Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed) Reporter
	Description • 11 years ago

I'm not sure if this is new to the recent overhaul of the Click to Play mechanism or if this has been happening since the feature started, (I only turned on Click to Play recently, so I never used it before the overhaul) but every single time I click on the CtP interface, NoScript warns me that this could be a clickjacking attempt.

Steps to Reproduce:
Install and enable NoScript. (I'm on version 2.6.6.6, if that matters.)

Enable click to play for the Flash plugin in the addon manager (Set it to Ask to Activate).

Visit any video on youtube that doesn't default to HTML5 video ( http://www.youtube.com/watch?v=RyJFB4qzgzo seems to work for me).

Click in the space where the video should be to trigger CtP.


At this point, NoScript will pop up a warning about a potential clickjacking attempt. If you uncheck the "Keep this element locked" checkbox and then click the OK button, you'll go back to the youtube page, and you will need to re-click the CtP overlay to trigger the request to enable the plugin.

At this point, the video should start loading and play.




IMO, CtP shouldn't get caught by NoScript's clickjacking protection, since it's part of the browser. Not sure if this is a CtP bug or something to be fixed on NoScript's side. Filing in evangelism for now, I guess.

	Nils Maier [:nmaier]
	Comment 1 • 11 years ago

CC'ing add-on author

	Giorgio Maone [:ma1]
	Comment 2 • 11 years ago

(In reply to Nils Maier [:nmaier] from comment #1)
> CC'ing add-on author

Fixed in 2.6.6.7 ( http://noscript.net/getit#direct ).

Nils, could you please fast-track the review (this fix being the only change)?
https://addons.mozilla.org/en-US/editors/review/noscript

	Nils Maier [:nmaier]
	Comment 3 • 11 years ago

JFYI, wasn't able to reproduce this in Firefox Stable. But was able to reproduce this in Nightly.

Verified this is fixed and works with both, Stable and Nightly, and NoScript 2.6.6.7.
Pushed 2.6.6.7 public on AMO.