Closed Bug 1452391 Opened Last year Closed Last year

PNG favicons show up as white square when privacy.resistFingerprinting is enabled

Categories

(Core :: Canvas: 2D, defect)

59 Branch
defect
Not set

Tracking

()

RESOLVED WONTFIX
Tracking Status
firefox-esr52 --- unaffected
firefox59 --- wontfix
firefox60 --- affected
firefox61 --- affected

People

(Reporter: yegortimoshenko, Unassigned)

References

Details

(Keywords: regression, Whiteboard: [fingerprinting-breakage])

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Build ID: 20180323171851

Steps to reproduce:

1. Enable privacy.resistFingerprinting in about:config
2. Visit https://glowingbear.org/


Actual results:

Tab favicon looks like a white square.


Expected results:

Tab favicon should show Glowing Bear logo.

I can't reproduce this bug with disabled privacy.resistFingerprinting. I can only reproduce this issue on sites that use PNG favicons.
Build ID 	20180410220129
User Agent 	Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0


I was able to reproduce this on the latest Firefox release (59.0.2) and on the latest Nightly (61.0a1) on Windows 10, Mac 10.13.3 and Arch Linux. However it looks like turning "privacy.resistFingerprinting.autoDeclineNoUserInputCanvasPrompts" to false will make a doorhanger appear asking for permission to use the canvas. If allowed and the page refreshed, the favicon will appear.

@yegortimoshenko, is this a suitable solution for your issue? If not I could ask the Engineering team to weigh in.
Flags: needinfo?(yegortimoshenko)
Nice! But that would be more of a workaround. It should be possible to view site's favicon without giving it permission to use canvas API. If PNG favicons are internally implemented as canvas, that is probably not exploitable externally (in terms of fingerprinting).
Flags: needinfo?(yegortimoshenko)
13:29.18 INFO: Last good revision: 6796e53fa9e386fd1709ddb2fd45eb74ab4e7b77
13:29.19 INFO: First bad revision: 11d5208791fed061fdeb0e0ecd031dbcf676bf12
13:29.19 INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=6796e53fa9e386fd1709ddb2fd45eb74ab4e7b77&tochange=11d5208791fed061fdeb0e0ecd031dbcf676bf12

It seems that bug 967895 has caused this.

Since :cfu's account is disabled, @johannh or @jrmuizel could you please weigh in on this?
Flags: needinfo?(jmuizelaar)
Flags: needinfo?(jhofmann)
Blocks: 967895
Status: UNCONFIRMED → NEW
Component: Untriaged → Canvas: 2D
Ever confirmed: true
Keywords: regression
OS: Unspecified → All
Product: Firefox → Core
Hardware: Unspecified → All
Thanks for the report and for tracking this down! I don't think we'll have a 59 dot release for this issue so I'm marking 59 as wontfix.
I'm pretty sure that website is creating its favicon using canvas with a library such as http://blog.tommoor.com/tinycon/ or http://lab.ejci.net/favico.js/. That is blocked as expected.
Status: NEW → RESOLVED
Closed: Last year
Flags: needinfo?(jmuizelaar)
Flags: needinfo?(jhofmann)
Resolution: --- → WONTFIX
Whiteboard: [fingerprinting-breakage]
Oh, you're most likely right! Sorry for misidentifying the problem. That said, perhaps showing default favicon instead of white square would be preferable from UI standpoint.
(In reply to Yegor Timoshenko from comment #6)
> Oh, you're most likely right! Sorry for misidentifying the problem. That
> said, perhaps showing default favicon instead of white square would be
> preferable from UI standpoint.

The website doesn't "get" that we're sending it white noise instead of proper image data, so it will set that as the favicon. I don't think there's much we can do here :/
You need to log in before you can comment on or make changes to this bug.