[tbb-bugs] #21805 [Applications/Tor Browser]: webgl is getting blocked in low security

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Mar 29 11:14:01 UTC 2017

#21805: webgl is getting blocked in low security
 Reporter:  arthuredelstein           |          Owner:  tbb-team
     Type:  defect                    |         Status:  needs_information
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-usability             |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
Changes (by gk):

 * status:  new => needs_information
 * keywords:  tbb-security-slider, tbb-usability => tbb-usability


 Yes, that's because WebGL is a privacy problem and, looking at the data
 from past sec-high and sec-crit bugs, not a security problem. Which is why
 it is not governed by the security slider and I think that's okay.

 Here is what we are doing right now according to the design spec:
 First, WebGL Canvases have click-to-play placeholders (provided by
 NoScript), and do not run until authorized by the user. Second, we
 obfuscate driver information by setting the Firefox preferences webgl
 .disable-extensions, webgl.min_capability_mode, and webgl.disable-fail-if-
 major-performance-caveat which reduce the information provided by the
 following WebGL API calls: getParameter(), getSupportedExtensions(), and
 getExtension(). To make the minimal WebGL mode usable we additionally
 normalize its properties with a Firefox patch.
 It seems your report is not a bug then. Maybe you wanted to argue we
 should not do the click-to-play thing at all anymore?

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21805#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list