Opened 13 months ago

Last modified 13 months ago

#24234 new defect

Setting your security slider to "high" breaks Twitter

Reported by: mrphs Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: UX
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description (last modified by mrphs)

I just realized twitter doesn't load properly when the security slider is set to "high". I was trying to figure out what triggers this but I also realized there's no apparent way to find out what things were blocked by the security slider. Addons like NoScript, Privacy Badger or any ad blocker basically have this option where they show you what elements were blocked so you could investigate if there's a problem and manually whitelist them, but I find out it's not as easy with the security slider.

Attached is a screenshot of how it looks.

The workaround is to lower the security to medium.

setting slider to high security breaks twitter

Child Tickets

Attachments (2)

high-security-twitter.png (124.0 KB) - added by mrphs 13 months ago.
setting slider to high security breaks twitter
security-settings changed.png (70.1 KB) - added by mrphs 13 months ago.

Download all attachments as: .zip

Change History (9)

Changed 13 months ago by mrphs

Attachment: high-security-twitter.png added

setting slider to high security breaks twitter

comment:1 Changed 13 months ago by mrphs

Description: modified (diff)

comment:2 Changed 13 months ago by arma

Looks a lot like #24190.

comment:3 in reply to:  2 Changed 13 months ago by mrphs

Replying to arma:

Looks a lot like #24190.

Ha! setting svg.in-content.enabled to true does indeed fix the problem. Though I don't know why the person who reported it closed the ticket. How does the Tor Browser team feel about this? Should we encourage people to change their browser settings? In my opinion that kind of seems contrary with why we have the security slider.

Changed 13 months ago by mrphs

comment:4 Changed 13 months ago by mrphs

It seems like the current UI righteously discourages people from making any changes in their security settings.


comment:5 Changed 13 months ago by arma

I think youtube is broken at the high setting, for the same "it now uses svg" reason?

It sounds like longterm we either tell people that high security is a setting that these sites chose to be broken on... or we reduce security features from the high security setting every time a major site starts using something that it had disabled... or we go to the major sites and tell them to stop using scary web functionality... any other options? :)

comment:6 in reply to:  5 Changed 13 months ago by cypherpunks

Replying to arma:

I think youtube is broken at the high setting, for the same "it now uses svg" reason?

It sounds like longterm we either tell people that high security is a setting that these sites chose to be broken on... or we reduce security features from the high security setting every time a major site starts using something that it had disabled... or we go to the major sites and tell them to stop using scary web functionality... any other options? :)

Or we use these type of tricks: for example if you have a YouTube url like https://www.youtube.com/watch?v=JWII85UlzKw then replace the www.youtube.com/watch?v= part with hooktube.com/embed/ resulting in https://hooktube.com/embed/JWII85UlzKw which definitely works with High security setting.

I'm not aware of any simple way to get the URL in the first place, but one can use Searx instances and disabling all except the Youtube engine in the video search preferences, and then type https://searx.riseup.net/?q=webrender&categories=videos (sometimes search query fails and one has to repeat the search).

Last edited 13 months ago by cypherpunks (previous) (diff)

comment:7 in reply to:  4 Changed 13 months ago by cypherpunks

Last edited 13 months ago by cypherpunks (previous) (diff)
Note: See TracTickets for help on using tickets.