(In reply to jeff.roedel.isp from comment #7)
I'm no browser expert, but what about just disabling the "privacy.resistFingerprinting.autoDeclineNoUserInputCanvasPrompts" functionality after a file upload?
That's equivalent to what's being discussed, but on a per-site basis. The protection the fingerprinting canvas prompt affords shouldn't be turned off on other pages.
The real problem here is that the user isn't notified of the blockage. Once notified, it's trivial to allow the page Canvas access via the Dialog box and re-upload the image.
There should already be an icon appearing in the location bar (to the left of the URL) when this happens. I just tested and this happens for me. You can click to see this doorhanger to allow permissions and then re-upload - it's probably quite subtle though...
(In reply to Tom Ritter [:tjr] (OOTO until 5/1?) from comment #6)
(In reply to :Gijs (he/him) from comment #5)
Can we give implied per-document permission to scraping a canvas to which the site draws an image that comes from a File object? AIUI it can't get a valid file object without the user giving it one, and at that point it should be allowed access to the image data without jumping through more hoops.
I think this is a good idea. I'll cc Matt in; but leave Arthur's ni in case he wants to add an opinion.
Implementation-wise - I'm not sure how to build what you described. How would we know if the image that is drawn came from a File upload? Tracking that data seems infeasible.
Well, we track what we put on the canvas for tainting purposes (i.e. if cross-origin data is written, the canvas is marked tainted). So presumably when drawImage is called, we know something about the origin of the image. Naively, it would seem possible to pass through where that data came from in the file upload case, too.
However, if the user uploads a file from their computer to a website, I would consider that to be an action that imparts trust in the website; and take that mere action as granting permission to read data from any/all canvases on the page.
This would be simpler and probably work just as well, yes.