Open Bug 1428033 Opened 3 years ago Updated 8 months ago

Apply Resist Fingerprinting Protection to WebGL


(Core :: Canvas: WebGL, enhancement, P5)




Tracking Status
firefox59 --- affected


(Reporter: tjr, Unassigned)


(Blocks 1 open bug)


(Whiteboard: [fingerprinting][gfx-noted][fp-triaged])

Tor sets the following to mitigate (prevent?) fingerprinting with WebGL:

> pref("webgl.min_capability_mode", true);
> pref("webgl.disable-extensions", true);
> pref("webgl.disable-fail-if-major-performance-caveat", true);
> pref("webgl.enable-webgl2", false);

We should dig into these prefs and figure out if we need to 'set' them (really we would just treat them as 'true') for Resist Fingerprinting Mode. 

Tor does not need us to get this into ESR60, but it is a hole in FF's RFP mode.

May be relevant:

- webgl.dxgl.enabled (added in FF51, I think it is Windows specific only)
- webgl.enable-debug-renderer-info - see Bug 1171228 <-- this should be an RFP setting IMO, default is true, which AFAIK can leak info such as hardware and drivers etc. to websites such as youtube

Maybe "disable webgl.enable-debug-renderer-info when RFP=true" should be another ticket

> webgl.dxgl.enabled
This isn't relevant.

> webgl.enable-debug-renderer-info
IIRC this is already turned off in Tor's builds. Adding it to fingerprinting resistance makes sense.
This does give users a potentially degraded experience, though. There is no free lunch here.
Instead of just turning things off, we should canonize something like:

This reduces the number of bits to 2, which is probably fine, while preserving the vast majority of abilities.

Does that sound reasonable?
Flags: needinfo?(tom)
Priority: -- → P3
Whiteboard: fingerprinting → fingerprinting gfx-noted
Sounds okay at first glance, I'm going to clear ni until we dig into this one further though.
Flags: needinfo?(tom)
also see Bug 1337157 - maybe close that as a duplicate of this
Priority: P3 → P5
Whiteboard: fingerprinting gfx-noted → [fingerprinting][gfx-noted][fp-triaged]
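
To check from a test page which of the prefs discussed in this bug have taken effect, the following is an added example (not part of the bug report and not Firefox code). The mapping from each pref to what a page can observe is this example's reading of the pref names, and `auditWebGLSurface` and `fakeGetContext` are hypothetical names.

```javascript
// Added example, not Firefox code. `getContext` is any function shaped like
// HTMLCanvasElement.getContext. In a page, use a fresh canvas per call, since a
// canvas keeps its first context: (t, a) => document.createElement("canvas").getContext(t, a)
function auditWebGLSurface(getContext) {
  const report = { webgl2: false, extensions: [], debugRendererInfo: false,
                   caveatBit: false, limits: {}, findings: [] };
  const gl = getContext("webgl");
  if (!gl) return report; // WebGL unavailable: nothing for a page to read

  // webgl.enable-webgl2=false should make this request fail.
  report.webgl2 = Boolean(getContext("webgl2"));
  if (report.webgl2) report.findings.push("webgl.enable-webgl2: WebGL 2 available");

  // webgl.disable-extensions=true should leave this list empty.
  report.extensions = gl.getSupportedExtensions() || [];
  if (report.extensions.length > 0)
    report.findings.push("webgl.disable-extensions: " + report.extensions.length + " exposed");

  // webgl.enable-debug-renderer-info=false should hide this extension.
  report.debugRendererInfo = gl.getExtension("WEBGL_debug_renderer_info") !== null;
  if (report.debugRendererInfo)
    report.findings.push("webgl.enable-debug-renderer-info: renderer strings readable");

  // A strict request that fails while the plain one succeeded reveals one bit about
  // the renderer; webgl.disable-fail-if-major-performance-caveat=true should hide it.
  report.caveatBit = !getContext("webgl", { failIfMajorPerformanceCaveat: true });
  if (report.caveatBit)
    report.findings.push("webgl.disable-fail-if-major-performance-caveat: caveat observable");

  // Raw limits, for comparing machines; webgl.min_capability_mode should make them match.
  for (const name of ["MAX_TEXTURE_SIZE", "MAX_VERTEX_ATTRIBS", "MAX_VARYING_VECTORS"])
    report.limits[name] = gl.getParameter(gl[name]);
  return report;
}

// Constructed stand-in for canvas.getContext so the example runs outside a browser.
function fakeGetContext(cfg) {
  const gl = {
    MAX_TEXTURE_SIZE: 0x0D33, MAX_VERTEX_ATTRIBS: 0x8869, MAX_VARYING_VECTORS: 0x8DFC,
    getSupportedExtensions: () => cfg.extensions,
    getExtension: (name) => (cfg.extensions.includes(name) ? {} : null),
    getParameter: () => cfg.limit,
  };
  return (type, attrs) => {
    if (type === "webgl2") return cfg.webgl2 ? gl : null;
    if (attrs && attrs.failIfMajorPerformanceCaveat && cfg.caveat) return null;
    return gl;
  };
}
```

An empty `findings` array means none of the four checks found a readable difference; the `limits` values still need to be compared across machines by hand.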