Open Bug 1552786 Opened 6 years ago Updated 2 years ago

Don't trigger a resistFingerprinting warning if contents of a canvas nothing has been drawn to is retrieved

Categories

(Core :: Graphics: Canvas2D, enhancement, P5)

68 Branch
enhancement

UNCONFIRMED

People

(Reporter: kolan_n, Unassigned)

Details

(Whiteboard: [fingerprinting])

User Agent: Mozilla/5.0 (Android 6.0; Mobile; rv:59.0) Gecko/20100101 Firefox/59.0

Steps to reproduce:

document.createElement("canvas").getBlob() // I saw this code in the wild, used to test for the presence of the API

Actual results:

Blocked and RFP warning.

Expected results:

The browser should remember that the canvas is empty. Empty canvases are safe to expose. I guess there should be a list of operations that are safe to apply without creating a fingerprinting vector. For example, filling the whole canvas with a 100% opaque rectangle exactly matching its size should be safe and should wipe all the fingerprintable information.

Even more - taint checking can be introduced. Though I personally don't think it is impossible to bypass it, but ...

There can be more than 2 modes:
0: no checking, no blocking (equivalent to privacy.resistFingerprinting = false)
1: taint checking (the default one)
2: less taint checking, more blocking and faking
3: even more blocking and faking
4: block/fake everything (equivalent to privacy.resistFingerprinting = true)
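
The taint rule proposed in the report above, as an added JavaScript sketch that is not part of the original report and is not Gecko code: a canvas starts clean, any rendering taints it, and only a full-size opaque overwrite or a resize clears the taint. The class and method names are hypothetical, and the extra conditions on alpha, compositing mode, transform and clip are assumptions about what a "safe operations" list would have to check.

```javascript
// Added example: hypothetical model of the taint rule proposed in the report.
// CanvasTaintModel and its methods are illustrative names, not Gecko code.
class CanvasTaintModel {
  constructor(width, height) {
    this.resize(width, height);
  }
  // Setting width/height resets the bitmap to transparent black and the
  // drawing state to defaults, so the canvas is "empty" again.
  resize(width, height) {
    this.width = width;
    this.height = height;
    this.tainted = false;
    this.state = { globalAlpha: 1, op: "source-over", identityTransform: true, clipped: false };
  }
  // Track the state that decides whether a later fill overwrites every pixel.
  setState(key, value) {
    this.state[key] = value;
  }
  // Text, images, paths, gradients: output may vary per device, so taint.
  drawOther() {
    this.tainted = true;
  }
  fillRect(x, y, w, h, fillStyle) {
    const s = this.state;
    const coversAll = x <= 0 && y <= 0 && x + w >= this.width && y + h >= this.height;
    const opaqueSolid = typeof fillStyle === "string" && /^#[0-9a-f]{6}$/i.test(fillStyle);
    const overwrites = s.globalAlpha === 1 && !s.clipped && s.identityTransform &&
      (s.op === "source-over" || s.op === "copy");
    // Only a full, opaque, untransformed overwrite wipes earlier content;
    // every other fill is conservatively treated as tainting.
    this.tainted = !(coversAll && opaqueSolid && overwrites);
  }
  // Readback (toDataURL, toBlob, getImageData) would be allowed only if clean.
  canReadBack() {
    return !this.tainted;
  }
}

// Constructed scenario exercising the rule.
function demo() {
  const c = new CanvasTaintModel(300, 150);
  const results = [c.canReadBack()];            // empty canvas
  c.drawOther(); results.push(c.canReadBack()); // after drawing text
  c.setState("globalAlpha", 0.5);
  c.fillRect(0, 0, 300, 150, "#ffffff"); results.push(c.canReadBack()); // translucent fill
  c.setState("globalAlpha", 1);
  c.fillRect(0, 0, 300, 150, "#ffffff"); results.push(c.canReadBack()); // opaque full fill
  return results;
}
```
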

Type: defect → enhancement
Component: Untriaged → Tracking Protection
Whiteboard: [fingerprinting]
Component: Tracking Protection → Canvas: 2D
Product: Firefox → Core

Any opinions on these warnings?

Flags: needinfo?(amarchesini)
Priority: -- → P3

We could do this; but it isn't a priority right now.

Flags: needinfo?(amarchesini)
Priority: P3 → P5

It's not high priority if it doesn't create web-compat issues. I guess it doesn't. Great if Tom has time to work on it.

Severity: normal → S3