Don't trigger a resistFingerprinting warning if contents of a canvas nothing has been drawn to is retrieved
Categories
(Core :: Graphics: Canvas2D, enhancement, P5)
Tracking
()
People
(Reporter: kolan_n, Unassigned)
Details
(Whiteboard: [fingerprinting])
User Agent: Mozilla/5.0 (Android 6.0; Mobile; rv:59.0) Gecko/20100101 Firefox/59.0
Steps to reproduce:
document.createElement("canvas").getBlob() // I saw this code in the wild used for being tested for presence of the API
Actual results:
Blocked and RFP warning.
Expected results:
The browser should remember that the canvas is empty. Empty canvases are safe to expose. I guess there should be a list of operations it is safe to apply without creating a fingerprinting vector. For example filling all the canvas with a 100% opaque rectangle matching exactly its size should be safe and should wipe all the fingerprintable information.
Even more - taint checking can be introduced. Though I personally don't think it is impossible to bypass it, but ...
there can be more than 2 modes
0 no checking, no blocking (equivalent to privacy.resistFingerprinting = false)
1 taint checking (the default one)
2 less taint checking, more blocking and faking
3 even more blocking and faking
4 block/fake everything (equivalent to privacy.resistFingerprinting = true)
Updated•6 years ago
|
Updated•6 years ago
|
Comment 1•6 years ago
|
||
Any opinions on these warnings?
Comment 2•6 years ago
|
||
We could do this; but it isn't a priority right now.
Comment 3•6 years ago
|
||
It's not high priority if it doesn't create web-compact issues. I guess it doesn't. Great if Tom has time to work on it.
Updated•2 years ago
|
Description
•