Closed
Bug 1452391
Opened 7 years ago
Closed 7 years ago
PNG favicons show up as white square when privacy.resistFingerprinting is enabled
Categories
(Core :: Graphics: Canvas2D, defect)
Tracking
RESOLVED
WONTFIX
Tracking | Status | |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox59 | --- | wontfix |
firefox60 | --- | affected |
firefox61 | --- | affected |
People
(Reporter: yegortimoshenko, Unassigned)
References
Details
(Keywords: regression, Whiteboard: [fingerprinting-breakage])
Attachments
(1 file)
13.39 KB,
image/png
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Build ID: 20180323171851
Steps to reproduce:
1. Enable privacy.resistFingerprinting in about:config
2. Visit https://glowingbear.org/
Actual results:
Tab favicon looks like a white square.
Expected results:
Tab favicon should show Glowing Bear logo.
I can't reproduce this bug with disabled privacy.resistFingerprinting. I can only reproduce this issue on sites that use PNG favicons.
Comment 1•7 years ago
Build ID 20180410220129
User Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
I was able to reproduce this on the latest Firefox release (59.0.2) and on the latest Nightly (61.0a1) on Windows 10, Mac 10.13.3 and Arch Linux. However, it looks like turning "privacy.resistFingerprinting.autoDeclineNoUserInputCanvasPrompts" to false will make a doorhanger appear asking for permission to use the canvas. If allowed and the page refreshed, the favicon will appear.
@yegortimoshenko, is this a suitable solution for your issue? If not I could ask the Engineering team to weigh in.
Flags: needinfo?(yegortimoshenko)
Reporter
Comment 2•7 years ago
Nice! But that would be more of a workaround. It should be possible to view a site's favicon without giving it permission to use the canvas API. If PNG favicons are internally implemented as canvas, that is probably not exploitable externally (in terms of fingerprinting).
Flags: needinfo?(yegortimoshenko)
Comment 3•7 years ago
13:29.18 INFO: Last good revision: 6796e53fa9e386fd1709ddb2fd45eb74ab4e7b77
13:29.19 INFO: First bad revision: 11d5208791fed061fdeb0e0ecd031dbcf676bf12
13:29.19 INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=6796e53fa9e386fd1709ddb2fd45eb74ab4e7b77&tochange=11d5208791fed061fdeb0e0ecd031dbcf676bf12
It seems that bug 967895 has caused this.
Since :cfu's account is disabled, @johannh or @jrmuizel could you please weigh in on this?
Flags: needinfo?(jmuizelaar)
Flags: needinfo?(jhofmann)
Updated•7 years ago
Blocks: 967895
Status: UNCONFIRMED → NEW
status-firefox59:
--- → affected
status-firefox60:
--- → affected
status-firefox61:
--- → affected
status-firefox-esr52:
--- → unaffected
Component: Untriaged → Canvas: 2D
Ever confirmed: true
Keywords: regression
OS: Unspecified → All
Product: Firefox → Core
Hardware: Unspecified → All
Comment 4•7 years ago
Thanks for the report and for tracking this down! I don't think we'll have a 59 dot release for this issue so I'm marking 59 as wontfix.
Comment 5•7 years ago
I'm pretty sure that website is creating its favicon using canvas with a library such as http://blog.tommoor.com/tinycon/ or http://lab.ejci.net/favico.js/. That is blocked as expected.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(jmuizelaar)
Flags: needinfo?(jhofmann)
Resolution: --- → WONTFIX
Updated•7 years ago
Whiteboard: [fingerprinting-breakage]
Reporter
Comment 6•7 years ago
Oh, you're most likely right! Sorry for misidentifying the problem. That said, perhaps showing the default favicon instead of a white square would be preferable from a UI standpoint.
Comment 7•7 years ago
(In reply to Yegor Timoshenko from comment #6)
> Oh, you're most likely right! Sorry for misidentifying the problem. That
> said, perhaps showing the default favicon instead of a white square would be
> preferable from a UI standpoint.
The website doesn't "get" that we're sending it white noise instead of proper image data, so it will set that as the favicon. I don't think there's much we can do here :/
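The situation described in comments 5 and 7, seen from the website's side, as an added example that is not part of the bug thread and not code from Tinycon or favico.js: a page that builds its favicon on a canvas can paint a known pixel, read it back, and keep its static icon when the readback has been replaced. All function names are hypothetical, and the sketch assumes the browser substitutes `getImageData` readback the same way it substitutes the `toDataURL` export.

```javascript
// Added example; helper names are hypothetical and not from any library
// mentioned in the thread.

const PROBE = [12, 34, 56, 255]; // arbitrary opaque colour to write and read back

// Paint one known pixel and read it back. If the browser hands back
// placeholder data (all white, or random), the values will not match.
function readbackIsFaithful(ctx) {
  ctx.fillStyle = `rgb(${PROBE[0]}, ${PROBE[1]}, ${PROBE[2]})`;
  ctx.fillRect(0, 0, 1, 1);
  const px = ctx.getImageData(0, 0, 1, 1).data;
  return PROBE.every((v, i) => px[i] === v);
}

// Return the href for <link rel="icon">: the canvas-generated data URL
// only when readback works, otherwise the site's static icon.
function chooseFaviconHref(canvas, drawBadge, staticHref) {
  const ctx = canvas.getContext("2d");
  if (!ctx || !readbackIsFaithful(ctx)) return staticHref;
  ctx.clearRect(0, 0, canvas.width, canvas.height);
  drawBadge(ctx);
  return canvas.toDataURL("image/png");
}

// Constructed stand-in for a canvas so the logic runs outside a browser.
// blocked=true mimics readback being replaced with all-white pixels.
function fakeCanvas(blocked) {
  let last = [0, 0, 0, 0];
  const ctx = {
    fillStyle: "",
    fillRect() {
      const m = /rgb\((\d+), (\d+), (\d+)\)/.exec(this.fillStyle);
      if (m) last = [Number(m[1]), Number(m[2]), Number(m[3]), 255];
    },
    clearRect() { last = [0, 0, 0, 0]; },
    getImageData() {
      return { data: Uint8ClampedArray.from(blocked ? [255, 255, 255, 255] : last) };
    },
  };
  return {
    width: 16, height: 16,
    getContext: () => ctx,
    // Label strings only, not real PNG data.
    toDataURL: () => "data:image/png;base64," + (blocked ? "BLANK" : "BADGE"),
  };
}
```

In a page, `canvas` would be a real `document.createElement("canvas")` and the returned value would be assigned to the icon link's `href`.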