NoScript Click-to-Play bypass with embedded videos and audios
Noscript does not block .webm playback on tor hidden services but plays them first and then blocks them after.
If you go to http://alokalaou53jmgum.onion/b/50927 and click on the 'homer-simpson webm' it will start playing directly after being clicked on even though Tor Browser is set to high security slider and this in 9/10 times.
Whereas if you open it directly it will block it 9/10 times.
This is present in at least Tor Browser 6.5.1 and 6.5.2 and probably on even older versions leaving users potentially in danger if it where to be a malicious .webm by not blocking it