1452391 - PNG favicons show up as white square when privacy.resistFingerprinting is enabled

Status: RESOLVED WONTFIX

(Core :: Graphics: Canvas2D, defect)

Description

[Yegor Timoshenko]

Attachment: Screenshot_2018-04-07_15-18-06.png

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Build ID: 20180323171851

Steps to reproduce:

1. Enable privacy.resistFingerprinting in about:config
2. Visit https://glowingbear.org/


Actual results:

Tab favicon looks like a white square.


Expected results:

Tab favicon should show Glowing Bear logo.

I can't reproduce this bug with disabled privacy.resistFingerprinting. I can only reproduce this issue on sites that use PNG favicons.

Comment 1

[Ciprian Muresan [:cmuresan], Ecosystem QA]

Build ID 	20180410220129
User Agent 	Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0


I was able to reproduce this on the latest Firefox release (59.0.2) and on the latest Nightly (61.0a1) on Windows 10, Mac 10.13.3 and Arch Linux. However it looks like turning "privacy.resistFingerprinting.autoDeclineNoUserInputCanvasPrompts" to false will make a doorhanger appear asking for permission to use the canvas. If allowed and the page refreshed, the favicon will appear.

@yegortimoshenko, is this a suitable solution for your issue? If not I could ask the Engineering team to weigh in.

Comment 2

[Yegor Timoshenko]

Nice! But that would be more of a workaround. It should be possible to view site's favicon without giving it permission to use canvas API. If PNG favicons are internally implemented as canvas, that is probably not exploitable externally (in terms of fingerprinting).

Comment 3

[Ciprian Muresan [:cmuresan], Ecosystem QA]

13:29.18 INFO: Last good revision: 6796e53fa9e386fd1709ddb2fd45eb74ab4e7b77
13:29.19 INFO: First bad revision: 11d5208791fed061fdeb0e0ecd031dbcf676bf12
13:29.19 INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=6796e53fa9e386fd1709ddb2fd45eb74ab4e7b77&tochange=11d5208791fed061fdeb0e0ecd031dbcf676bf12

It seems that bug 967895 has caused this.

Since :cfu's account is disabled, @johannh or @jrmuizel could you please weigh in on this?

Comment 4

[Andrew Overholt [:overholt]]

Thanks for the report and for tracking this down! I don't think we'll have a 59 dot release for this issue so I'm marking 59 as wontfix.

Comment 5

[Johann Hofmann [:johannh]]

I'm pretty sure that website is creating its favicon using canvas with a library such as http://blog.tommoor.com/tinycon/ or http://lab.ejci.net/favico.js/. That is blocked as expected.

Comment 6

[Yegor Timoshenko]

Oh, you're most likely right! Sorry for misidentifying the problem. That said, perhaps showing default favicon instead of white square would be preferable from UI standpoint.

Comment 7

[Johann Hofmann [:johannh]]

(In reply to Yegor Timoshenko from comment #6)
> Oh, you're most likely right! Sorry for misidentifying the problem. That
> said, perhaps showing default favicon instead of white square would be
> preferable from UI standpoint.

The website doesn't "get" that we're sending it white noise instead of proper image data, so it will set that as the favicon. I don't think there's much we can do here :/