by danShumway 2958 days ago
This is a really well written article.

I recall a video talking explicitly about this problem - it was something about using the browser paint API in conjunction with iframes for security? The gist was a browser should be able to tell in real time if an iframe is visible and should be able to block user input depending on whether or not the site was hiding the iframe, putting something on top of it, pushing it off screen, moving it around, etc...

But I can't remember the source. If I can find it, I'll add it in an edit. And of course if anyone else knows the talk I'm thinking of, please link.

3 comments

NoScript includes protection against this! He calls it ClearClick:

"whenever you click or otherwise interact, through your mouse or your keyboard, with an embedded element which is partially obstructed, transparent or otherwise disguised, NoScript prevents the interaction from completing and reveals you the real thing in "clear". At that point you can evaluate if the click target was actually the intended one, and decide if keeping it locked or unlock it for free interaction."

https://hackademix.net/2008/10/08/hello-clearclick-goodbye-c...

Yes it is. My goodness, this is one of the best things about HN.
Yep, very good.

It certainly makes me glad I did _this_ on my FB account:

>> You previously turned off platform apps, websites and plug-ins. To use this feature, you need to turn them back on, which also resets your Apps others use settings to their default settings. <<

.. but further to that, I should take my FB login and stick it in a Firefox container where it belongs.