#26613 closed defect (fixed)
audit or disable Apple HLS implementation on Android
Reported by: | mcs | Owned by: | tbb-team |
---|---|---|---|
Priority: | High | Milestone: | |
Component: | Applications/Tor Browser | Version: | |
Severity: | Normal | Keywords: | tbb-mobile, ff60-esr, TorBrowserTeam201807 |
Cc: | arthuredelstein, igt0 | Actual Points: | |
Parent ID: | | Points: | |
Reviewer: | | Sponsor: | Sponsor8 |
Description
As of Firefox 59, Apple's HTTPS Live Streaming (HLS) protocol is supported on Android for both audio and video. We should audit this or at least look at how it is implemented, and possibly disable it. Mozilla says: "There is not currently any plan to implement it on Firefox Desktop." See:
Change History (8)
comment:1 Changed 8 months ago by
Cc: | arthuredelstein added |
---|
comment:2 Changed 8 months ago by
Cc: | igt0 added |
---|---|
Status: | new → needs_information |
comment:4 Changed 8 months ago by
Priority: | Immediate → High |
---|
comment:5 Changed 8 months ago by
When looking at the code I looked for:
- proxy bypasses: the browser implementation uses just the HTTP implementation and it has a proxy bypass; this one is fixed, we just need to backport it to FF60.
- disk avoidance: I wanted to check whether the player stores any data on disk, and it does; however, it stores the data in the app's internal cache using the Android context.getCacheDir method. The internal cache cannot be accessed by other apps and it has a short life span.
- fingerprinting: I looked for locale and screen size leaks, and the HLS implementation doesn't leak them. All the text and video selections happen on the app side. The browser doesn't send any data to the server.
So I would say yes we can enable it.
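An added example, not part of the ticket or of Tor Browser's code: a small Python scanner that flags Java source lines touching the three areas audited in comment 5 (proxy bypass, disk avoidance, fingerprinting). The API patterns and the sample source are assumptions constructed for illustration; a hit is a line to review by hand, not a confirmed leak.

```python
import re

# Audit areas named in comment 5. The API patterns are assumptions picked
# for this example; a hit means "review this line", not "confirmed leak".
CHECKS = {
    "proxy-bypass": [r"\bHttpURLConnection\b", r"\.openConnection\s*\(",
                     r"\bnew\s+Socket\s*\("],
    "disk-external": [r"\bgetExternalCacheDir\s*\(", r"\bgetExternalFilesDir\s*\(",
                      r"\bgetExternalStorageDirectory\s*\("],
    "disk-internal": [r"\bgetCacheDir\s*\("],
    "fingerprinting": [r"\bLocale\.getDefault\s*\(", r"\bDisplayMetrics\b"],
}

# String literals are matched first so that "//" inside a URL is not taken
# for a comment, which would hide the rest of the line from the audit.
_TOKEN = re.compile(r'"(?:\\.|[^"\\\n])*"|//[^\n]*|/\*.*?\*/', re.S)

def strip_comments(source):
    """Drop Java comments, keeping string literals and line numbering."""
    def keep_or_blank(match):
        text = match.group()
        return text if text.startswith('"') else "\n" * text.count("\n")
    return _TOKEN.sub(keep_or_blank, source)

def audit(source):
    """Return (line number, category, code) for each line needing review."""
    findings = []
    for lineno, line in enumerate(strip_comments(source).splitlines(), 1):
        for category, patterns in CHECKS.items():
            if any(re.search(p, line) for p in patterns):
                findings.append((lineno, category, line.strip()))
    return findings

# Constructed sample source, not taken from Firefox or Tor Browser.
SAMPLE = '''\
// Player sketch
class Player {
  void open(Context ctx) throws Exception {
    // HttpURLConnection mentioned in a comment must not be reported
    URLConnection c = new URL("http://example.invalid/a.m3u8").openConnection();
    File cache = new File(ctx.getCacheDir(), "hls");
    File ext = ctx.getExternalCacheDir();
    String lang = Locale.getDefault().toString();
  }
}
'''

if __name__ == "__main__":
    for lineno, category, code in audit(SAMPLE):
        print(f"{lineno:3} {category:15} {code}")
```

The `disk-internal` category is reported separately from `disk-external` because, as the comment notes, data under `getCacheDir` is not reachable by other apps, while external storage is.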
comment:6 Changed 8 months ago by
Resolution: | → fixed |
---|---|
Status: | needs_information → closed |
Great, so we are done here.
comment:7 Changed 4 months ago by
Sponsor: | → Sponsor8 |
---|
It seems there are already proxy bypasses found in this implementation, see: #26028. igt0: do you think we should keep this enabled with your fix or is there more that's an issue?