Firefox: Prevent tabnapping

There’s a new anti-tabnapping feature in NoScript, the Firefox browser add-on. It’s not exactly straightforward to enable… (from the Security Now podcast)

I learned via Twitter from Alejandro, whose twit handle is @microtwit32, that NoScript, the favorite script blocker for Firefox, quietly added support for tabnabbing. We talked about tabnabbing last week or the week before. Remember that that’s an interesting exploit where pages that you’re not viewing currently, for example in Firefox, can be changed in a way that, if you went back to the page, it could easily fool you to believe that your eBay session had timed out, or Google Mail session had timed out, or something saying, oh, please, reauthenticate. The idea being that the page changes when it’s not the tab on top, so you’re not viewing the page at the time, don’t notice that it changed from something completely different to something that is spoofing one of the services that you are using.

It turns out that scripting is powerful enough now to allow a probing of the services you do use so that a sufficiently sophisticated script could figure out what it is that, like, what banking site you tend to use, and present something convincing on the tab that you’re not viewing. So when you switch back to that, it’s like, oh, look, my banking site says I need to log in again. So what our NoScript author did at v1.9.9.81 and since – I went back and looked through the update and feature notes. He quietly added a new option which is not – it does not surface to the level of the user interface. So it’s not a button you can click on the UI. But if you go, if you put into the Firefox browser’s URL field “about:config” and hit Enter, that will take you to a huge page of alphabetically sorted security and UI and every kind of option under the sun that basically governs in great granular detail the way Firefox operates.

The item you’re looking for is noscript.forbidBGRefresh, as in background refresh. So again, it’s noscript.forbidBGRefresh. Now, that can have a value of 0, 1, 2, or 3. 0 is no change of behavior at all, no blocking of background page refresh changes. 1, which is the default mine had been set to, blocks refreshes on untrusted, unfocused tabs only. Now, trust and untrust is relative to NoScript, that is, have you said that you trust this page, like Amazon.com, for example, or not. The setting of 2 blocks refreshes on trusted, unfocused tabs. I don’t know why you would choose that because it doesn’t block them on untrusted tabs. But setting 3 blocks them on both trusted and untrusted tabs.

And I changed mine to 3 because I can’t really see a valid reason why, whether I trust a site or not, if I’m not looking at the page, I don’t think it needs to change what I’m not seeing. And in fact I’ve noticed that I’m sometimes distracted when I notice a page that I’m not looking at is changing, is, like, refreshing. Some script timer timed out, and it’s changing the ads on the page, or it’s refreshing the whole page in order to get new content or something. Well, I’d just rather not have it do that behind the scenes. So I like the fact that NoScript now lets us prevent any nonfocused page from changing itself. Seems like a useful thing to do.
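As an added example (not from the podcast or from NoScript itself), the script below audits a Firefox `prefs.js`/`user.js` for the `noscript.forbidBGRefresh` setting described above and reports which unfocused tabs it protects. It treats the value as a two-bit mask (1 = untrusted tabs, 2 = trusted tabs, 3 = both), which matches the four values listed, and assumes the default of 1 mentioned in the transcript when the pref is absent; the sample prefs file is constructed.

```python
import re

# noscript.forbidBGRefresh as a two-bit mask, matching the values described:
# bit 1 blocks background refresh in untrusted unfocused tabs, bit 2 in trusted ones.
FORBID_UNTRUSTED = 1
FORBID_TRUSTED = 2
DEFAULT_FORBID_BG_REFRESH = 1  # assumed default, as reported in the transcript

# Matches Firefox prefs.js / user.js lines such as:
#   user_pref("noscript.forbidBGRefresh", 3);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Return {pref_name: value}; ints, booleans and quoted strings are converted."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # leave anything unexpected untouched
    return prefs


def audit_bg_refresh(prefs):
    """Describe which unfocused tabs noscript.forbidBGRefresh protects."""
    value = prefs.get("noscript.forbidBGRefresh", DEFAULT_FORBID_BG_REFRESH)
    valid = isinstance(value, int) and 0 <= value <= 3
    bits = value if valid else 0  # an out-of-range or non-integer value protects nothing
    return {
        "value": value,
        "valid": valid,
        "untrusted": bool(bits & FORBID_UNTRUSTED),
        "trusted": bool(bits & FORBID_TRUSTED),
    }


# Constructed prefs.js excerpt for demonstration (not from a real profile).
SAMPLE_PREFS = '''
user_pref("noscript.forbidBGRefresh", 3);
user_pref("browser.startup.homepage", "https://example.org/");
user_pref("javascript.enabled", true);
'''

if __name__ == "__main__":
    print(audit_bg_refresh(parse_prefs(SAMPLE_PREFS)))
```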
