[tor-bugs] #33000 [Applications/Tor Browser]: Click-to-play does not work on embedded videos on the blog in safer mode

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jan 21 15:21:28 UTC 2020


#33000: Click-to-play does not work on embedded videos on the blog in safer mode
--------------------------------------+--------------------------
 Reporter:  gk                        |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  noscript                  |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by sysrqb):

 Replying to [comment:3 ma1]:
 > It seems to be an unintended (?) consequence of "Cascade top document's
 > restrictions to subdocuments", which is enabled by default in the Tor
 > Browser, but not in vanilla NoScript, which is probably the reason why
 > this had not been reported yet.

 Ah ha! Yes, it seems to be. In addition, YouTube is trusted by default, so
 that would hide this issue from most users, too.

 >
 > I'm not sure how you prefer to deal with this (one way might be ignoring
 > cascaded restrictions for CUSTOM rules), but maybe a finer granularity of
 > the restriction cascades as described at the beginning of
 > https://trac.torproject.org/projects/tor/ticket/30570#comment:19 would
 > allow you to choose the best answer for your needs.

 I think ignoring the cascaded restrictions for CUSTOM rules is the
 expected behavior in this situation. However, rules are created for the
 URL or origin of the document itself, including embedded documents, so
 custom rules are used for a third-party resource across different first-
 party sites. This is a problem for Tor Browser. In addition to #30570,
 (maybe as another option) would it be possible to create the policy key
 using both the "embedded sitekey or origin" and something like
 `window.top.origin`? I'm not sure if first-party isolation with respect to
 per-site capabilities was previously discussed.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33000#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
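
The keying question raised in the comment above, as an added example that is not part of the original message and is not NoScript or Tor Browser code: a custom rule stored under the embedded origin alone follows that embed to every first-party site, while a key built from the top-level origin plus the embedded origin keeps it on the site where it was set. `PolicyStore`, its methods, the capability names and the `.example` URLs are hypothetical.

```javascript
// Added illustration. PolicyStore, its methods and the key format are
// hypothetical; this is not NoScript's data model or API.
const DEFAULT_CAPS = new Set(["frame"]); // constructed default preset

class PolicyStore {
  constructor(isolateByTopOrigin) {
    this.isolateByTopOrigin = isolateByTopOrigin;
    this.customRules = new Map();
  }

  // Build the lookup key for a document embedded under a top-level page.
  key(embeddedUrl, topUrl) {
    const embedded = new URL(embeddedUrl).origin;
    if (!this.isolateByTopOrigin) return embedded; // shared across all sites
    // JSON-encode the pair so the two origins cannot be spliced together.
    return JSON.stringify([new URL(topUrl).origin, embedded]);
  }

  setCustom(embeddedUrl, topUrl, caps) {
    this.customRules.set(this.key(embeddedUrl, topUrl), new Set(caps));
  }

  allows(embeddedUrl, topUrl, cap) {
    const rule = this.customRules.get(this.key(embeddedUrl, topUrl));
    return (rule || DEFAULT_CAPS).has(cap);
  }
}

// Constructed scenario: the user permits media for a video embed while
// reading one site, then meets the same embed on an unrelated site.
function scenario(isolateByTopOrigin) {
  const store = new PolicyStore(isolateByTopOrigin);
  const embed = "https://video.example/embed/abc";
  store.setCustom(embed, "https://blog.example/post/1", ["frame", "media"]);
  return {
    onBlog: store.allows(embed, "https://blog.example/post/2", "media"),
    onOtherSite: store.allows(embed, "https://news.example/", "media"),
  };
}

console.log("embedded-origin key:", scenario(false));
console.log("top + embedded key: ", scenario(true));
```

With the embedded-origin key the custom rule is honoured on both sites, which gives the embedded third party a per-user state it can observe across first parties; with the paired key the second site falls back to the default preset.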

