#18782: media tab in Page Info can bypass NoScript on Linux if gstreamer is used
-------------------------+--------------------------
 Reporter:  cypherpunks  |          Owner:  tbb-team
     Type:  defect       |         Status:  assigned
 Priority:  Very High    |      Milestone:
Component:  Tor Browser  |        Version:
 Severity:  Critical     |     Resolution:
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
 Reviewer:               |        Sponsor:
-------------------------+--------------------------
Changes (by gk):

 * status:  needs_information => assigned

Comment:

 Replying to [comment:15 cypherpunks]:
 > So fundamentally, the expected behaviour is not to leak data? To obey the security slider? To start shipping TBB with media.gstreamer.enabled set to false, or incorporating that setting into the slider?
 >
 > Do you even know if gstreamer has been leaking this whole time and should be removed as an option until upstream passes an audit?
 >
 > - If you can determine gstreamer isn't leaky (meaning outside the Tor network) then media.gstreamer.enabled should become part of what the security slider controls
 > - if you cannot determine anything about gstreamer's network activity conclusively (?) then it should be removed from interaction from TBB completely

 See #13020 for the network activity. The sole reason I was asking about the expected behavior was that there are a bunch of possible ways to deal with this issue and I certainly don't want to pick one users are unhappy about as this would result in follow-up bugs leading to extra work.

 And FWIW Tor Browser based on ESR45 won't have this problem anymore as Mozilla is not using gstreamer anymore. We'll start shipping that in roughly 10 days with the next alpha.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18782#comment:18>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online