
Firefox and NoScript, and Clickjack Alerts

Surfing the web, with all of the potential dangers in surfing to any web site known and unknown, is an adventure. Some of us use Firefox with NoScript, which improves the odds in our favour ever so slightly, and helps us to enjoy the adventure. NoScript epitomises the Unix security principle "Deny by default, Permit by exception", and explicitly requires you to designate each newly surfed web site as trusted. If you're a Firefox / NoScript user, you may have recently noted a new feature in NoScript - "Clickjack Alerts" - which accentuates the adventure occasionally.

Some folks may have even seen a Clickjack Alert pop up when logging in to Blogger. Obviously, this doesn't provide us with a feeling of ease as we log in. So, the question "Should I keep the 'lock item' box checked, as NoScript recommends?" is to be expected.

I think the decision to leave locked, or to unlock, any script that we use often should be made on two bases.
  • Convenience.
  • Security.


Obviously, unlocking any frequently used script, such as the Blogger login, is more convenient. If you trust a frequently used script, you'll want to unlock it, or you'll end up verifying it each time you use it. As long as there's no chance that you're being lured to an imposter web site (which leaves very little chance that you'll be logging in to Blogger), unlock the scripts that you run repeatedly, such as the Blogger login.

Unlocking any frequently used script is better for security too. If you leave any frequently used script locked, you'll get used to clicking "Accept" over and over, routinely. One day, when you surf to a dodgy web site and are given the clickjack alert, you'll click "Accept" there too. If you intentionally enable trusted scripts, then when you surf to a dodgy web site and get a clickjack alert, it will stand out in your mind and you'll be less likely to accept a genuine clickjack exploit.

So unlocking frequently used scripts, even though NoScript may consider them potential clickjack exploits, is good for both convenience and security. If you trust the script, unlock it. And when you get a clickjack alert, don't accept it unless you explicitly know that the web site is trustworthy.


Comments

Unknown said…
I've had issues where merely clicking on a blank space to get focus back on the window has raised a ClickJack alert. I've been clickjacked exactly once (before they even had this in NoScript), and because of the "false positives", I've turned it off. I also yelled about it in a forum, but I don't recall any response to it. I haven't been clickjacked since either.
