[tor-bugs] #22981 [Applications/Tor Browser]: Don't block audio/video on https sites under Medium Security

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Jul 19 19:09:11 UTC 2017


#22981: Don't block audio/video on https sites under Medium Security
-------------------------------------------------+-------------------------
 Reporter:  arthuredelstein                      |          Owner:  tbb-team
     Type:  defect                               |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-usability, tbb-security-slider,  |  Actual Points:
  ux-team                                        |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by gk):

 Replying to [ticket:22981 arthuredelstein]:
 > Right now "Medium Security" on the security slider blocks all audio and
 > video using NoScript. But JavaScript is allowed for https sites. I would
 > suggest also unblocking video and audio for https sites but keeping them
 > blocked for http sites. This would increase usability for sites such as
 > YouTube.

 While it would increase usability for websites I am not sold we should do
 that yet. The analogy to our treatment of JavaScript is an interesting one
 but we should not forget that we allow only non-JITed JavaScript on HTTPS
 pages. The reason for not allowing JIT at all (i.e. irrespective of the
 transport) is the high number of vulnerabilities in this part of the code.
 Exactly the same reason is behind blocking audio/video by default. But
 audio/video is more important than JIT, right (although not allowing the
 latter breaks sites as well!)? True. That's the reason behind making it
 easy to allow playing videos if wanted.

 I think before seriously thinking about not blocking audio/video anymore
 for HTTPS pages we should investigate how complex the click-to-play thing
 is and whether we could simplify it to a point where that alone would be a
 sufficient usability improvement.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22981#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

