[tbb-bugs] #20314 [Applications/Tor Browser]: Make SVG click-to-play and support fallback
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Jan 7 06:44:03 UTC 2017
#20314: Make SVG click-to-play and support fallback
--------------------------------------+--------------------------
Reporter: bugzilla | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-usability | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Comment (by cypherpunks):
It's important to remember though that putting this in the domain of
NoScript and making it click-to-play makes bypasses easier. Isn't it also
a little silly to consider making SVG click-to-play shortly after a SVG
vulnerability was used by the authorities against Tor Browse users, and
shortly after a NoScript click-to-play bug was fixed (I think it was fixed
at least) which caused videos to play for a split second even when they
were disabled? It just seems shortsighted to me.
There are already NoScript bypasses for JavaScript in the wild and being
hoarded, so at the very least, I'd like to see the ability to completely
disable SVG on the highest security setting, without having to resort to
disabling it in about:config and potentially increasing the risk of
fingerprinting.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20314#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list