[tor-bugs] #22981 [Applications/Tor Browser]: Don't block audio/video on https sites under Medium Security
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Jul 19 19:09:11 UTC 2017
#22981: Don't block audio/video on https sites under Medium Security
-------------------------------------------------+-------------------------
 Reporter:  arthuredelstein                      |          Owner:  tbb-team
     Type:  defect                               |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-usability, tbb-security-slider,  |  Actual Points:
  ux-team                                        |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Comment (by gk):
Replying to [ticket:22981 arthuredelstein]:
> Right now "Medium Security" on the security slider blocks all audio and
> video using NoScript. But JavaScript is allowed for https sites. I would
> suggest also unblocking video and audio for https sites but keeping them
> blocked for http sites. This would increase usability for sites such as
> YouTube.

While it would increase usability for websites I am not sold we should do
that yet. The analogy to our treatment of JavaScript is an interesting one
but we should not forget that we allow only non-JITed JavaScript on HTTPS
pages. The reason for not allowing JIT at all (i.e. irrespective of the
transport) is the high number of vulnerabilities in this part of the code.
Exactly the same reason is behind blocking audio/video by default. But
audio/video is more important than JIT, right (although not allowing the
latter breaks sites as well!)? True. That's the reason behind making it
easy to allow playing videos if wanted.

I think before seriously thinking about not blocking audio/video anymore
for HTTPS pages we should investigate how complex the click-to-play thing
is and whether we could simplify it to a point where that alone would be a
sufficient usability improvement.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22981#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online