[tbb-bugs] #19200 [Applications/Tor Browser]: HTML5 video not blocked with placeholder, plays automatically

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Jul 22 09:18:12 UTC 2016


#19200: HTML5 video not blocked with placeholder, plays automatically
-------------------------------------------------+-------------------------
 Reporter:  potato                               |          Owner:  tbb-
     Type:  defect                               |  team
 Priority:  High                                 |         Status:
Component:  Applications/Tor Browser             |  needs_information
 Severity:  Major                                |      Milestone:
 Keywords:  tbb-security-slider,                 |        Version:
  tbb-6.0-issues, GeorgKoppen201607,             |     Resolution:
  TorBrowserTeam201607                           |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by gk):

 * status:  needs_revision => needs_information


Comment:

 Replying to [comment:16 ma1]:
 > Mediasource is quite a hairy problem.
 >
 > The reason why ClickToPlay cannot work the way it does for "normal"
 > videos is because there's no general way to identify the actual origin of
 > the stream that is going to be played: in fact, the data can be generated
 > on the fly by JavaScript code on the page and can actually come from
 > anywhere (XMLHttpRequest, fetch(), random numbers, images whose bits are
 > read using the canvas API, user input, whatever).
 >
 > Therefore the only meaningful "subject of trust" can be page's
 > origin: trying to put individual mediasource elements behind ClickToPlay
 > is impossible (since the data is fetched and/or assembled by scripts, you
 > are required to reload the page upon placeholder activation, and the
 > identity of the element to be activated is usually lost, since it's not
 > bound to any persistent unique URL); furthermore, I doubt it's even useful
 > from a security standpoint, since you cannot actually tell one instance
 > from the other.
 >
 > The only partial workaround I can think of is to implement a "special
 > case" ClickToPlay for MSE, activating all the elements of a certain page
 > if any placeholder gets clicked (the key would be page's URL, rather than
 > the non-existent "media URL", and a page reload would occur). Would that
 > work for you?

 We could try it at least, I guess. There was the idea in #19736 to just
 set `media.autoplay.enabled` to `false` and be done with it, but I assume
 that this does not prevent malicious code from exploiting bugs in
 Mozilla's media code, but that might be worth double-checking. Another
 thing I looked at was the Flashstopper extension, which at least provides
 an interesting way to block audio/video tags until the user does
 something. Giorgio, what do you think would be the best road for making
 sure we keep our security guarantees and a click-to-play mechanism?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19200#comment:18>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
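
A model of the keying policy proposed in the quoted comment above, as an added example that is not part of the original message and is not NoScript or Tor Browser code. The function and class names and the sample URLs are hypothetical; it shows ordinary media keyed by media URL and MSE-backed media keyed by page URL, with a reload on activation.

```javascript
// Added illustration; not NoScript or Tor Browser code. All names are hypothetical.

// Decide what a click-to-play permission is keyed on. A blob: URL (what
// URL.createObjectURL(mediaSource) returns) names no origin for the bytes,
// so MSE-backed elements fall back to the URL of the page.
function permissionKey(mediaSrc, pageUrl) {
  if (mediaSrc) {
    try {
      const u = new URL(mediaSrc, pageUrl);
      if (u.protocol === "http:" || u.protocol === "https:") {
        return "media " + u.href;
      }
    } catch (e) {
      // Unparsable src: treat like script-assembled media below.
    }
  }
  const page = new URL(pageUrl);
  page.hash = ""; // assumption of this sketch: the fragment is not part of the key
  return "page " + page.href;
}

class ClickToPlay {
  constructor() {
    this.allowed = new Set();
  }
  isBlocked(mediaSrc, pageUrl) {
    return !this.allowed.has(permissionKey(mediaSrc, pageUrl));
  }
  // Placeholder clicked. Returns true when the page must be reloaded,
  // which is the case for page-keyed (MSE) permissions.
  activate(mediaSrc, pageUrl) {
    const key = permissionKey(mediaSrc, pageUrl);
    this.allowed.add(key);
    return key.startsWith("page ");
  }
}

// Constructed sample values.
function demo() {
  const ctp = new ClickToPlay();
  const page = "https://video.example/watch?v=1#t=10";
  const file = "https://cdn.example/clip.webm";
  const mseBefore = "blob:https://video.example/0f8b-aaaa";
  const mseAfter = "blob:https://video.example/77c1-bbbb"; // new id after reload
  const before = [ctp.isBlocked(file, page), ctp.isBlocked(mseBefore, page)];
  const reload = ctp.activate(mseBefore, page);
  const after = [ctp.isBlocked(file, page), ctp.isBlocked(mseAfter, page)];
  return { before, reload, after };
}
```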

