0-Day Clickjacking Protection Overview (Legacy)
Our extension employs multiple independent techniques to safeguard users against clickjacking attacks. These measures are designed to ensure that form fields are both secure and accurately represented on the page.
Written by Owen Parry
Updated at April 17th, 2026
Table of Contents
DOM-based extension clickjacking is a stealthy attack method that exploits the browser's Document Object Model (DOM) to invisibly overlay malicious elements on top of legitimate extension interfaces—particularly those of password managers. By manipulating the DOM, attackers can trick users into unknowingly clicking on hidden UI components, such as autofill buttons or credential fields, thereby exfiltrating sensitive data like usernames, passwords, TOTP codes, and credit card information. These attacks are especially dangerous because they can occur with just a single click on a compromised webpage. This threat is mitigated by Password Boss by using the following techniques:
Key Security Features
-
Input Field Validation
- The extension continuously monitors and evaluates each input field on the page.
-
It checks several parameters to determine whether a field is truly visible and safe to interact with:
-
Effective Opacity & Visibility: Assesses both the field and its parent elements up to the
<body>tag. - Field Size: Ignores fields that are too small to be considered visible.
- Font Size: Enforces a minimum font size of 8px to prevent deceptive rendering.
-
Z-Index & Overlapping: Ensures that other elements do not obscure input fields.
-
Effective Opacity & Visibility: Assesses both the field and its parent elements up to the
-
Secure Item Display
-
The extension always displays a list of secure items for the top-level page, even if the form is embedded within an iframe.
-
The extension always displays a list of secure items for the top-level page, even if the form is embedded within an iframe.
-
Iframe Restrictions
-
Autologin is disabled for any form located inside an iframe, preventing unauthorized access or manipulation.
-
Autologin is disabled for any form located inside an iframe, preventing unauthorized access or manipulation.
-
Safe Popover Rendering
- Popovers and in-page dialogs are rendered using an embedded page, similar to other extensions.
- If a malicious site attempts to inject this embedded page, it will only display default content and will not contain the necessary components to trigger form filling.
Ongoing Improvements
We are actively working on additional enhancements to strengthen security further by:
- Detecting opacity changes triggered by CSS animations.
- Blocking unauthorized iframe embedding of the extension’s interface.
Updated 8/27/2025