NoScript not blocking audio properly?
Posted: Sat Nov 14, 2015 5:20 pm
by Lurion
Hello!
Normally when I browse the internet I have NoScript set to block the <audio> and <video> elements on both trusted and untrusted pages. It works fine because I can see that the click-to-activate mechanism is used. While attempting to watch a video (not so much listen to audio) I have to click the placeholder for a video to start playing. This is exactly what I want for audio/video. But there is this website where NoScript either ignores or simply isn't able to block the audio the same way.
hxxp://hex.frvr.com (replace "xx" with "tt", stupid spam filter)
Any ideas why this is happening? Asking because of this and it has got me concerned since audio is not being blocked:
http://arstechnica.com/tech-policy/2015 ... let-and-pc
Best regards!
Re: NoScript not blocking audio properly?
Posted: Sat Nov 14, 2015 6:45 pm
by barbaz
"Its time to kick ass and chew bubble gum, and Im all out of gum." is not the UA string of a supported browser
On what OS and browser (& version) do you see this?
What NS version?
Re: NoScript not blocking audio properly?
Posted: Sat Nov 14, 2015 7:24 pm
by Lurion
There, created and tested it in a new FF profile after installing only NoScript from the addons search.
OS is Linux xubuntu, NS is v2.6.9.39, Browser is FF 42.0. Sounds/music still play on that website. Youtube videos get blocked with a click-to-play placeholder.
Re: NoScript not blocking audio properly?
Posted: Sat Nov 14, 2015 9:10 pm
by barbaz
Confirmed.
(Sorry for the delay, that's a fun game)
The sounds are not <audio> elements, but MP3s fetched by XHR and somehow played entirely within JS... I'm not seeing how it's done and I've never tried to play audio from entirely within JS, so I'm not really sure what we're looking for.
However, note that this audio comes from a site you already trust, and that by default NoScript will block XHR to any 3rd-party site that isn't script-allowed (about:config > noscript.forbidXHR). So I don't think you need to be too concerned about it.
Re: NoScript not blocking audio properly?
Posted: Sun Nov 15, 2015 7:49 am
by Lurion
I got lost while poking through their Javascript. Seems like they're using these calls to control the audio:
Host.Sound.SetVolume(e, t)
Host.Sound.Play(e, e, a, o, t)
Host.Sound.Stop(e)
Host.Sound.Preload(i, i, t)
But I can't find any references to what window.Host or Host.Sound may be.
Re: NoScript not blocking audio properly?
Posted: Sun Nov 15, 2015 2:09 pm
by barbaz
When I checked, window.Host was undefined, and Sound did not have any of the attributes you list in your post.
Re: NoScript not blocking audio properly?
Posted: Tue Nov 17, 2015 1:52 pm
by Lurion
Here's the code snippet where I found those calls:
http://pastebin.com/0ffdJYZP
What tool do you use to inspect running javascript in Firefox?
EDIT: I wonder if this code is even being used. In the web console I can't see any "Using SoundPlayer!" entries that this script was supposed (I assume) to generate.
Re: NoScript not blocking audio properly?
Posted: Tue Nov 17, 2015 1:59 pm
by barbaz
Lurion wrote: What tool do you use to inspect running javascript in Firefox?
I usually use Firefox's devtools JS debugger when it comes to that, but in this case I was just reading the JS directly from source with some help from a local de-minifier.
Re: NoScript not blocking audio properly?
Posted: Tue Nov 17, 2015 2:09 pm
by barbaz
Lurion wrote: In the web console I can't see any "Using SoundPlayer!" entries
Because that only happens if both window.Host and window.Host.Sound "booleanize" to true, which is not the case.
Re: NoScript not blocking audio properly?
Posted: Wed Nov 18, 2015 6:39 am
by Lurion
Yeah, I was wrong about that. It's the second part of the code that is being used.
Here is the documentation for the audio API that they are using:
https://developer.mozilla.org/en-US/doc ... dioContext
Re: NoScript not blocking audio properly?
Posted: Wed Nov 18, 2015 2:14 pm
by barbaz
Nice find.
Do you think it's worth NoScript intercepting that API like a blocked object on whitelisted sites, for users that set "Apply these restrictions to whitelisted sites too" [for AUDIO/VIDEO]?
Re: NoScript not blocking audio properly?
Posted: Wed Nov 18, 2015 8:36 pm
by Lurion
Well...
Personally I find the whitelist feature a bit confusing. I mean what really is a whitelist, how is it defined? While I browse the internet, I normally temporarily allow many websites for only that they can function. But that doesn't mean that I *trust* them, and I most definitely do not want them to be treated as such. It is for this exact reason that I had to enable that "Apply these restrictions to whitelisted sites too" option to prevent various things from loading just because I temporarily enabled javascript. This would include stuff like videos, audio, plugins, WebGL (can be used to assist browser fingerprinting), etc. I've set it up like this for security reasons, and I like having a bit more fine-grade control over what things I allow a website to load. The click-to-activate feature is most helpful here.
Regarding the audio/video thing, I think that this option was specifically meant to block the <audio> and <video> HTML tags. Perhaps a more appropriate choice would be to include a new category with some options to block various web API's like the AudioContext, but I wanna hear what Giorgio has to say about this. Since these things are normally javascript-controlled it means that the restrictions can currently be bypassed easily, and I have no way of selectively blocking them unless I leave the JS disabled completely (which will often break a website, as it does on the sample website I provided).
Also, remember that the website doesn't have to implement the code directly. A third-party server like an ad network can provide its own javascript to secretly play an ultrasound audio which in turn enables device tracking (see the link in first post).
Greetz,
~Lurion
Re: NoScript not blocking audio properly?
Posted: Wed Nov 18, 2015 10:39 pm
by Thrawn
Lurion wrote: I normally temporarily allow many websites for only that they can function. But that doesn't mean that I *trust* them, and I most definitely do not want them to be treated as such.
Then you have a problem, because you have allowed those sites to run JavaScript. If they are malicious, and they target a zero-day browser exploit, it's game over.
What kind of trust are you expecting to withhold?
Re: NoScript not blocking audio properly?
Posted: Wed Nov 18, 2015 11:02 pm
by barbaz
I agree with what Thrawn is saying. If you don't trust them, you really should run their scripts in a disposable isolated VM or sandbox of some sort.
A few other points though.
Lurion wrote: Regarding the audio/video thing, I think that this option was specifically meant to block the <audio> and <video> HTML tags.
Yes, because those don't need webpage JS to play the audio/video.
Lurion wrote: Perhaps a more appropriate choice would be to include a new category with some options to block various web API's like the AudioContext, but I wanna hear what Giorgio has to say about this.
Actually, I wonder if you can block it with a surrogate script? I'll send you a PM with more information later.
Lurion wrote: Also, remember that the website doesn't have to implement the code directly.
Actually yes it does for you, because...
Lurion wrote: A third-party server like an ad network can provide its own javascript to secretly play an ultrasound audio which in turn enables device tracking (see the link in first post).
... you are almost certainly not going to allow that third-party server's JS in NoScript. (also see above about XHR)
What am I missing that you think it's a concern?
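As an added illustration (not part of the thread, and not NoScript's own code): the sounds discussed above come from the Web Audio API rather than `<audio>` elements, so blocking them means gating the `AudioContext` constructors themselves, which is the kind of replacement a surrogate script could make. The names `gateWebAudio`, `demo` and `FakeAudioContext` are hypothetical, and the window object is a constructed stand-in so the example runs outside a browser.

```javascript
// Added example, not code from the thread or from NoScript.
// Gate Web Audio constructors behind an explicit user decision.
// `win` is a window-like object (pass `window` in a browser).
function gateWebAudio(win, onBlocked) {
  const names = ['AudioContext', 'webkitAudioContext', 'OfflineAudioContext'];
  const originals = {};
  const state = { allowed: false, attempts: 0 };

  for (const name of names) {
    const Original = win[name];
    if (typeof Original !== 'function') continue; // API not present here
    originals[name] = Original;
    // A Proxy keeps `instanceof` and static members working once allowed.
    win[name] = new Proxy(Original, {
      construct(target, args, newTarget) {
        if (!state.allowed) {
          state.attempts += 1;
          if (onBlocked) onBlocked(name); // hook for a click-to-activate prompt
          const err = new Error(name + ' is blocked until the user allows audio');
          err.name = 'NotAllowedError';
          throw err;
        }
        return Reflect.construct(target, args, newTarget);
      },
    });
  }
  return {
    allow() { state.allowed = true; },
    attempts() { return state.attempts; },
    restore() { for (const n of Object.keys(originals)) win[n] = originals[n]; },
  };
}

// Constructed stand-in for a page that plays sound without any <audio> element.
function demo() {
  class FakeAudioContext { constructor() { this.state = 'running'; } }
  const win = { AudioContext: FakeAudioContext };
  const blocked = [];
  const gate = gateWebAudio(win, (name) => blocked.push(name));
  let firstError = null;
  try { new win.AudioContext(); } catch (e) { firstError = e.name; }
  gate.allow(); // the user clicked the placeholder
  const ctx = new win.AudioContext();
  return { firstError, blocked, attempts: gate.attempts(),
           state: ctx.state, isInstance: ctx instanceof FakeAudioContext };
}
```

A page-level shim like this only covers the global object it is installed on; each frame has its own globals, so it has to be installed in every frame before page scripts run.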
Re: NoScript not blocking audio properly?
Posted: Thu Nov 19, 2015 7:06 am
by Lurion
Thrawn: I am aware of that, sadly. What I'm trying to do is to prevent websites from running plugins and certain parts of javascript while still allowing them to function. This includes blocking things like cookie access, dom storage, webapi (location services, webrtc, webgl, audio, etc), canvas and the like. I know it isn't perfect (*cough* browserspy.dk *cough*), but at least it's something, and I have a few addons that pop up warnings when javascript attempts to access certain things i.e. the canvas element.
barbaz: Thanks for the MP, I'll check out the code in a moment.
Please let me know if I'm doing it wrong. When I visit a website that requires JS to operate I normally temporarily allow the root domain first. If that doesn't work (which in most cases doesn't), I start to progressively allow other domains starting with the most obvious ones i.e. those with words like "static" or "cdn" in them. Certain websites still refuse to work, and I have to allow more 3rd-party domains where some of them might be obscure ad networks. I've already blacklisted the obvious ones like addthis, doubleclick and google analytics. It's pretty much a trial and error here.
Some websites refuse to work even after I've completely allowed all scripts, and I have to do other stuff like enable DOM storage.
The shim storage addon comes in handy here:
https://addons.mozilla.org/en-US/firefo ... e/?src=api