Currently TBB uses the worst option: entirely disabled. Even no white rectangle on a white background. It's not fair that videos have CTP, but images haven't. NoScript is most suitable now for this feature.
#20359 (moved) was closed as a duplicate, but that ticket mentioned MathML as well as SVG. Do we have a separate ticket for MathML click-to-play? If not, I guess we should create one.
Plus we could support the <picture> element to fallback to a different format if advertised. This is the idea of #21060 (moved).
Trac: Keywords: noscript deleted, N/A added. Summary: "Make SVG click-to-play" to "Make SVG click-to-play and support fallback". Cc: brade, mcs to brade, mcs, dcf
It's important to remember though that putting this in the domain of NoScript and making it click-to-play makes bypasses easier. Isn't it also a little silly to consider making SVG click-to-play shortly after an SVG vulnerability was used by the authorities against Tor Browser users, and shortly after a NoScript click-to-play bug was fixed (I think it was fixed at least) which caused videos to play for a split second even when they were disabled? It just seems shortsighted to me.
There are already NoScript bypasses for JavaScript in the wild and being hoarded, so at the very least, I'd like to see the ability to completely disable SVG on the highest security setting, without having to resort to disabling it in about:config and potentially increasing the risk of fingerprinting.
For posterity parts of arma's original description:
Especially now that youtube has decided that svg is the way of the future, we should figure out a more usable way for people to retain most of their security while still loading youtube if they want. Options that come to mind:
A) Build our own per-tag toggle interface for the svg blocker.
B) Ask noscript to learn how to block svg, and then use its existing per-tab toggle interface to let you configure your svg hopes.
C) Finish thinking about the "per-tab security slider settings" idea, and decide to move forward with it. (Idea came from discussions with Nima and Nicolas.)
As I said in that ticket C) is essentially #21034 (moved) which is probably not going to fly.
Trac: Cc: brade, mcs, dcf to brade, mcs, dcf, arma, mrphs, linda. Keywords: N/A deleted, ux-team added
Click-to-play for SVG sounds like a wealth of fingerprinting potential. What if some user whitelists only some SVG while another makes a blanket SVG-whitelist for the domain?