[tor-bugs] #21805 [Applications/Tor Browser]: webgl is blocked without a click-to-play button (was: webgl is getting blocked in low security)

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Jan 4 00:45:45 UTC 2018


#21805: webgl is blocked without a click-to-play button
--------------------------------------+-----------------------------------
 Reporter:  arthuredelstein           |          Owner:  tbb-team
     Type:  defect                    |         Status:  needs_information
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-usability             |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+-----------------------------------

Comment (by arthuredelstein):

 Replying to [comment:2 gk]:
 > Yes, that's because WebGL is a privacy problem and, looking at the data
 > from past sec-high and sec-crit bugs, not a security problem.

 Since we last looked at this, there have been some sec-high and sec-crit
 bugs related to WebGL:
 https://www.mozilla.org/en-US/security/advisories/mfsa2017-29/#CVE-2017-7845
 https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7824
 https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7754
 https://www.mozilla.org/en-US/security/advisories/mfsa2017-14/#CVE-2017-5031
 https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5459
 https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5411

 > Which is why it is not governed by the security slider and I think
 > that's okay.

 You're right -- if it's a privacy problem then we may want to block it at
 Low Security regardless of whether it's a security problem.

 > First, WebGL Canvases have click-to-play placeholders (provided by
 > NoScript),

 I have tried a number of webgl demos at
 https://experiments.withgoogle.com/chrome and I haven't found any sites
 where a click-to-play icon appears. The only way to enable WebGL appears
 to be to click on the NoScript button and then select one of the menu
 options to temporarily unblock webgl for that site.

 So it would be nice to have a click-to-play button in the middle of a
 canvas, similar to how a click-to-play button is shown in YouTube. Or
 perhaps an easier alternative would be some sort of door hanger that says
 something like "To protect your privacy, Tor Browser has blocked advanced
 graphics on this site. Would you like to temporarily allow them anyway?
 (Yes/No)"

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21805#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

