Opened 7 months ago

Last modified 7 months ago

#33000 new defect

Click-to-play does not work on embedded videos on the blog in safer mode

Reported by: gk Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: noscript
Cc: ma1 Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description (last modified by gk)

As reported on the blog, being on the medium security level and trying to get the videos in our 2019 campaign wrap-up to play does not work.

This is with NoScript 11.0.12.

Child Tickets

Change History (5)

comment:1 Changed 7 months ago by gk

Description: modified (diff)

comment:2 Changed 7 months ago by sysrqb

Cc: ma1 added

This is reproducible on Standard by disabling NoScript's media capability for Default.

Hi ma1, is this a known bug? I don't see any obvious open issues for it. It's an embedded third-party iframe from YouTube. Media cap is disabled. The video element shows the play button. After clicking the element so the video begins, NoScript shows click-to-play. After clicking the element again, NoScript prompts for allowing media. After allowing media the video shows a spinning animation and then returns to showing the play element.

https://blog.torproject.org/2019-campaign-wrapup-tor-take-back-the-internet

and reproducible here: https://www.w3schools.com/html/tryit.asp?filename=tryhtml_youtubeiframe

comment:3 Changed 7 months ago by ma1

It seems to be an unintended (?) consequence of "Cascade top document's restrictions to subdocuments", which is enabled by default in the Tor Browser, but not in vanilla NoScript, which is probably the reason why this had not been reported yet.

I'm not sure how you prefer to deal with this (one way might be ignoring cascaded restrictions for CUSTOM rules), but maybe a finer granularity of the restriction cascades as described at the beginning of https://trac.torproject.org/projects/tor/ticket/30570#comment:19 would allow you to choose the best answer for your needs.

comment:4 in reply to: 3 Changed 7 months ago by sysrqb

Replying to ma1:

It seems to be an unintended (?) consequence of "Cascade top document's restrictions to subdocuments", which is enabled by default in the Tor Browser, but not in vanilla NoScript, which is probably the reason why this had not been reported yet.

Ah ha! Yes, it seems to be. In addition, youtube is trusted by default, so that would hide this issue from most users, too.

I'm not sure how you prefer to deal with this (one way might be ignoring cascaded restrictions for CUSTOM rules), but maybe a finer granularity of the restriction cascades as described at the beginning of https://trac.torproject.org/projects/tor/ticket/30570#comment:19 would allow you to choose the best answer for your needs.

I think ignoring the cascaded restrictions for CUSTOM rules is the expected behavior in this situation. However, rules are created for the URL or origin of the document itself, including embedded documents, so custom rules are used for a third-party resource across different first-party sites. This is a problem for Tor Browser. In addition to #30570, (maybe as another option) would it be possible to create the policy key using both the "embedded sitekey or origin" and something like window.top.origin? I'm not sure if first-party isolation with respect to per-site capabilities was previously discussed.
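
The following is an added illustration, not NoScript's or Tor Browser's code and not written by anyone in this thread. It models per-site capabilities just far enough to show the two mechanisms discussed in comment:3 and comment:4: how "cascade top document's restrictions to subdocuments" swallows a CUSTOM "allow media" granted on an embedded frame, and how keying CUSTOM rules on both the top-level origin and the embedded origin stops a rule granted on one first-party site from being reused on another. `PolicyStore`, `policyKey`, `scenario`, the preset contents and the third origin are assumptions made for this example.

```javascript
// Added example (not NoScript's code): a small model of per-site capability policy
// with (a) cascading of the top document's restrictions to subdocuments and
// (b) optional first-party keying of CUSTOM rules, as proposed in comment:4.
// Preset contents, class and function names, and the origins are assumptions.

const CAPABILITIES = ["frame", "script", "media"];

// Stand-ins for NoScript's presets; the exact capability sets are an assumption.
const PRESETS = {
  TRUSTED: new Set(CAPABILITIES),
  DEFAULT: new Set(["frame"]),   // Safer-like default: no script, no media
  UNTRUSTED: new Set(),
};

// Key under which a CUSTOM rule is stored: the embedded document's origin alone
// (rules follow the document everywhere), or qualified by the top-level origin.
function policyKey(origin, topOrigin, isolateByFirstParty) {
  return isolateByFirstParty && topOrigin ? `${topOrigin}|${origin}` : origin;
}

class PolicyStore {
  constructor({ cascadeTopRestrictions = true, exemptCustomFromCascade = false,
                isolateByFirstParty = false } = {}) {
    Object.assign(this, { cascadeTopRestrictions, exemptCustomFromCascade, isolateByFirstParty });
    this.presetByOrigin = new Map();  // origin -> preset name
    this.customRules = new Map();     // policyKey -> Set of capabilities
  }

  setPreset(origin, preset) { this.presetByOrigin.set(origin, preset); }

  // Accepting the click-to-play prompt records a CUSTOM rule for the frame.
  allowCustom(origin, caps, topOrigin) {
    this.customRules.set(policyKey(origin, topOrigin, this.isolateByFirstParty), new Set(caps));
  }

  // The rule a single document gets on its own, before any cascade is applied.
  ownPolicy(origin, topOrigin) {
    const custom = this.customRules.get(policyKey(origin, topOrigin, this.isolateByFirstParty));
    if (custom) return { caps: custom, custom: true };
    return { caps: PRESETS[this.presetByOrigin.get(origin) || "DEFAULT"], custom: false };
  }

  // Effective capabilities of a document at `origin` whose window.top is at `topOrigin`.
  resolve(origin, topOrigin) {
    const own = this.ownPolicy(origin, topOrigin);
    const isTop = origin === topOrigin;
    if (isTop || !this.cascadeTopRestrictions || (own.custom && this.exemptCustomFromCascade)) {
      return new Set(own.caps);
    }
    // Cascade: a subdocument never exceeds what the top document is allowed,
    // so a CUSTOM grant on the frame is cut back to the top document's DEFAULT.
    const top = this.ownPolicy(topOrigin, topOrigin);
    return new Set([...own.caps].filter((c) => top.caps.has(c)));
  }
}

// Constructed scenario mirroring the ticket: a YouTube iframe on the blog in Safer mode.
const BLOG = "https://blog.torproject.org";
const YOUTUBE = "https://www.youtube.com";
const OTHER_SITE = "https://other.example"; // constructed unrelated first party

function scenario(options) {
  const store = new PolicyStore(options);
  // Before any click the frame sits at DEFAULT, so no media.
  const beforeClick = store.resolve(YOUTUBE, BLOG).has("media");
  // The user accepts the prompt to allow media on the YouTube frame.
  store.allowCustom(YOUTUBE, ["frame", "media"], BLOG);
  return {
    beforeClick,
    mediaOnBlog: store.resolve(YOUTUBE, BLOG).has("media"),
    // Is the same CUSTOM rule picked up when YouTube is embedded on an unrelated site?
    ruleReusedElsewhere: store.ownPolicy(YOUTUBE, OTHER_SITE).custom,
  };
}

// Tor Browser default per comment:3: cascade on, CUSTOM rules keyed by origin only.
const torBrowserDefault = scenario({ cascadeTopRestrictions: true });
// Option from comment:3: exempt CUSTOM rules from the cascade.
const exemptCustom = scenario({ cascadeTopRestrictions: true, exemptCustomFromCascade: true });
// Option from comment:4: additionally key CUSTOM rules on window.top's origin.
const firstPartyIsolated = scenario({ cascadeTopRestrictions: true, exemptCustomFromCascade: true,
                                      isolateByFirstParty: true });
```

Running the three scenarios shows the trade-off the thread is circling: with the Tor Browser default the media grant on the frame is cascaded away (the symptom in the description), exempting CUSTOM rules from the cascade makes playback work but leaves the rule keyed on the YouTube origin alone, so it is reused on every other first party, and adding the top-level origin to the key keeps playback working while confining the grant to the blog.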

comment:5 Changed 7 months ago by cypherpunks

This was reported in blog comments much earlier, 2 months ago in November 2019. See the following thread. Its OP talks about https://invidio.us/ (Invidious), but its replies talk about third-party embedded videos on any site. https://blog.torproject.org/comment/285311#comment-285311

The official onion of Invidious was reported not working with click-to-play 7 months ago in June 2019: #30993. Related to all of these is #22985, "Can we simplify and clarify click-to-play of audio/video?"
