Opened 3 years ago

Last modified 20 months ago

#20314 new defect

Make SVG click-to-play and support fallback

Reported by: bugzilla
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-usability, ux-team
Cc: brade, mcs, dcf, arma, mrphs, linda, dmr
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Currently TBB uses the worst option: entirely disabled. Not even a white rectangle on a white background. It's not fair that videos have CTP, but images don't. NoScript is most suitable now for this feature.

Child Tickets

Change History (12)

comment:1 Changed 3 years ago by mcs

Cc: brade mcs added

#20359 was closed as a duplicate, but that ticket mentioned MathML as well as SVG. Do we have a separate ticket for MathML click-to-play? If not, I guess we should create one.

comment:2 Changed 3 years ago by bugzilla

You too dunno how to deal with gk's bugtracker...

comment:3 Changed 3 years ago by gk

See #20807, which might help us think about how to implement that (if we do it at all).

comment:4 Changed 3 years ago by i139

Make a per-domain block, like MSE videos are now.

Blocking per element will still break the page.

comment:5 Changed 3 years ago by i139

Will it be available before the next release?

comment:6 Changed 3 years ago by x101010

comment:7 Changed 3 years ago by gk

Cc: dcf added
Keywords: noscript removed
Summary: Make SVG click-to-play → Make SVG click-to-play and support fallback

Plus we could support the <picture> element to fall back to a different format if advertised. This is the idea of #21060.
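An added example, not Tor Browser or NoScript code, of the decision logic such a fallback-aware SVG blocker needs: given a <picture> (modelled here as a plain object so it runs without a DOM), prefer an advertised non-SVG <source>, then a non-SVG <img>, and only hold the image for click-to-play when nothing but SVG is offered. The object shape and function names are assumptions.

```javascript
// Hypothetical helper for an SVG click-to-play blocker. A content script
// would build `picture` from real <picture>/<source>/<img> nodes; here it is
// { sources: [{ type, srcset }], img: { src } }.
const SVG_TYPE = 'image/svg+xml';

// Parse a srcset attribute ("a.png 1x, a@2x.png 2x") into candidate URLs.
function parseSrcset(srcset) {
  return (srcset || '')
    .split(',')
    .map(c => c.trim().split(/\s+/)[0])
    .filter(Boolean);
}

// URL heuristic: path ends in .svg/.svgz once query and fragment are dropped.
// Note: this cannot see the response Content-Type, so a real blocker must also
// enforce the decision where the image is actually decoded, not only here.
function looksLikeSvg(url) {
  return /\.svgz?$/i.test(url.split(/[?#]/)[0]);
}

// Conservative: a declared SVG type OR any SVG-looking URL makes it SVG.
function isSvgSource(source) {
  if ((source.type || '').toLowerCase() === SVG_TYPE) return true;
  return parseSrcset(source.srcset).some(looksLikeSvg);
}

// Usable fallback: has at least one URL and none of them is SVG.
function isNonSvgSource(source) {
  return parseSrcset(source.srcset).length > 0 && !isSvgSource(source);
}

// Returns { action: 'allow' | 'fallback' | 'block', url }.
// 'allow'    nothing SVG is offered, render as the page intended
// 'fallback' an SVG was offered but a non-SVG alternative was advertised
// 'block'    only SVG is available: show a click-to-play placeholder instead
function decide(picture) {
  const imgSrc = picture.img.src;
  const imgIsSvg = looksLikeSvg(imgSrc);
  const offersSvg = imgIsSvg || picture.sources.some(isSvgSource);
  if (!offersSvg) return { action: 'allow', url: imgSrc };

  const alt = picture.sources.find(isNonSvgSource);
  if (alt) return { action: 'fallback', url: parseSrcset(alt.srcset)[0] };
  if (!imgIsSvg) return { action: 'fallback', url: imgSrc };
  return { action: 'block', url: imgSrc };
}
```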

comment:8 Changed 3 years ago by cypherpunks

It's important to remember though that putting this in the domain of NoScript and making it click-to-play makes bypasses easier. Isn't it also a little silly to consider making SVG click-to-play shortly after an SVG vulnerability was used by the authorities against Tor Browser users, and shortly after a NoScript click-to-play bug was fixed (I think it was fixed at least) which caused videos to play for a split second even when they were disabled? It just seems shortsighted to me.

There are already NoScript bypasses for JavaScript in the wild and being hoarded, so at the very least, I'd like to see the ability to completely disable SVG on the highest security setting, without having to resort to disabling it in about:config and potentially increasing the risk of fingerprinting.

comment:9 Changed 2 years ago by gk

Cc: arma mrphs linda added
Keywords: ux-team added

#23554 is a duplicate.

For posterity parts of arma's original description:

 Especially now that youtube has decided that svg is the way of the future,
 we should figure out a more usable way for people to retain most of their
 security while still loading youtube if they want.

 Options that come to mind:

 A) Build our own per-tag toggle interface for the svg blocker.

 B) Ask noscript to learn how to block svg, and then use its existing per-tab
 toggle interface to let you configure your svg hopes.

 C) Finish thinking about the "per-tab security slider settings" idea, and
 decide to move forward with it.

 (Idea came from discussions with Nima and Nicolas.)

As I said in that ticket, C) is essentially #21034, which is probably not going to fly.

comment:10 Changed 2 years ago by gk

FWIW: the discussion about how those blocked but clicked-to-play things like SVG images should be exposed to the user is happening in #22785.

comment:11 Changed 2 years ago by cypherpunks

Click-to-play for SVG sounds like a wealth of fingerprinting potential. What if some user whitelists only some SVG while another makes a blanket SVG-whitelist for the domain?

comment:12 Changed 20 months ago by dmr

Cc: dmr added