[tor-bugs] #19200 [Applications/Tor Browser]: HTML5 video not blocked with placeholder, plays automatically

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Nov 17 15:21:50 UTC 2016


#19200: HTML5 video not blocked with placeholder, plays automatically
-------------------------------------------------+-------------------------
 Reporter:  potato                               |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:
                                                 |  needs_information
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Major                                |     Resolution:
 Keywords:  tbb-security-slider,                 |  Actual Points:
  tbb-6.0-issues, noscript, GeorgKoppen201611,   |
  TorBrowserTeam201611                           |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by ma1):

 Replying to [comment:35 i139]:
 > isn't possible to block some MSE path? force the site to use a
 > limitation and predictable range of path (predictable elements), how
 > complex is MSE?

 It's possible to (un)block *per hosting page* and declared MIME type, but
 not per data source.
 With MSE you cannot tell for sure where the actual bytes come from:
 they're usually fetched using XHR or the fetch() API, but they could
 actually be anything, even computed on the fly, because they're added
 programmatically through a JavaScript API on the go. This, from a security
 perspective, means that the only entity which you can decide to trust or
 not for MSE is the site where the JavaScript using the MediaSource API is
 executed. Unblocking per page, rather than per site (which is still
 possible) is merely a convenience.

 What I'm doing is intercepting the API in order to learn:
 1. whether it's gonna be used on the page
 2. which MIME types are being requested (this info is passed to the API to
 tell the consuming element which codecs are required)

 Then I emulate an actual content interception, possibly associating it to
 a media element if already bound to the MediaSource instance.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19200#comment:36>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
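
The interception described in the comment above, as an added example that is not part of the original message and is not NoScript's code: wrapping the MediaSource constructor reveals that a page is going to use MSE, and wrapping addSourceBuffer() reveals the declared MIME type, so an allow/block decision keyed on hosting page and MIME type can be made before any bytes are appended. The names instrumentMediaSource, isAllowed and tryPage, the policy format, the example URLs and the fake MediaSource class (a stand-in so the code runs outside a browser) are all assumptions.

```javascript
// Added example. instrumentMediaSource and the policy shape are hypothetical.
function instrumentMediaSource(scope, pageUrl, isAllowed) {
  const Original = scope.MediaSource;
  const origAdd = Original.prototype.addSourceBuffer;
  const seen = []; // what the page's script asked for

  // 1. A constructor call tells us MSE is going to be used on this page.
  scope.MediaSource = new Proxy(Original, {
    construct(target, args, newTarget) {
      seen.push({ event: "construct", pageUrl });
      return Reflect.construct(target, args, newTarget);
    },
  });

  // 2. addSourceBuffer() receives the MIME type and codecs the page wants.
  Original.prototype.addSourceBuffer = function (mimeType) {
    const type = String(mimeType).split(";")[0].trim().toLowerCase();
    const allowed = isAllowed(pageUrl, type);
    seen.push({ event: "addSourceBuffer", pageUrl, type, allowed });
    if (!allowed) {
      // The decision is made before any media bytes are appended.
      const err = new Error(`MSE ${type} blocked on ${pageUrl}`);
      err.name = "NotSupportedError";
      throw err;
    }
    return origAdd.call(this, mimeType);
  };
  return seen;
}

// Constructed stand-in for the browser API so the sketch runs under Node.
function makeFakeScope() {
  class MediaSource {
    constructor() { this.buffers = []; }
    addSourceBuffer(mimeType) { this.buffers.push(mimeType); return { mimeType }; }
  }
  return { MediaSource };
}

// Constructed policy: one page is unblocked for one declared MIME type.
const allowList = new Set(["https://video.example/watch video/webm"]);
const isAllowed = (pageUrl, type) => allowList.has(`${pageUrl} ${type}`);

function tryPage(pageUrl, mimeType) {
  const scope = makeFakeScope();
  const seen = instrumentMediaSource(scope, pageUrl, isAllowed);
  const ms = new scope.MediaSource();
  let blocked = false;
  try { ms.addSourceBuffer(mimeType); } catch (e) { blocked = e.name === "NotSupportedError"; }
  return { blocked, seen, buffers: ms.buffers.length };
}
```

The policy function never sees a data source URL, only the hosting page and the declared type, which matches the limitation the comment describes.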

