[tbb-bugs] #21805 [Applications/Tor Browser]: webgl is not blocked with a click-to-play button

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Dec 13 08:47:40 UTC 2018


#21805: webgl is not blocked with a click-to-play button
-------------------------------------------------+-------------------------
 Reporter:  arthuredelstein                      |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:
                                                 |  needs_review
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-usability,                       |  Actual Points:
  TorBrowserTeam201812R                          |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by gk):

 * status:  new => needs_review
 * keywords:  tbb-usability, TorBrowserTeam201812 => tbb-usability,
     TorBrowserTeam201812R


Comment:

 `bug_21805`
 (https://gitweb.torproject.org/user/gk/torbutton.git/commit/?h=bug_21805&id=e2051e588405377f68c7899a8a8402faf82aab9c)
 has a patch for review. We might think harder, though whether we want to
 treat WebGL specially compared to other active content in that we make it
 click-to-play on any security level AND have fingerprinting defenses in
 place. One alternative to the current model would be to put WebGL on the
 security slider like we do with other features, like media. Especially as
 I agree with Arthur that there are more and more issues security-wise.

 https://www.mozilla.org/en-
 US/security/advisories/mfsa2018-29/#CVE-2018-12407
 https://www.mozilla.org/en-
 US/security/advisories/mfsa2018-29/#CVE-2018-17466

 just popped up this week.

 (Note though, treating WebGL content like we do treat media content would
 make it *less* security compared to the status after fixing this bug as
 there would be no click-to-play placeholder anymore on the default level.)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21805#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tbb-bugs mailing list