script locked, you'll get used to clicking "Accept" over and over, routinely. One day, when you surf to a dodgy web site and are given the clickjack alert, you'll click "Accept" there too. If you intentionally enable trusted scripts, when you surf to a dodgy web site and get a clickjack alert, it will stand out in your mind and you'll be less likely to Accept a genuine clickjack exploit.

So unlocking frequently used scripts, even though NoScript may consider them potential clickjack exploits, is good for both convenience and security. If you trust the script, unlock it. And when you get a clickjack alert, don't accept it unless you explicitly know that the web site is trustworthy.


Comments

bytehead said…
I've had issues where merely clicking on a blank space to get focus back on the window has raised a ClickJack alert. I've been clickjacked exactly once (before they even had this in NoScript), and because of the "false positives", I've turned it off. I also yelled about it in a forum, but I don't recall any response to it. I haven't been clickjacked since either.
