[tbb-bugs] #18782 [Tor Browser]: media tab in Page Info can bypass NoScript

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Apr 15 04:30:51 UTC 2016 

#18782: media tab in Page Info can bypass NoScript
-------------------------+-----------------------------------
 Reporter:  cypherpunks  |          Owner:  tbb-team
     Type:  defect       |         Status:  needs_information
 Priority:  Very High    |      Milestone:
Component:  Tor Browser  |        Version:
 Severity:  Critical     |     Resolution:
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
 Reviewer:               |        Sponsor:
-------------------------+-----------------------------------

Comment (by cypherpunks):

 I don't know what the protocol here is for when one bug through the
 process of discovery is revealed to be a different bug. I can't modify the
 title.

 I feel like getting testy here (because isn't this really, really obvious?
 why are you asking how to proceed?) but I'll refrain. The expected
 behaviour is for TBB, since it ships with media.gstreamer.enabled set to
 true, to not allow gstreamer leaks to affect TBB's security negatively.

 In TBB, when the slider, which is what the team presents to the userbase
 as the primary security control panel, is set to high, no JS objects at
 all should be able to run in the browser. Media Preview absolutely is in
 the browser. It is a user-facing feature. It is not a setting, i.e. "don't
 poke around in TBB's innards unless you know what you're doing" does not
 apply here.

 It looks to me as though your end needs to look upstream, either to
 Firefox (why is Media Preview a separate display process?) or to NoScript
 (why can't NoScript affect Media Preview?) or to gstreamer (has it been
 leaking data ever since it was included as an option?). Using an external
 element for media display should have been a bigger red flag than it seems
 to have been treated as. The fact that Firefox uses that external element
 in two different ways in the same product complicates the matter.

 Of these, NoScript and Firefox are connected to the Tor Project and
 subsequently should be within the responsibility of the developers to at
 least interact with. Gstreamer is obviously separate.

 So fundaMmentally, the expected behaviour is not to leak data? To obey the
 security slider? To start shipping TBB with media.gstreamer.enabled set to
 false, or incorporating that setting into the slider.

 Do you even know if gstreamer has been leaking this whole time and should
 be removed as an option until upstream passes an audit?

  - If you can determine gstreamers isn't leaky (meaning outside the Tor
 network) then media.gstreamer.enabled should become part of what the
 security slider controls
  - if you cannot determine anything about gstreamer's network activity
 conclusively (?) then it should be removed from interactio from TBB
 completely

  - as a side note, Firefox probably shouldn't be loading objects of any
 kind in Media Preview by different means than it uses for general pages

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18782#comment:15>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list