Re: [tor-bugs] #33000 [Applications/Tor Browser]: Click-to-play does not work on embedded videos on the blog in safer mode

[Tor Bug Tracker & Wiki]

#33000: Click-to-play does not work on embedded videos on the blog in safer mode
--+--
 Reporter:  gk|  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  noscript  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by cypherpunks):

 This was reported in blog comments much earlier, 2 months ago in November
 2019. See the following thread. Its OP talks about https://invidio.us/
 (Invidious), but its replies talk about ''third-party embedded videos on
 **any** site''. https://blog.torproject.org/comment/285311#comment-285311

 The official onion of Invidious was reported not working with click-to-
 play 7 months ago in June 2019: #30993. Related to all of these is #22985,
 "Can we simplify and clarify click-to-play of audio/video?"

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #33000 [Applications/Tor Browser]: Click-to-play does not work on embedded videos on the blog in safer mode

[Tor Bug Tracker & Wiki]

#33000: Click-to-play does not work on embedded videos on the blog in safer mode
--+--
 Reporter:  gk|  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  noscript  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by sysrqb):

 Replying to [comment:3 ma1]:
 > It seems to be an unintended (?) consequence of "Cascade top document's
 restrictions to subdocuments", which is enabled by default in the Tor
 Browser, but not in vanilla NoScript, which is probably the reason why
 this had not been reported yet.

 Ah ha! Yes, it seems to be. In addition, youtube is trusted by default, so
 that would hide this issue from most users, too.

 >
 > I'm not sure how you prefer to deal with this (one way might be ignoring
 cascaded restrictions for CUSTOM rules), but maybe a finer granularity of
 the restriction cascades as described at the beginning of
 https://trac.torproject.org/projects/tor/ticket/30570#comment:19 would
 allow you to choose the best answer for your needs.

 I think ignoring the cascaded restrictions for CUSTOM rules is the
 expected behavior in this situation. However, rules are created for the
 url or origin of the document itself, including embedded documents, so
 custom rules are used for a third-party resource across different first-
 party sites. This is a problem for Tor Browser. In addition to #30570,
 (maybe as another option) would it be possible to create the policy key
 using both the "emedded sitekey or origin" and something like
 `window.top.origin`? I'm not sure if first-party isolation with respect to
 per-site capabilities was previously discussed.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #33000 [Applications/Tor Browser]: Click-to-play does not work on embedded videos on the blog in safer mode

[Tor Bug Tracker & Wiki]

#33000: Click-to-play does not work on embedded videos on the blog in safer mode
--+--
 Reporter:  gk|  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  noscript  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by ma1):

 It seems to be an unintended (?) consequence of "Cascade top document's
 restrictions to subdocuments", which is enabled by default in the Tor
 Browser, but not in vanilla NoScript, which is probably the reason why
 this had not been reported yet.

 I'm not sure how you prefer to deal with this (one way might be ignoring
 cascaded restrictions for CUSTOM rules), but maybe a finer granularity of
 the restriction cascades as described at the beginning of
 https://trac.torproject.org/projects/tor/ticket/30570#comment:19 would
 allow you to choose the best answer for your needs.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #33000 [Applications/Tor Browser]: Click-to-play does not work on embedded videos on the blog in safer mode

[Tor Bug Tracker & Wiki]

#33000: Click-to-play does not work on embedded videos on the blog in safer mode
--+--
 Reporter:  gk|  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  noscript  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--
Changes (by sysrqb):

 * cc: ma1 (added)


Comment:

 This is reproducible on Standard by disabling Noscript's media capability
 for Default.

 Hi ma1, is this a known bug? I don't see any obvious open issues for it.
 It's an embedded third-party iframe from youtube. Media cap is disabled.
 The video element shows the play button. After clicking the element so the
 video begins, Noscript shows click-to-play. After clicking the element
 again, Noscript prompts for allowing media. After allowing media the video
 shows a spinning animation and then returns to showing the play element.

 https://blog.torproject.org/2019-campaign-wrapup-tor-take-back-the-
 internet

 and reproducible here:
 https://www.w3schools.com/html/tryit.asp?filename=tryhtml_youtubeiframe

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #33000 [Applications/Tor Browser]: Click-to-play does not work on embedded videos on the blog in safer mode

[Tor Bug Tracker & Wiki]

#33000: Click-to-play does not work on embedded videos on the blog in safer mode
--+--
 Reporter:  gk|  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  noscript  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--
Description changed by gk:

Old description:

> [As reported on the blog
> https://blog.torproject.org/comment/286439#comment-286439] being on
> medium sevurity level and trying to get the videos on our [2019 campaign
> wrap-up https://blog.torproject.org/2019-campaign-wrapup-tor-take-back-
> the-internet] to play does not work.
>
> This is with NoScript 11.0.12.

New description:

 [https://blog.torproject.org/comment/286439#comment-286439 As reported on
 the blog] being on medium sevurity level and trying to get the videos on
 our [https://blog.torproject.org/2019-campaign-wrapup-tor-take-back-the-
 internet 2019 campaign wrap-up] to play does not work.

 This is with NoScript 11.0.12.

--

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs