(Security bypass) WebGL runs on the Safer security level in some situations
I think I've accidentally discovered a WebGL bypass in Tor Browser. It allows running WebGL code even if the security level is set "Safer". I can't find a minimal way to reproduce it 100% of the time, but these steps seem to work:
- Set the security level to Safer.
- Upload some file to https://wormhole.app/.
- Copy the download link that it creates onto a paste website like https://bpa.st/.
- Highlight the plaintext link with your cursor, right-click, and click "Open link in new tab".
Expected behavior: The website loads with a click-to-play option for WebGL.
Actual behavior: A distracting Doctor Who-esque WebGL-powered swirling wormhole animation plays in the background. This does NOT happen if the link is opened any other way (such as being pasted into the URL bar or clicked as hyperlink) or if webgl.disabled is set to true in about:config.
This doesn't always happen, and it doesn't seem to happen with any other WebGL-enabled sites that I've seen, but the fact that it ever happens when WebGL is disabled via the security level is a problem. It also only seems to happen when opening a download link in a new tab and can't be triggered on the front page.
I can do a screen recording of myself triggering the issue if it is necessary.