[tor-bugs] #18782 [Tor Browser]: media tab in Page Info can bypass NoScript
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Apr 15 04:30:51 UTC 2016
#18782: media tab in Page Info can bypass NoScript
-------------------------+-----------------------------------
Reporter: cypherpunks | Owner: tbb-team
Type: defect | Status: needs_information
Priority: Very High | Milestone:
Component: Tor Browser | Version:
Severity: Critical | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------+-----------------------------------
Comment (by cypherpunks):
I don't know what the protocol here is for when one bug through the
process of discovery is revealed to be a different bug. I can't modify the
title.
I feel like getting testy here (because isn't this really, really obvious?
why are you asking how to proceed?) but I'll refrain. The expected
behaviour is for TBB, since it ships with media.gstreamer.enabled set to
true, to not allow gstreamer leaks to affect TBB's security negatively.
In TBB, when the slider, which is what the team presents to the userbase
as the primary security control panel, is set to high, no JS objects at
all should be able to run in the browser. Media Preview absolutely is in
the browser. It is a user-facing feature. It is not a setting, i.e. "don't
poke around in TBB's innards unless you know what you're doing" does not
apply here.
It looks to me as though your end needs to look upstream, either to
Firefox (why is Media Preview a separate display process?) or to NoScript
(why can't NoScript affect Media Preview?) or to gstreamer (has it been
leaking data ever since it was included as an option?). Using an external
element for media display should have been a bigger red flag than it seems
to have been treated as. The fact that Firefox uses that external element
in two different ways in the same product complicates the matter.
Of these, NoScript and Firefox are connected to the Tor Project and
subsequently should be within the responsibility of the developers to at
least interact with. Gstreamer is obviously separate.
So fundamentally, the expected behaviour is not to leak data? To obey the
security slider? To start shipping TBB with media.gstreamer.enabled set to
false, or incorporating that setting into the slider.
Do you even know if gstreamer has been leaking this whole time and should
be removed as an option until upstream passes an audit?
- If you can determine gstreamer isn't leaky (meaning outside the Tor
network) then media.gstreamer.enabled should become part of what the
security slider controls
- if you cannot determine anything about gstreamer's network activity
conclusively (?) then it should be removed from interaction from TBB
completely
- as a side note, Firefox probably shouldn't be loading objects of any
kind in Media Preview by different means than it uses for general pages
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18782#comment:15>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online