Closed Bug 1914728 Opened 6 months ago Closed 6 months ago

Websites such as Amazon, Youtube are bypassing `media.autoplay.default=2`

Categories

(Core :: Audio/Video: Playback, enhancement)

Firefox 131
All
Android
enhancement


RESOLVED DUPLICATE of bug 1681603

People

(Reporter: 2002luvabbaluvu, Unassigned)

Details

Attachments

(2 files)

Steps to reproduce:

Go to chrome://geckoview/content/config.xhtml,
set media.autoplay.default=2,
go to https://www.youtube.com/@Nyanners or https://www.amazon.com/gp/product/B0D4Q1HW27

Actual results:

It autoplays (the unexpected -- after autoplay is "disabled" -- flashing lights pose danger to those suffering from epilepsy.)

Expected results:

"Autoplay" is locked-down

Have not just used about:config; used Settings to block too.

Caught Amazon bypassing ( https://www.amazon.com/gp/product/B0D4Q1HW27 ) this.
Caught Youtube bypassing ( https://www.youtube.com/@Nyanners ) this.
As such bypassing can harm lots of Fenix users, have set this as a security issue ( but it is a known vulnerability on desktop Firefox; https://bugzilla.mozilla.org/show_bug.cgi?id=1681603 )

Group: mobile-core-security → media-core-security
Component: Browser Engine → Audio/Video: Playback
Product: Fenix → Core

I'm not sure this is a security issue. If somebody really wants to cause your screen to blink, there are a lot more ways to do it besides a video.

Summary: Websites such as Amazon, Youtube are bypassing `media.autoplay.default=2". Consumer protection bureaus refuse to address this. Wish Fenix enforces lockdown → Websites such as Amazon, Youtube are bypassing `media.autoplay.default=2"

(In reply to Andrew McCreight [:mccr8] from comment #3)

> I'm not sure this is a security issue. If somebody really wants to cause your screen to blink, there are a lot more ways to do it besides a video.

The bypassing of ` is not just an epilepsy risk.

Summary: Websites such as Amazon, Youtube are bypassing `media.autoplay.default=2" → Websites such as Amazon, Youtube are bypassing `media.autoplay.default=2`

What are the other security risks you see in bypassing this?

Flags: needinfo?(2002luvabbaluvu)

(In reply to Andrew McCreight [:mccr8] from comment #5)

> What are the other security risks you see in bypassing this?

The cybercrime described above can also be abused to cause audiogenic seizures, even if the video is not viewed; https://www.orpha.net/en/disease/detail/166415

Flags: needinfo?(2002luvabbaluvu)

The fix for both is chrome://geckoview/content/config.xhtml -> javascript.enabled=false

This is shared "gecko" functionality; there is nothing android specific here

Group: media-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 6 months ago
Duplicate of bug: autoplay-block-bypass
Resolution: --- → DUPLICATE

Desktop Firefox has lots of extensions which can solve this, which Fennec Firefox can not use.

This is not solved.

The closest to a workaround is chrome://geckoview/content/config.xhtml's media.autoplay.blocking_policy=2
