[tbb-bugs] #18782 [Tor Browser]: media tab in Page Info can bypass NoScript on Linux if gstreamer is used

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Apr 15 09:37:38 UTC 2016

#18782: media tab in Page Info can bypass NoScript on Linux if gstreamer is used
 Reporter:  cypherpunks  |          Owner:  tbb-team
     Type:  defect       |         Status:  assigned
 Priority:  Very High    |      Milestone:
Component:  Tor Browser  |        Version:
 Severity:  Critical     |     Resolution:
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
 Reviewer:               |        Sponsor:

Comment (by cypherpunks):

 Seems like a few misconceptions have made our fellow cpunk a little
 anxious. Maybe the following will help (gk can correct me if I say
 something stupid):
 1. Disabling embedded objects on chrome contexts was never among
 NoScript's goals. It only ever tries when in content context. (So this bug
 is hardly a "bypass".)
 2. The rationale for using NoScript to disable embedded multimedia objects
 is not preventing IP leaks (that would be a catastrophic failure; such
 identity leaks should never happen, ever, no matter the security slider
 setting, full stop). No, the idea is reducing the attack surface:
 multimedia codecs are known to be large pieces of flaky, vulnerable
 software. So the less you use them, the better your odds look.
 3. The media previewer doesn't run any content javascript. (If it runs
 javascript, it's chrome.)

 Replying to [comment:18 gk]:
 > And FWIW Tor Browser based on ESR45 won't have this problem anymore as
 Mozilla is not using gstreamer anymore.
 But what about whatever replaces it (I'm assuming there is such

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18782#comment:19>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list