Closed (moved)
Opened May 30, 2016 by Trac@tracbot

HTML5 video not blocked with placeholder, plays automatically

In Tor Browser 6.0a5, with security level set at Medium-Low or higher, HTML5 video that uses media source extensions (MSE) is able to load and play automatically, without being blocked by a click-to-play NoScript placeholder. The policy for the Medium-Low, Medium-High, and High security levels states that "HTML5 video and audio media become click-to-play via NoScript," but this bug breaks that security policy by allowing HTML5 MSE media to play unobstructed. The browser's attack surface may be increased due to exposure to this media.

I've tested on both OS X and Tails 2.4~rc1. The bug exists on both platforms. On OS X, I tested with a clean install of Tor Browser.

Regular HTML5 video that does not use MSE is unaffected by this bug and gets placeholder-blocked properly.

Expected result:

HTML5 MSE video should not be allowed to play automatically in security level Medium-Low or higher; it should be replaced with a click-to-play placeholder by NoScript to block it until the user either clicks the placeholder or uses the NoScript toolbar button to allow it. This was the behavior in Tor Browser 5.5.5 and earlier.

Steps to reproduce:

  1. Click the Torbutton icon in the browser toolbar, select "Privacy and Security Settings..." and choose Medium-Low, Medium-High, or High security level.
  2. Go to a site that has MSE video, such as any YouTube video, e.g.: https://www.youtube.com/watch?v=T07gkTc5Fcc
  3. If Tor Browser is in High security mode, then allow scripts on the page via the NoScript toolbar button option "Temporarily allow all this page."
  4. The video will start playing automatically. There is no NoScript placeholder that you click to start the video; it just starts playing.

Trac:
Username: potato

Reference: legacy/trac#19200