

Mark Pilgrim on clickjacking browser vulnerability - ash
http://blog.whatwg.org/this-week-in-html-5-episode-7

======
ash
The best part:

Ironically, the best example of "clickjacking" is the download page for the
NoScript extension, which uses it for good rather than evil. Thanks to some
fancy JavaScript (search for "installer"), Giorgio embeds the
addons.mozilla.org download page for NoScript in an IFRAME on his own page on
noscript.net, sets the IFRAME to "opacity:0" (an attack vector that Robert
O'Callahan specifically warned about), scrolls the embedded addons.mozilla.org
page to the top corner of its "Add to Firefox" button, and sets the z-index of
the IFRAME to 100. Thus, the IFRAME is floating (due to "z-index:100")
invisibly (due to "opacity:0") over Giorgio's own "Install Now" button (due to
the positioning of the IFRAME element itself). When you think you're clicking
the button on noscript.net you are actually clicking the button on
addons.mozilla.org. What's the difference? By default, Firefox treats
addons.mozilla.org as a trusted download site, so it immediately pops up the
extension installation dialog instead of blocking the installation with an
infobar saying "Firefox prevented this site (noscript.net) from installing
software on your computer." From a user experience standpoint, this is great
-- one less click to download and install an extension. From a security
standpoint, this is incredibly scary -- the end user has no idea they're
interacting with a third-party site.
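
The overlay layout described in the quoted passage can be detected mechanically. The following is an added example, not part of the original post or of NoScript's own code: it flags a cross-origin IFRAME that is nearly transparent and stacked above a clickable control on the embedding page. The element records, the `.example` hosts, the opacity threshold and the single-stacking-context simplification are assumptions.

```javascript
// Assumption: a frame at or below this opacity is effectively invisible to the user.
const OPACITY_THRESHOLD = 0.1;

function originOf(url, base) {
  try { return new URL(url, base).origin; } catch { return null; }
}

// Axis-aligned rectangle intersection on {left, top, right, bottom}.
function rectsOverlap(a, b) {
  return a.left < b.right && b.left < a.right &&
         a.top < b.bottom && b.top < a.bottom;
}

// frames:   [{src, opacity, zIndex, rect}]  (computed style + bounding box)
// controls: [{label, zIndex, rect}]         (the page's own buttons/links)
// Assumption: all elements share one stacking context, so z-index compares directly.
function findInvisibleOverlays(pageUrl, frames, controls) {
  const pageOrigin = originOf(pageUrl);
  const findings = [];
  for (const f of frames) {
    const frameOrigin = originOf(f.src, pageUrl);
    if (frameOrigin === null || frameOrigin === pageOrigin) continue; // not third-party
    if (f.opacity > OPACITY_THRESHOLD) continue;                      // frame is visible
    for (const c of controls) {
      // Invisible third-party frame sits on top of a control the user can see.
      if (f.zIndex > c.zIndex && rectsOverlap(f.rect, c.rect)) {
        findings.push({ frameOrigin, control: c.label,
                        opacity: f.opacity, zIndex: f.zIndex });
      }
    }
  }
  return findings;
}

// Constructed sample mirroring the layout in the passage (hosts are placeholders).
const SAMPLE_PAGE = "https://publisher.example/";
const SAMPLE_FRAMES = [
  { src: "https://trusted-store.example/addon", opacity: 0, zIndex: 100,
    rect: { left: 200, top: 300, right: 360, bottom: 340 } },
  { src: "/banner.html", opacity: 1, zIndex: 1,
    rect: { left: 0, top: 0, right: 800, bottom: 90 } },
];
const SAMPLE_CONTROLS = [
  { label: "Install Now", zIndex: 0,
    rect: { left: 210, top: 305, right: 350, bottom: 335 } },
];

console.log(findInvisibleOverlays(SAMPLE_PAGE, SAMPLE_FRAMES, SAMPLE_CONTROLS));
```

In a browser the same records can be filled from `getComputedStyle()` and `getBoundingClientRect()` for each IFRAME and clickable element.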

