#19200: HTML5 video not blocked with placeholder, plays automatically
-------------------------------------------------+-------------------------
 Reporter:  potato                               |          Owner:  tbb-team
     Type:  defect                               |         Status:  needs_information
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Major                                |     Resolution:
 Keywords:  tbb-security-slider,                 |  Actual Points:
  tbb-6.0-issues, GeorgKoppen201607,             |
  TorBrowserTeam201607                           |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by gk):

 * status:  needs_revision => needs_information

Comment:

 Replying to [comment:16 ma1]:
 > Mediasource is quite a hairy problem.
 >
 > The reason why ClickToPlay cannot work the way it does for "normal" videos is because there's no general way to identify the actual origin of the stream that is going to be played: in fact, the data can be generated on the fly by JavaScript code on the page and can actually come from anywhere (XMLHttpRequest, fetch(), random numbers, images whose bits are read using the canvas API, user input, whatever).
 >
 > Therefore the only meaningful "subject of trust" can be '''page''''s origin: trying to put individual mediasource elements behind ClickToPlay is impossible (since the data is fetched and/or assembled by scripts, you are required to reload the page upon placeholder activation, and the identity of the element to be activated is usually lost, since it's not bound to any persistent unique URL); furthermore, I doubt it's even useful from a security standpoint, since you cannot actually tell one instance from the other.
 >
 > The only partial workaround I can think of is to implement a "special case" ClickToPlay for MSE, activating all the elements of a certain page if any placeholder gets clicked (the key would be page's URL, rather than the non-existent "media URL", and a page reload would occur). Would that work for you?

 We could try it at least I guess. There was the idea in #19736 to just set `media.autoplay.enabled` to `false` and be done with it but I assume that this does not prevent malicious code from exploiting bugs in Mozilla's media code but that might be worth double-checking. Another thing I looked at was the Flashstopper extension which at least provides an interesting way to block audio/video tags until the user does something. Giorgio, what do you think would be the best road for making sure we keep our security guarantees and a click-to-play mechanism?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19200#comment:18>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
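
Added example, not part of the ticket and not NoScript or Tor Browser code: a small model of the page-keyed ClickToPlay idea from the quoted comment, showing why a per-load MSE URL cannot be the permission key while the page URL can. `permissionKey`, `ClickToPlay` and `demo` are hypothetical names, the URLs are constructed, and it assumes an MSE element appears with a `blob:` object URL as its src.

```javascript
'use strict';
// Added illustration; permissionKey and ClickToPlay are hypothetical names,
// not NoScript or Tor Browser code.

// Pick the "subject of trust" for one media element.
// Assumption: an MSE element's src is a blob: object URL minted on each page
// load, so it cannot serve as a persistent key; the page URL is used instead.
function permissionKey(pageUrl, mediaSrc) {
  const page = new URL(pageUrl);
  page.hash = '';                        // a fragment does not change the page
  let src = null;
  try {
    if (mediaSrc) src = new URL(mediaSrc, page);
  } catch (e) {
    src = null;                          // unparsable src: fall back to page
  }
  if (src === null || src.protocol === 'blob:') {
    return 'page|' + page.href;          // every MSE element on the page shares it
  }
  return 'media|' + src.href;            // "normal" video: one key per media URL
}

class ClickToPlay {
  constructor() { this.allowed = new Set(); }

  // The user clicked the placeholder standing in for this element.
  activate(pageUrl, mediaSrc) {
    const key = permissionKey(pageUrl, mediaSrc);
    this.allowed.add(key);
    return key;
  }

  // Decision taken when an element is about to load, e.g. after the reload.
  mayPlay(pageUrl, mediaSrc) {
    return this.allowed.has(permissionKey(pageUrl, mediaSrc));
  }
}

// Constructed sample values.
const PAGE = 'https://video.example/watch?v=1';
const BLOB_BEFORE = 'blob:https://video.example/0a1b2c3d-0000-4000-8000-000000000001';
const BLOB_AFTER = 'blob:https://video.example/0a1b2c3d-0000-4000-8000-000000000002';

function demo() {
  const ctp = new ClickToPlay();
  ctp.activate(PAGE, BLOB_BEFORE);       // click on one MSE placeholder
  return {
    sameElementAfterReload: ctp.mayPlay(PAGE, BLOB_AFTER),
    otherPage: ctp.mayPlay('https://video.example/watch?v=2', BLOB_AFTER),
    plainVideoSamePage: ctp.mayPlay(PAGE, '/media/clip.webm'),
  };
}
```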