[tor-bugs] #21805 [Applications/Tor Browser]: webgl is getting blocked in low security
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Mar 29 11:14:01 UTC 2017
#21805: webgl is getting blocked in low security
--------------------------------------+-----------------------------------
Reporter: arthuredelstein | Owner: tbb-team
Type: defect | Status: needs_information
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-usability | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+-----------------------------------
Changes (by gk):
* status: new => needs_information
* keywords: tbb-security-slider, tbb-usability => tbb-usability
Comment:
Yes, that's because WebGL is a privacy problem and, looking at the data
from past sec-high and sec-crit bugs, not a security problem. Which is why
it is not governed by the security slider and I think that's okay.
Here is what we are doing right now according to the design spec:
{{{
First, WebGL Canvases have click-to-play placeholders (provided by
NoScript), and do not run until authorized by the user. Second, we
obfuscate driver information by setting the Firefox preferences webgl
.disable-extensions, webgl.min_capability_mode, and webgl.disable-fail-if-
major-performance-caveat which reduce the information provided by the
following WebGL API calls: getParameter(), getSupportedExtensions(), and
getExtension(). To make the minimal WebGL mode usable we additionally
normalize its properties with a Firefox patch.
}}}
It seems your report is not a bug then. Maybe you wanted to argue we
should not do the click-to-play thing at all anymore?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21805#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list