[tbb-bugs] #20314 [Applications/Tor Browser]: Make SVG click-to-play and support fallback

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Jan 7 06:44:03 UTC 2017

#20314: Make SVG click-to-play and support fallback
 Reporter:  bugzilla                  |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-usability             |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:

Comment (by cypherpunks):

 It's important to remember though that putting this in the domain of
 NoScript and making it click-to-play makes bypasses easier. Isn't it also
 a little silly to consider making SVG click-to-play shortly after a SVG
 vulnerability was used by the authorities against Tor Browse users, and
 shortly after a NoScript click-to-play bug was fixed (I think it was fixed
 at least) which caused videos to play for a split second even when they
 were disabled? It just seems shortsighted to me.

 There are already NoScript bypasses for JavaScript in the wild and being
 hoarded, so at the very least, I'd like to see the ability to completely
 disable SVG on the highest security setting, without having to resort to
 disabling it in about:config and potentially increasing the risk of

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20314#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list