
Firefox and NoScript, and Clickjack Alerts

Surfing the web, with all of the potential dangers in surfing to any web site known and unknown, is an adventure. Some of us use Firefox with NoScript, which improves the odds in our favour ever so slightly, and helps us to enjoy the adventure. NoScript epitomises the Unix security principle "Deny by default, Permit by exception", and explicitly requires you to designate each newly surfed web site as trusted. If you're a Firefox / NoScript user, you may have recently noted a new feature in NoScript - "Clickjack Alerts" - which accentuates the adventure occasionally.

Some folks may have even seen a Clickjack Alert pop up when logging in to Blogger. Obviously, this doesn't provide us with a feeling of ease as we log in. So, the question "Should I keep the 'lock item' box checked, as NoScript recommends?" is to be expected.

I think the decision to leave locked, or to unlock, any script that we use often should be made on two bases.
  • Convenience.
  • Security.

Obviously, unlocking any frequently used script, such as the Blogger login, is more convenient. If you trust a script that you use often, you'll want to unlock it, or you'll end up verifying it each time you use it. As long as there's no chance that you're being lured to an imposter web site (which leaves very little chance that you'll be logging in to Blogger), unlock the scripts that you run repeatedly, such as the Blogger login.

Unlocking any frequently used script is better security too. If you leave any frequently used script locked, you'll get used to clicking "Accept" over and over, routinely. One day, when you surf to a dodgy web site and are given the clickjack alert, you'll click "Accept" there too. If you intentionally enable trusted scripts, when you surf to a dodgy web site and get a clickjack alert, it will stand out in your mind and you'll be less likely to Accept a genuine clickjack exploit.

So unlocking frequently used scripts, even though NoScript may consider them potential clickjack exploits, is good for both convenience and security. If you trust the script, unlock it. And when you get a clickjack alert, don't accept it unless you explicitly know that the web site is trustworthy.



Unknown said…
I've had issues where merely clicking on a blank space to get focus back on the window has raised a ClickJack alert. I've been clickjacked exactly once (before they even had this in NoScript), and because of the "false positives", I've turned it off. I also yelled about it in a forum, but I don't recall any response to it. I haven't been clickjacked since either.
