[tor-bugs] #19200 [Applications/Tor Browser]: HTML5 video not blocked with placeholder, plays automatically

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Nov 17 18:33:57 UTC 2016


#19200: HTML5 video not blocked with placeholder, plays automatically
-------------------------------------------------+-------------------------
 Reporter:  potato                               |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:
                                                 |  needs_information
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Major                                |     Resolution:
 Keywords:  tbb-security-slider,                 |  Actual Points:
  tbb-6.0-issues, noscript, GeorgKoppen201611,   |
  TorBrowserTeam201611                           |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by ma1):

 Replying to [comment:37 i139]:
 > what is the advances of MSE use instance of non-MSE use? should be
 > measured the advances and the difficulty of implementation of this
 > technology, like this issue with placeholder

 Proponents of this technology will tell you that it allows moving into
 the web platform a lot of logic (mostly for adaptive bit rate) which was
 implemented natively in custom players or in Flash.
 As a side effect the data flow *appears* less transparent, but what we
 should focus on is that the JavaScript on a certain webpage now has the
 power to fuzz (and possibly exploit) any available HTML 5 media codec
 *without even touching the network*. That's why I believe restricting MSE
 usage as an additional permission for the site (or the webpage, as I said,
 for convenience rather than security, e.g. on Youtube) is the most
 sensible approach: exactly the same NoScript already adopts for WebGL.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19200#comment:38>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online