[tbb-bugs] #19200 [Applications/Tor Browser]: HTML5 video not blocked with placeholder, plays automatically
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Jul 18 17:12:52 UTC 2016
#19200: HTML5 video not blocked with placeholder, plays automatically
-------------------------------------------------+-------------------------
Reporter: potato | Owner: tbb-team
Type: defect | Status: needs_revision
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Major | Resolution:
Keywords: tbb-security-slider, tbb-6.0-issues, GeorgKoppen201607, TorBrowserTeam201607 | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by ma1):
Mediasource is quite a hairy problem.
The reason why ClickToPlay cannot work the way it does for "normal" videos
is because there's no general way to identify the actual origin of the
stream that is going to be played: in fact, the data can be generated on
the fly by JavaScript code on the page and can actually come from anywhere
(XMLHttpRequest, fetch(), random numbers, images whose bits are read using
the canvas API, user input, whatever).
Therefore the only meaningful "subject of trust" can be '''page''''s
origin: trying to put individual mediasource elements behind ClickToPlay
is impossible (since the data is fetched and/or assembled by scripts, you
are required to reload the page upon placeholder activation, and the
identity of the element to be activated is usually lost, since it's not
bound to any persistent unique URL); furthermore, I doubt it's even useful
from a security standpoint, since you cannot actually tell one instance
from the other.
The only partial workaround I can think of is to implement a "special
case" ClickToPlay for MSE, activating all the elements of a certain page
if any placeholder gets clicked (the key would be page's URL, rather than
the non-existent "media URL", and a page reload would occur). Would that
work for you?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19200#comment:16>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
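
The keying scheme proposed in the comment above, sketched as an added example (not part of the original message, and not NoScript or Tor Browser code). The function and class names and the sample URLs are hypothetical, and treating any blob: source as script-assembled media is an assumption of this sketch.

```javascript
'use strict';
// Added illustration: which key a ClickToPlay activation is remembered under.
// All names below are hypothetical; sample URLs are constructed.

// An MSE-backed <video> gets its src from URL.createObjectURL(mediaSource),
// a blob: URL minted per page load, so it is gone after a reload.
function isScriptAssembled(mediaSrc) {
  return /^blob:/i.test(mediaSrc);
}

// Naive scheme: always key on the media URL (works for "normal" videos only).
function mediaUrlKey(pageUrl, mediaSrc) {
  return 'media|' + new URL(mediaSrc, pageUrl).href;
}

// Scheme from the comment: for MSE the key is the page's URL, because there
// is no persistent "media URL" to bind the placeholder to.
function placeholderKey(pageUrl, mediaSrc) {
  if (!isScriptAssembled(mediaSrc)) return mediaUrlKey(pageUrl, mediaSrc);
  const page = new URL(pageUrl);
  page.hash = ''; // the fragment does not identify a different page
  return 'page|' + page.href;
}

class ClickToPlayStore {
  constructor(keyFn) {
    this.keyFn = keyFn;
    this.allowed = new Set();
  }
  // Called when a placeholder is clicked; the caller then reloads the page.
  activate(pageUrl, mediaSrc) {
    this.allowed.add(this.keyFn(pageUrl, mediaSrc));
  }
  // Called for each media element found after the reload.
  isAllowed(pageUrl, mediaSrc) {
    return this.allowed.has(this.keyFn(pageUrl, mediaSrc));
  }
}

// Constructed sample: the same page before and after the reload.
const PAGE = 'https://video.example/watch?v=1';
const BLOB_BEFORE = 'blob:https://video.example/11111111-aaaa';
const BLOB_AFTER = 'blob:https://video.example/22222222-bbbb';
```

With the page-scoped key, one click activates every MSE element on that page, which is the trade-off the comment describes: the unit of trust becomes the page, not the individual stream.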