What are the security expectations / boundaries of the autoplay policy


Hanno Böck

Oct 6, 2017, 1:15:58 PM
to securi...@chromium.org
Hi,

According to this [1] and several news reports Chrome plans to limit
autoplay videos in future versions.

I assume the autoplay policy option (chrome://flags/#autoplay-policy)
is an opt-in preview of that feature (?).


I wonder if Chrome has any security expectations about this feature.
Particularly I have the following questions:

1. Would it be considered a security vulnerability if a webpage that
does not meet the criteria defined by the policy is able to still
autoplay videos and bypass the policy?

2. Would webpages that actively try to bypass the policy be considered
malicious pages and e.g. added to Google's Safe Browsing block list?



[1]
https://developers.google.com/web/updates/2017/09/autoplay-policy-changes

--
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Eric Lawrence

Oct 6, 2017, 1:22:33 PM
to Hanno Böck, Security-dev
No, I do not believe there's any security guarantee surrounding autoplay.

We know from past experience that webpages can bypass autoplay restrictions by, for instance, decoding video frames and JavaScript and blitting them to a canvas.

I think it's unlikely that such pages would be blocked by SafeBrowsing unless they were engaged in other behaviors (social engineering, malware distribution, etc).

-Eric

Hanno Böck

Oct 6, 2017, 1:41:46 PM
to Eric Lawrence, Security-dev
On Fri, 6 Oct 2017 12:22:01 -0500
Eric Lawrence <elaw...@google.com> wrote:

> No, I do not believe there's any security guarantee surrounding
> autoplay.
>
> We know from past experience that webpages can bypass autoplay
> restrictions by, for instance, decoding video frames and JavaScript
> and blitting them to a canvas.
>
> I think it's unlikely that such pages would be blocked by SafeBrowsing
> unless they were engaged in other behaviors (social engineering,
> malware distribution, etc).

I think that's an unfortunate answer and makes me much less excited
about that feature than I originally was.

Doesn't that mean that the autoplay policy is more or less useless?
I interpret your words in a way that webpages intending to autoplay
videos can continue to do so without any consequences.

Chris Palmer

Oct 6, 2017, 1:44:36 PM
to Eric Lawrence, Hanno Böck, Security-dev
On Fri, Oct 6, 2017 at 10:22 AM, 'Eric Lawrence' via Security-dev <securi...@chromium.org> wrote:

> No, I do not believe there's any security guarantee surrounding autoplay.

I agree; see generally https://chromium.googlesource.com/chromium/src/+/master/docs/security/severity-guidelines.md. I don't see any severity category that autoplaying would fit into. I'd say it's abuse, more so than exploitation of a vulnerability. Not that we like abuse either...

> We know from past experience that webpages can bypass autoplay restrictions by, for instance, decoding video frames and JavaScript and blitting them to a canvas.
>
> I think it's unlikely that such pages would be blocked by SafeBrowsing unless they were engaged in other behaviors (social engineering, malware distribution, etc).

One can imagine that a tab that's running that hot might be subject to other interventions, however.