Opened 3 years ago
Last modified 3 years ago
#24479 new defect
NoScript shouldn't block local HTML5 video and audio files when security slider is set to safer or safest
| Reported by: | cypherpunks | Owned by: | tbb-team |
|---|---|---|---|
| Priority: | Medium | Milestone: | |
| Component: | Applications/Tor Browser | Version: | |
| Severity: | Normal | Keywords: | |
| Cc: | Actual Points: | ||
| Parent ID: | Points: | ||
| Reviewer: | Sponsor: |
Description
NoScript shouldn't block local HTML5 video and audio files when security slider is set to medium or high
Child Tickets
Change History (5)
comment:1 follow-up: 3 Changed 3 years ago by
comment:3 Changed 3 years ago by
Replying to irl:
HTML 5 video/audio means parsing untrusted data through a complicated decoding algorithm that may have vulnerabilities, which is why this restriction is in place on Medium/High security levels.
The ticket is about local files only, meaning that they're trusted and this restriction should probably not be in place.
comment:4 Changed 3 years ago by
| Summary: | NoScript shouldn't block local HTML5 video and audio files when security slider is set to medium or high → NoScript shouldn't block local HTML5 video and audio files when security slider is set to safer or safest |
|---|
comment:5 Changed 3 years ago by
mcs says in #24421:
Another idea came to me while I was doing something else: maybe there are actually two copies of the NoScript code running, and *that* is causing problems. A quick
dump()added to the end of NoScript's Main.js shows it is being loaded twice, but I am not sure if that is by design or not.
could that be related to how when loading local media files in TB with Medium-High security setting, not only is the media instantly played, but there's in addition a click-to-play?
Are they blocked or are they "click to play"? HTML 5 video/audio means parsing untrusted data through a complicated decoding algorithm that may have vulnerabilities, which is why this restriction is in place on Medium/High security levels.