Opened 11 months ago
Last modified 11 months ago
#24234 new defect
Setting your security slider to "high" breaks Twitter
| Reported by: | mrphs | Owned by: | tbb-team |
|---|---|---|---|
| Priority: | Medium | Milestone: | |
| Component: | Applications/Tor Browser | Version: | |
| Severity: | Normal | Keywords: | UX |
| Cc: | Actual Points: | ||
| Parent ID: | Points: | ||
| Reviewer: | Sponsor: |
Description (last modified by )
I just realized twitter doesn't load properly when the security slider is set to "high". I was trying to figure out what triggers this but I also realized there's no apparent way to find out what things were blocked by the security slider. Addons like NoScript, Privacy Badger or any ad blocker basically have this option where they show you what elements were blocked so you could investigate if there's a problem and manually whitelist them, but I find out it's not as easy with the security slider.
Attached is a screenshot of how it looks.
The workaround is to lower the security to medium.
Child Tickets
Attachments (2)
Change History (9)
Changed 11 months ago by
| Attachment: | high-security-twitter.png added |
|---|
comment:1 Changed 11 months ago by
| Description: | modified (diff) |
|---|
comment:3 Changed 11 months ago by
Replying to arma:
Looks a lot like #24190.
Ha! setting svg.in-content.enabled to true does indeed fix the problem. Though I don't know why the person who reported it closed the ticket. How does the Tor Browser team feel about this? Should we encourage people to change their browser settings? In my opinion that kind of seems contrary with why we have the security slider.
Changed 11 months ago by
| Attachment: | security-settings changed.png added |
|---|
comment:4 follow-up: 7 Changed 11 months ago by
It seems like the current UI righteously discourages people from making any changes in their security settings.
comment:5 follow-up: 6 Changed 11 months ago by
I think youtube is broken at the high setting, for the same "it now uses svg" reason?
It sounds like longterm we either tell people that high security is a setting that these sites chose to be broken on... or we reduce security features from the high security setting every time a major site starts using something that it had disabled... or we go to the major sites and tell them to stop using scary web functionality... any other options? :)
comment:6 Changed 11 months ago by
Replying to arma:
I think youtube is broken at the high setting, for the same "it now uses svg" reason?
It sounds like longterm we either tell people that high security is a setting that these sites chose to be broken on... or we reduce security features from the high security setting every time a major site starts using something that it had disabled... or we go to the major sites and tell them to stop using scary web functionality... any other options? :)
Or we use these type of tricks: for example if you have a YouTube url like https://www.youtube.com/watch?v=JWII85UlzKw then replace the www.youtube.com/watch?v= part with hooktube.com/embed/ resulting in https://hooktube.com/embed/JWII85UlzKw which definitely works with High security setting.
I'm not aware of any simple way to get the URL in the first place, but one can use Searx instances and disabling all except the Youtube engine in the video search preferences, and then type https://searx.riseup.net/?q=webrender&categories=videos (sometimes search query fails and one has to repeat the search).
setting slider to high security breaks twitter