[tor-bugs] #22067 [Applications/Tor Browser]: NoScript Click-to-Play bypass
#22067: NoScript Click-to-Play bypass
------------------------------------------+----------------------
Reporter: samantharis | Owner: tbb-team
Type: defect | Status: new
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Major | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
------------------------------------------+----------------------
NoScript does not block .webm playback on Tor hidden services but plays
them first and then blocks them after.

Example:
If you go to http://alokalaou53jmgum.onion/b/50927 and click on the
'homer-simpson webm', it will start playing directly after being clicked on,
even though Tor Browser is set to the high security slider, and this happens
9/10 times.

Whereas if you open it directly, it will block it 9/10 times.
http://alokalaou53jmgum.onion/src/M9Xjl/1486923637894.webm

This is present in at least Tor Browser 6.5.1 and 6.5.2 and probably in
even older versions, leaving users potentially in danger if it were to be
a malicious .webm, by not blocking it.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22067>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online