[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #22067 [Applications/Tor Browser]: NoScript Click-to-Play bypass

Subject: [tor-bugs] #22067 [Applications/Tor Browser]: NoScript Click-to-Play bypass
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Wed, 26 Apr 2017 05:04:44 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 26 Apr 2017 01:04:54 -0400
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
Reply-to: no-reply@xxxxxxxxxxxxxx, tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#22067: NoScript Click-to-Play bypass
------------------------------------------+----------------------
     Reporter:  samantharis               |      Owner:  tbb-team
         Type:  defect                    |     Status:  new
     Priority:  High                      |  Milestone:
    Component:  Applications/Tor Browser  |    Version:
     Severity:  Major                     |   Keywords:
Actual Points:                            |  Parent ID:
       Points:                            |   Reviewer:
      Sponsor:                            |
------------------------------------------+----------------------
 Noscript does not block .webm playback on tor hidden services but plays
 them first and then blocks them after.


 Example:

 If you go to http://alokalaou53jmgum.onion/b/50927 and click on the
 'homer-simpson webm' it will start playing directly after being clicked on
 even though Tor Browser is set to high security slider and this in 9/10
 times.

 Whereas if you open it directly it will block it 9/10 times.

 http://alokalaou53jmgum.onion/src/M9Xjl/1486923637894.webm


 This is present in at least Tor Browser 6.5.1 and 6.5.2 and probably on
 even older versions leaving users potentially in danger if it where to be
 a malicious .webm by not blocking it

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22067>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Follow-Ups:
- Re: [tor-bugs] #22067 [Applications/Tor Browser]: NoScript Click-to-Play bypass with embedded videos (was: NoScript Click-to-Play bypass)
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #22067 [Applications/Tor Browser]: NoScript Click-to-Play bypass with embedded videos and audios (was: NoScript Click-to-Play bypass with embedded videos)
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #22067 [Applications/Tor Browser]: NoScript Click-to-Play bypass with embedded videos
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #22067 [Applications/Tor Browser]: NoScript Click-to-Play bypass with embedded videos
  - From: Tor Bug Tracker & Wiki

Prev by Author: Re: [tor-bugs] #21851 [Applications/Tor Browser]: Revert some of #18915 changes (was: Revert some of #18195 changes)
Next by Author: Re: [tor-bugs] #19783 [Applications/Tor Browser]: Typo in build helpers: `MAXOSX_DEPLOYEMENT_TARGET`
Previous by thread: Re: [tor-bugs] #21117 [Core Tor/Tor]: can't migrate onion services to single-hop onion services
Next by thread: Re: [tor-bugs] #22067 [Applications/Tor Browser]: NoScript Click-to-Play bypass with embedded videos (was: NoScript Click-to-Play bypass)
Index(es):
- Author
- Thread