[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #20314 [Applications/Tor Browser]: Make SVG click-to-play and support fallback

Subject: Re: [tor-bugs] #20314 [Applications/Tor Browser]: Make SVG click-to-play and support fallback
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Sat, 07 Jan 2017 06:44:03 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 07 Jan 2017 01:44:17 -0500
In-reply-to: <048.a7df85da16fe75fa4a82df2ad83025df@torproject.org>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <048.a7df85da16fe75fa4a82df2ad83025df@torproject.org>
Reply-to: no-reply@xxxxxxxxxxxxxx, tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#20314: Make SVG click-to-play and support fallback
--------------------------------------+--------------------------
 Reporter:  bugzilla                  |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-usability             |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by cypherpunks):

 It's important to remember though that putting this in the domain of
 NoScript and making it click-to-play makes bypasses easier. Isn't it also
 a little silly to consider making SVG click-to-play shortly after a SVG
 vulnerability was used by the authorities against Tor Browse users, and
 shortly after a NoScript click-to-play bug was fixed (I think it was fixed
 at least) which caused videos to play for a split second even when they
 were disabled? It just seems shortsighted to me.

 There are already NoScript bypasses for JavaScript in the wild and being
 hoarded, so at the very least, I'd like to see the ability to completely
 disable SVG on the highest security setting, without having to resort to
 disabling it in about:config and potentially increasing the risk of
 fingerprinting.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20314#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Prev by Author: Re: [tor-bugs] #6762 [Metrics/Atlas]: Make Atlas more robust to inconsistent Onionoo replies
Next by Author: Re: [tor-bugs] #21103 [Applications/Tor Browser]: Update descriptors for sandboxed-tor-browser-0.0.3.
Previous by thread: Re: [tor-bugs] #21160 [Internal Services/Tor Sysadmin Team]: add linda to torextratpo group
Next by thread: Re: [tor-bugs] #16552 [Metrics/Onionoo]: Don't require searches by IPv6 address to start with [
Index(es):
- Author
- Thread