[tor-bugs] #19200 [Applications/Tor Browser]: HTML5 video not blocked with placeholder, plays automatically
#19200: HTML5 video not blocked with placeholder, plays automatically
-------------------------------------+-------------------------------------
Reporter: potato | Owner: tbb-team
Type: defect | Status: new
Priority: Very High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Major | Keywords: 6.0a5, video, media, mse, mediasource, noscript, placeholder
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
-------------------------------------+-------------------------------------
In Tor Browser 6.0a5, with security level set at Medium-Low or higher,
HTML5 video that uses media source extensions (MSE) is able to load and
play automatically, without being blocked by a click-to-play NoScript
placeholder. The policy for the Medium-Low, Medium-High, and High security
levels states that "HTML5 video and audio media become click-to-play via
NoScript," but this bug breaks that security policy by allowing HTML5 MSE
media to play unobstructed. The browser's attack surface may be increased
due to exposure to this media.

I've tested on both OS X and Tails 2.4~rc1. The bug exists on both
platforms. On OS X, I tested with a clean install of Tor Browser.

Regular HTML5 video that does not use MSE is unaffected by this bug and
gets placeholder-blocked properly.

== Expected result: ==
HTML5 MSE video should not be allowed to play automatically in security
level Medium-Low or higher; it should be replaced with a click-to-play
placeholder by NoScript to block it until the user either clicks the
placeholder or uses the NoScript toolbar button to allow it. This was the
behavior in Tor Browser 5.5.5 and earlier.

== Steps to reproduce: ==
1. Click the Torbutton icon in the browser toolbar, select "Privacy and
Security Settings..." and choose Medium-Low, Medium-High, or High security
level.
2. Go to a site that has MSE video, such as any YouTube video, e.g.:
https://www.youtube.com/watch?v=T07gkTc5Fcc
3. If Tor Browser is in High security mode, then allow scripts on the page
via the NoScript toolbar button option "Temporarily allow all this page."
4. The video will start playing automatically. There is no NoScript
placeholder that you click to start the video; it just starts playing.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19200>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online