[tbb-bugs] #21805 [Applications/Tor Browser]: webgl is not blocked with a click-to-play button
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Dec 13 08:47:40 UTC 2018
#21805: webgl is not blocked with a click-to-play button
-------------------------------------------------+-------------------------
Reporter:   arthuredelstein                      | Owner:         tbb-team
Type:       defect                               | Status:        needs_review
Priority:   Medium                               | Milestone:
Component:  Applications/Tor Browser             | Version:
Severity:   Normal                               | Resolution:
Keywords:   tbb-usability, TorBrowserTeam201812R | Actual Points:
Parent ID:                                       | Points:
Reviewer:                                        | Sponsor:
-------------------------------------------------+-------------------------
Changes (by gk):
* status: new => needs_review
* keywords: tbb-usability, TorBrowserTeam201812 => tbb-usability,
TorBrowserTeam201812R
Comment:
`bug_21805`
(https://gitweb.torproject.org/user/gk/torbutton.git/commit/?h=bug_21805&id=e2051e588405377f68c7899a8a8402faf82aab9c)
has a patch for review. We might think harder, though, whether we want to
treat WebGL specially compared to other active content in that we make it
click-to-play on any security level AND have fingerprinting defenses in
place. One alternative to the current model would be to put WebGL on the
security slider like we do with other features, like media. Especially as
I agree with Arthur that there are more and more issues security-wise.
https://www.mozilla.org/en-US/security/advisories/mfsa2018-29/#CVE-2018-12407
https://www.mozilla.org/en-US/security/advisories/mfsa2018-29/#CVE-2018-17466
just popped up this week.
(Note though, treating WebGL content like we do treat media content would
make it *less* secure compared to the status after fixing this bug as
there would be no click-to-play placeholder anymore on the default level.)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21805#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online