[tbb-bugs] #19210 [Applications/Tor Browser]: NoScript places WebM videos too late behind click-to-play in higher security levels

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Jul 20 15:26:21 UTC 2016


#19210: NoScript places WebM videos too late behind click-to-play in higher
security levels
-----------------------------------------------------------------+------------------------------------
 Reporter:  gk                                                   |          Owner:  tbb-team
     Type:  defect                                               |         Status:  needs_information
 Priority:  High                                                 |      Milestone:
Component:  Applications/Tor Browser                             |        Version:
 Severity:  Major                                                |     Resolution:
 Keywords:  tbb-regression, tbb-security-slider, tbb-6.0-issues  |  Actual Points:
Parent ID:                                                       |         Points:
 Reviewer:                                                       |        Sponsor:
-----------------------------------------------------------------+------------------------------------
Changes (by gk):

 * status:  new => needs_information


Comment:

 Replying to [comment:1 cypherpunks]:
 > Upon further inspection I realized click-to-play is partially working;
 > When requested directly, audio and video resources make a get request for
 > every 5 seconds of media. The first segment loads fine, the second is then
 > blocked by click-to-play.
 >
 > I'm not sure if splitting media into 5 second segments is new behavior,
 > but that would explain the weirdness.
 >
 > The noscript change that I referred to in the comment is this:
 > https://github.com/avian2/noscript/commit/2b7bd12752f4d2e4dd0e38290820e707585d6385.
 > I would expect for resources requested directly to load without being
 > blocked. My guess is that the second segment doesn't originate from
 > chrome.
 >
 > If I'm correct then the severity for this ticket could be lowered, and
 > the summary rewritten.

 Does going directly to
 http://gensho.acc.umu.se/pub/debian-meetings/2016/mini-debconf-vienna/webm/Debian_Installer_for_Novena.webm
 work for you?
 It seems on my machine the video is correctly placed behind Click-To-Play
 before loading. If that's the case I think what is happening is that
 NoScript is not catching the redirect and the first chunk of data can
 evade the nsIContentPolicy used to check whether Click-To-Play should get
 applied.

 On a maybe related note this does not seem to be a 6.0 issue as on 5.5.5
 e.g. the video is not blocked at all for some reason. Which makes me
 nervous.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19210#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

