[tbb-bugs] #19200 [Applications/Tor Browser]: HTML5 video not blocked with placeholder, plays automatically
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Nov 17 18:33:57 UTC 2016
#19200: HTML5 video not blocked with placeholder, plays automatically
-------------------------------------------------+-------------------------
Reporter: potato | Owner: tbb-
| team
Type: defect | Status:
| needs_information
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Major | Resolution:
Keywords: tbb-security-slider, | Actual Points:
tbb-6.0-issues, noscript, GeorgKoppen201611, |
TorBrowserTeam201611 |
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by ma1):
Replying to [comment:37 i139]:
> what is the advances of MSE use instance of non-MSE use? should be
measured the advances and the difficulty of implementation of this
technology, like this issue with placeholder
Proponents of this technology will tell you that it allows to move into
the web platform a lot of logic (mostly for adaptative bit rate) which was
implemented natively in custom players or in Flash.
As a side effect the data flow *appears* less transparent, but what we
should focus on is that the JavaScript on a certain webpage has now the
power to fuzz (and possibly exploit) any available HTML 5 media codec
*without even touching the network*. That's way I believe restricting MSE
usage as an additional permission for the site (or the webpage, as I said,
for convenience rather than security, e.g. on Youtube) is the most
sensible approach: exactly the same NoScript already adopts for WebGL.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19200#comment:38>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list