In response to my story earlier on the cross-browser Clickjacking exploit/threat, I received the following e-mail from Giorgio Maone, creator of the popular Firefox NoScript plug-in:Hi Ryan,I've seen a lot of speculation and confusion in the comments to your Clickjacking article about NoScript not being able to mitigate [the issue].
I've seen a lot of speculation and confusion in the comments to your Clickjacking article about NoScript not being able to mitigate [the issue].
I had access to detailed information about how this attack works and I can tell you the following:
It's really scary
NoScript in its default configuration can defeat most of the possible attack scenarios (i.e. the most practical, effective and dangerous) -- see this comment by Jeremiah Grossman himself.
For 100% protection by NoScript, you need to check the "Plugins|Forbid <IFRAME>" option.
I also received private confirmation from a high-level source at an affected vendor about the true severity of this issue. In a nutshell, I was told that it's indeed "very, freaking scary" and "near impossible" to fix properly.