
On some of my workstations I never allow Javascript in Firefox. The NoScript addon is installed on these machines, but I would like to remove it and disable Javascript via about:config instead. However, it seems that NoScript also protects against clickjacking and to my knowledge Javascript is NOT required for this attack to be successful.

What can I do to be protected against clickjacking in Firefox, without installing any addons?

EDIT:

I'm looking for a solution that DOES NOT require installing addons but can be configured in about:config.

user83098
  • Clickjacking requires the website to contain more than one frame to be allowed. Unfortunately I don't think that this can be configured in about:config. The only thing that I know about is server side: you can send a special header to disallow extra frames, but that does not apply to your client side problem – John Aug 10 '15 at 17:29

1 Answer


Firefox doesn't have an option to turn off iframes in about:config, see this bug report. It's also not that likely that it will get that option anytime soon, seeing that this issue was first reported 15 years ago.

You could disable iframes without plugins by using custom CSS (iframe { display: none !important; }). This would be done via a CSS file in /~/.mozilla/firefox/<random-id>.default/chrome/userContent.css. This setting should not be overwritable via a website's CSS (but future Firefox versions might of course allow a website to overwrite custom CSS, which would allow an attacker to bypass this).

ClickJacking should not be possible without iframes (although there might possibly be a way via the embed tag, but it didn't work for me).

Personally, I would probably trust NoScript more than this approach, but if you definitely do not want to install plugins, this might be the best way to do it.

tim
  • If that's the case then the CSS solution seems to be what I'm looking for. I don't know much about clickjacking, I just read somewhere that it could be done without Javascript enabled. Do you know what kind of damage can be done with clickjacking when Javascript is disabled? I'm thinking that it is much reduced compared to if Javascript is enabled? – user83098 Aug 11 '15 at 22:56
  • @user83098 Yes, JavaScript is not needed for clickjacking at all (although it's easier if JavaScript is enabled, because it e.g. allows an attacker to move the target with the mouse, meaning the victim may click anywhere). Of course, some web functionality is broken without JavaScript, so the attack surface for clickjacking is reduced without it. Combined attacks such as clickjacking + XSS are now also not possible. But the basic attack - getting a victim to click something they didn't mean to click - still exists. – tim Aug 12 '15 at 06:46
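As an added example (not part of the answer above, and not an official Firefox configuration), here is a complete userContent.css that applies the approach tim describes. It goes slightly beyond the single iframe rule in the answer: it also hides the other elements that can embed a foreign document (frame, object, embed), since each of them can be used to overlay a target page in the same way. The profile path is the one from the answer, with <random-id> left as a placeholder; the optional allowlist selector at the end is an assumption about how a reader might want to re-enable embeds for a trusted site and is not from the original post.

```css
/* ~/.mozilla/firefox/<random-id>.default/chrome/userContent.css
 *
 * User stylesheet that prevents any page from rendering embedded
 * documents. Clickjacking relies on placing the target page in an
 * (often transparent) frame on top of attacker-controlled content;
 * if the embedding element is never rendered, there is nothing to
 * click through to. No JavaScript or addon is involved.
 *
 * CSS cascade note: a user-origin "!important" declaration outranks
 * an author-origin "!important" declaration, so a site cannot undo
 * this with its own stylesheet.
 */

/* The answer's rule, extended to every embedding element. */
iframe,
frame,
object,
embed {
    display: none !important;
}

/* Optional allowlist (assumption, not from the original answer):
 * Firefox user stylesheets support @-moz-document, so embeds can be
 * re-enabled on a site you trust instead of globally. Replace the
 * placeholder domain; this example also keeps the allowlist narrow by
 * matching only the trusted origin, not every page that embeds it. */
@-moz-document domain("example.invalid") {
    iframe {
        display: block !important;
    }
}
```

Two things to check after creating the file. First, Firefox has ignored userContent.css by default since version 69 unless the about:config preference toolkit.legacyUserProfileCustomizations.stylesheets is set to true, so on a current Firefox the rule does nothing until that preference is flipped (this fits the question's requirement of configuring through about:config rather than an addon). Second, restart Firefox and load any page with a known embedded video or map: if the embed area is blank, the stylesheet is active. Expect breakage on sites that legitimately depend on frames (payment widgets, single sign-on pop-ins, embedded editors), which is the functional trade-off of the approach and the reason the answer still prefers NoScript for a general-purpose browser.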