[tor-bugs] #19200 [Applications/Tor Browser]: HTML5 video not blocked with placeholder, plays automatically

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon May 30 04:12:52 UTC 2016


#19200: HTML5 video not blocked with placeholder, plays automatically
-------------------------------------+-------------------------------------
     Reporter:  potato               |      Owner:  tbb-team
         Type:  defect               |     Status:  new
     Priority:  Very High            |  Milestone:
    Component:  Applications/Tor     |    Version:
  Browser                            |   Keywords:  6.0a5, video, media,
     Severity:  Major                |  mse, mediasource, noscript,
Actual Points:                       |  placeholder
       Points:                       |  Parent ID:
      Sponsor:                       |   Reviewer:
-------------------------------------+-------------------------------------
 In Tor Browser 6.0a5, with security level set at Medium-Low or higher,
 HTML5 video that uses media source extensions (MSE) is able to load and
 play automatically, without being blocked by a click-to-play NoScript
 placeholder. The policy for the Medium-Low, Medium-High, and High security
 levels states that "HTML5 video and audio media become click-to-play via
 NoScript," but this bug breaks that security policy by allowing HTML5 MSE
 media to play unobstructed. The browser's attack surface may be increased
 due to exposure to this media.

 I've tested on both OS X and Tails 2.4~rc1. The bug exists on both
 platforms. On OS X, I tested with a clean install of Tor Browser.

 Regular HTML5 video that does not use MSE is unaffected by this bug and
 gets placeholder-blocked properly.

 == Expected result: ==
 HTML5 MSE video should not be allowed to play automatically in security
 level Medium-Low or higher; it should be replaced with a click-to-play
 placeholder by NoScript to block it until the user either clicks the
 placeholder or uses the NoScript toolbar button to allow it. This was the
 behavior in Tor Browser 5.5.5 and earlier.

 == Steps to reproduce: ==
 1. Click the Torbutton icon in the browser toolbar, select "Privacy and
 Security Settings..." and choose Medium-Low, Medium-High, or High security
 level.
 2. Go to a site that has MSE video, such as any YouTube video, e.g.:
 https://www.youtube.com/watch?v=T07gkTc5Fcc
 3. If Tor Browser is in High security mode, then allow scripts on the page
 via the NoScript toolbar button option "Temporarily allow all this page."
 4. The video will start playing automatically. There is no NoScript
 placeholder that you click to start the video; it just starts playing.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19200>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

