
Firefox and NoScript, and Clickjack Alerts

Surfing the web, with all of the potential dangers in surfing to any web site known and unknown, is an adventure. Some of us use Firefox with NoScript, which improves the odds in our favour ever so slightly, and helps us to enjoy the adventure. NoScript epitomises the Unix security principle "Deny by default, Permit by exception", and explicitly requires you to designate each newly surfed web site as trusted. If you're a Firefox / NoScript user, you may have recently noted a new feature in NoScript - "Clickjack Alerts" - which accentuates the adventure occasionally.

Some folks may have even seen a Clickjack Alert pop up when logging in to Blogger. Obviously, this doesn't provide us with a feeling of ease as we log in. So, the question "Should I keep the "lock item" box checked, as NoScript recommends?" is to be expected.

I think the decision to leave locked, or to unlock, any script that we use often should be made on two bases.
  • Convenience.
  • Security.

Obviously, unlocking any frequently used script, such as the Blogger login, is more convenient. If you trust an often-used script, you'll want to unlock it, or you'll end up verifying it each time you use it. As long as there's no chance that you're being lured to an imposter web site (which leaves very little chance that you'll be logging in to Blogger), unlock the scripts that you run repeatedly, such as the Blogger login.

Unlocking any frequently used script is better for security too. If you leave a frequently used script locked, you'll get used to clicking "Accept" over and over, routinely. One day, when you surf to a dodgy web site and are given the clickjack alert, you'll click "Accept" there too. If you intentionally enable trusted scripts, then when you surf to a dodgy web site and get a clickjack alert, it will stand out in your mind, and you'll be less likely to accept a genuine clickjack exploit.

So unlocking frequently used scripts, even though NoScript may consider them potential clickjack exploits, is good for both convenience and security. If you trust the script, unlock it. And when you get a clickjack alert, don't accept it unless you explicitly know that the web site is trustworthy.



Unknown said…
I've had issues where merely clicking on a blank space to get focus back on the window has raised a ClickJack alert. I've been clickjacked exactly once (before they even had this in NoScript), and because of the "false positives", I've turned it off. I also yelled about it in a forum, but I don't recall any response to it. I haven't been clickjacked since either.
