Closed
Bug 509682
Opened 15 years ago
Closed 14 years ago
A dangerous clickjacking attempt.
Categories
(Toolkit :: Safe Browsing, defect)
RESOLVED
DUPLICATE
of bug 229050
People
(Reporter: isaacporter55, Unassigned)
Attachments: 1 file (deleted), text/html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1) Gecko/20090806 Namoroka/3.6a1 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1) Gecko/20090806 Namoroka/3.6a1 (.NET CLR 3.5.30729)
I was making something and had an idea. I was seeing if I could make a clickjacker. It was successful.
Reproducible: Always
Steps to Reproduce:
Open notepad
Type the following HTML code in it:
<a href="http://www.google.com" onClick="return false;" onMouseUp="document.location = 'http://www.aol.com'"><img src="http://supersquirl.oxyhost.com/pix.bmp" style="position:absolute;left:5px;top:7px;height:19px;width:40px;opacity:0.0;filter:alpha(opacity=0);cursor:pointer;"></a>
<a href="http://www.google.com">google</a>
Save as clickjack.html
Open clickjack.html
It looks like you're going to Google. But you get sent to AOL.
Actual Results:
I get sent to AOL instead of Google
Expected Results:
Going to Google.
They can use the A tag for onMouseOver status setting since onMouseOver setting status won't work. Please fix this!
Wait---the script is messed up. Copy the attached file and paste it on this site:
http://www.w3schools.com/HTML/tryit.asp?filename=tryhtml_basic
Comment 3•15 years ago
Real clickjacking is bug 457011, this one is one of the oldest tricks in the book (you're 10 years late). Bug 229050 can possibly protect against it.
Updated•14 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Updated•10 years ago
Product: Firefox → Toolkit
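Added example, not part of the bug report or of Mozilla's code: a static check a reviewer could run over markup to flag the pattern reported here, a link whose inline mouse handler navigates to a different host than its href, noting whether the link wraps a fully transparent element. The function names and the hosts in the sample are constructed for illustration.

```javascript
// Added example (not from the bug report): flag links whose inline mouse
// handler navigates to a different host than the advertised href.
// Regex parsing is a simplification for inline-attribute markup, not a full HTML parser.
const HANDLERS = ['onclick', 'onmousedown', 'onmouseup'];
const NAV_ASSIGN = /(?:document\.|window\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]/i;
const INVISIBLE = /opacity\s*:\s*0(?:\.0+)?\s*(?:;|["']|$)/i;

// Constructed sample modelled on the report's markup, with reserved .example hosts.
const SAMPLE = `
<a href="http://shown.example/" onClick="return false;" onMouseUp="document.location = 'http://other.example/'"><img src="http://other.example/pix.bmp" style="position:absolute;left:5px;top:7px;opacity:0.0;cursor:pointer;"></a>
<a href="http://shown.example/">plain link</a>
<a href="http://shown.example/a" onclick="location.href='http://shown.example/b'">same host</a>
`;

// Attributes of one start tag as a lower-cased name -> value map.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3];
  }
  return attrs;
}

// Hostname of an absolute URL, or null for relative or malformed input.
function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (e) { return null; }
}

function findMismatchedLinks(html) {
  const findings = [];
  const anchorRe = /<a\b([^>]*)>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    const hrefHost = hostOf(attrs.href || '');
    for (const handler of HANDLERS) {
      const nav = NAV_ASSIGN.exec(attrs[handler] || '');
      if (!nav) continue;
      const targetHost = hostOf(nav[1]);
      if (hrefHost && targetHost && hrefHost !== targetHost) {
        findings.push({ href: attrs.href, handler, target: nav[1], invisibleChild: INVISIBLE.test(m[2]) });
      }
    }
  }
  return findings;
}
```
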