[tor-bugs] #19200 [Applications/Tor Browser]: HTML5 video not blocked with placeholder, plays automatically

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Jul 22 13:52:54 UTC 2016 

#19200: HTML5 video not blocked with placeholder, plays automatically
-------------------------------------------------+-------------------------
 Reporter:  potato                               |          Owner:  tbb-
     Type:  defect                               |  team
 Priority:  High                                 |         Status:
Component:  Applications/Tor Browser             |  needs_information
 Severity:  Major                                |      Milestone:
 Keywords:  tbb-security-slider,                 |        Version:
  tbb-6.0-issues, GeorgKoppen201607,             |     Resolution:
  TorBrowserTeam201607                           |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by f451022):

 Replying to [comment:18 gk]:

 > We could tried it at least I guess. There was the idea in #19736 to just
 set `media.autoplay.enabled` to `false` and be done with it but I assume
 that this does not prevent malicious code from exploiting bugs in
 Mozilla's media code but that might be worth to double-check. Another
 thing I looked at was the Flashstopper extension which at least provides
 an interesting way to block audio/video tags until the user does
 something. Giorgio, what do you think would be the best road for making
 sure we keep our security guarantees and a click-to-play mechanism?


 set  `media.autoplay.enabled` to false introduce a bug on youtube, and
 probably others sites too, I saw this today on some tests.

 whatever, I prefer disable MSE because:

 1. it's use javascript and I don't like it.

 2. without MSE you can get de video path including youtube videos, it's
 allows to open the video on a standalone tab and also download the video
 easily.

 example:

 take it, [https://www.youtube.com/watch?v=dQw4w9WgXcQ].
 and using right click > page info > media, you can get the path.
 or just copy the link on noscript placeholder.

 now you can standalone and also download the video.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19200#comment:19>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list