IE has a (partial?) solution against clickjacking!

Howdy you malware fighters,

A couple of days ago Microsoft published their anti-clickjacking solution on their website,
and last year they shared this proposed solution with other browser builders.
It is a meta tag solution.
Metatag: X-FRAME-OPTIONS
Values:
DENY (page cannot be rendered in a frame)
SAMEORIGIN (page can be in a frame when this is a frame from pages of the same subdomain)

Is this solution foolproof? Is its implementation also coming to Fx and Flock?
Is this IE8 solution the final answer to the problem?

I for one have put my cards on the protection of NoScript in Fx or Flock.
Just a while and I will fill you in with the views of the experts.

polonus
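
The two values listed in the post above, as an added example that is not part of the original thread: a Python sketch of the decision a supporting browser makes for a framed page. It assumes the value arrives as an `X-Frame-Options` HTTP response header and that SAMEORIGIN compares scheme, host and port; the function names and the `bank.example` URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def may_render_in_frame(headers, framed_url, parent_url):
    """Decide whether framed_url may be displayed in a frame on parent_url.

    headers is a list of (name, value) pairs from the framed page's response.
    """
    values = [v.strip().upper() for n, v in headers
              if n.strip().lower() == "x-frame-options"]
    if "DENY" in values:
        return False
    if "SAMEORIGIN" in values:
        return origin(framed_url) == origin(parent_url)
    # Header absent or value unrecognised: assumption here is that no
    # restriction applies, so the page can be framed by any site.
    return True


# Constructed sample responses (not captured traffic).
SAMPLES = [
    ("https://bank.example/pay", [("X-Frame-Options", "DENY")]),
    ("https://bank.example/pay", [("x-frame-options", "sameorigin")]),
    ("https://bank.example/pay", [("Content-Type", "text/html")]),
]
PARENTS = ["https://bank.example/home", "https://www.bank.example/",
           "https://other.example/"]


def audit():
    """Map (sample index, parent URL) to the framing decision."""
    return {(i, p): may_render_in_frame(h, url, p)
            for i, (url, h) in enumerate(SAMPLES) for p in PARENTS}


if __name__ == "__main__":
    for (i, parent), allowed in audit().items():
        print(i, parent, "renders" if allowed else "blocked")
```

The third sample carries no header and renders under every parent, which is the case where protection depends on the site operator having set the value.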

Hi malware fighters,

With this implementation browser developers are dependent on webmasters following these standards, so NoScript in Fx is a much better global solution. Read about the shortcomings of IE8 here (etc.):
http://blog.wired.com/business/2009/01/why-ie8s-clickj.html

polonus

NoScript blocks clickjacking too.

Yes it does, but not by default (I believe), you have to enable it.

Hi DavidR,

You have to enable it: go to NoScript, click Options, then click PlugIns, then tag and set ClearClick protection on pages to untrusted…
Better this than to wait for all webmasters to apply the IE8 proposal; there users are dependent on a third-party application and it is out of the hands of the user…

polonus

I know how to do it, just pointing out for those who might be following this and thinking they are protected when they aren’t unless they enable that option in NoScript.

That’s not correct. ClearClick protection is enabled by default on both untrusted and trusted pages. You can verify this by clicking the Reset button in the NoScript Options. (This also resets to the default whitelist, so you should Export your whitelist before resetting the NoScript options.)

Hi Alen Baxter,

Thank you for pointing out that users have this protection by default through installing and enabling NoScript inside their Fx or Flock browsers. I haven’t seen a script-like vulnerability NoScript did not protect against. And yes, there are minor things you can adjust, like protection against webbugs, and for privacy reasons I also combine the general protection of NoScript with that of RequestPolicy selectively.
I am fully convinced that if all users used NoScript inside Fx the average malcreant tonight would lie awake or have a bad dream, and we would be a whole lot more secure, and if the profilers and the secret sneaky ad & clickstream webtrackers had not protested against this form of protection, NoScript would be standard by default inside every browser on earth.

polonus

I don’t know what is going on with my setup as I’m certain I had to check those options, must be the c-nile virus ;D

Ha, ha, David, I can relate to that. Avast! doesn’t bother even warning me about that particular infection anymore.

IIRC, the first release of NoScript with clickjacking protection was enabled for only untrusted sites by default. We had to check the trusted box to extend the protection to trusted sites too. The default value was extended to trusted sites soon thereafter. Since then, NoScript has provided clickjacking protection for all sites by default, even when scripts are Allowed Globally (not recommended).

3 to go