[tbb-bugs] #18782 [Tor Browser]: media tab in Page Info can bypass NoScript on Linux if gstreamer is used

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Apr 15 09:37:38 UTC 2016


#18782: media tab in Page Info can bypass NoScript on Linux if gstreamer is used
-------------------------+--------------------------
 Reporter:  cypherpunks  |          Owner:  tbb-team
     Type:  defect       |         Status:  assigned
 Priority:  Very High    |      Milestone:
Component:  Tor Browser  |        Version:
 Severity:  Critical     |     Resolution:
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
 Reviewer:               |        Sponsor:
-------------------------+--------------------------

Comment (by cypherpunks):

 Seems like a few misconceptions have made our fellow cpunk a little
 anxious. Maybe the following will help (gk can correct me if I say
 something stupid):
 1. Disabling embedded objects on chrome contexts was never among
 NoScript's goals. It only ever tries when in content context. (So this bug
 is hardly a "bypass".)
 2. The rationale for using NoScript to disable embedded multimedia objects
 is not preventing IP leaks (that would be a catastrophic failure; such
 identity leaks should never happen, ever, no matter the security slider
 setting, full stop). No, the idea is reducing the attack surface:
 multimedia codecs are known to be large pieces of flaky, vulnerable
 software. So the less you use them, the better your odds look.
 3. The media previewer doesn't run any content JavaScript. (If it runs
 JavaScript, it's chrome.)

 Replying to [comment:18 gk]:
 > And FWIW Tor Browser based on ESR45 won't have this problem anymore as
 > Mozilla is not using gstreamer anymore.
 But what about whatever replaces it (I'm assuming there is such a
 replacement)?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18782#comment:19>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

