HTML5 video not blocked with placeholder, plays automatically
In Tor Browser 6.0a5, with security level set at Medium-Low or higher, HTML5 video that uses media source extensions (MSE) is able to load and play automatically, without being blocked by a click-to-play NoScript placeholder. The policy for the Medium-Low, Medium-High, and High security levels states that "HTML5 video and audio media become click-to-play via NoScript," but this bug breaks that security policy by allowing HTML5 MSE media to play unobstructed. The browser's attack surface may be increased due to exposure to this media.
I've tested on both OS X and Tails 2.4~rc1. The bug exists on both platforms. On OS X, I tested with a clean install of Tor Browser.
Regular HTML5 video that does not use MSE is unaffected by this bug and gets placeholder-blocked properly.
HTML5 MSE video should not be allowed to play automatically in security level Medium-Low or higher; it should be replaced with a click-to-play placeholder by NoScript to block it until the user either clicks the placeholder or uses the NoScript toolbar button to allow it. This was the behavior in Tor Browser 5.5.5 and earlier.
Steps to reproduce:
- Click the Torbutton icon in the browser toolbar, select "Privacy and Security Settings..." and choose Medium-Low, Medium-High, or High security level.
- Go to a site that has MSE video, such as any YouTube video, e.g. https://www.youtube.com/watch?v=T07gkTc5Fcc
- If Tor Browser is in High security mode, then allow scripts on the page via the NoScript toolbar button option "Temporarily allow all this page."
- The video will start playing automatically. There is no NoScript placeholder that you click to start the video; it just starts playing.
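
A way to record the outcome of the steps above when re-testing a build, as an added example that is not part of the original report or of Tor Browser/NoScript code. The function names are hypothetical, the sample data is constructed, and treating a `blob:` `currentSrc` as MSE-backed is an assumption (MSE is normally attached through `URL.createObjectURL(mediaSource)`, but a `blob:` URL can also wrap an ordinary Blob).

```javascript
// Classify where a media element gets its data from.
// Assumption: "blob:" means MSE-backed; a direct http(s) URL means regular HTML5 media.
function classifySource(currentSrc) {
  if (!currentSrc) return "none";
  return currentSrc.startsWith("blob:") ? "mse-or-blob" : "direct";
}

// Report every media element and flag those that are playing although the
// tester has not clicked a placeholder or allowed the media via NoScript.
function auditMedia(elements, userAllowed = false) {
  return Array.from(elements).map((el) => {
    const playing = !el.paused && !el.ended && el.currentTime > 0;
    return {
      tag: String(el.tagName || "").toLowerCase(),
      source: classifySource(el.currentSrc),
      playing,
      violatesClickToPlay: playing && !userAllowed,
    };
  });
}

// Collapse the report into counts suitable for a ticket comment.
function summarize(report) {
  const bad = report.filter((r) => r.violatesClickToPlay);
  return {
    total: report.length,
    violations: bad.length,
    mseViolations: bad.filter((r) => r.source === "mse-or-blob").length,
  };
}

// Constructed sample mirroring the report: an MSE video that is playing and a
// regular HTML5 video that has not started.
const SAMPLE = [
  { tagName: "VIDEO", currentSrc: "blob:https://www.youtube.com/constructed-id",
    paused: false, ended: false, currentTime: 3.2 },
  { tagName: "VIDEO", currentSrc: "https://example.test/clip.webm",
    paused: true, ended: false, currentTime: 0 },
];

// In the browser console, audit the live page; elsewhere, use the sample.
const input = typeof document !== "undefined"
  ? document.querySelectorAll("video, audio")
  : SAMPLE;
console.log(summarize(auditMedia(input)));
```

At Medium-Low or higher, with no placeholder clicked, the expected result is zero violations; a non-zero `mseViolations` count matches the behavior described in this report.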