Open Bug 1676028 Opened 5 months ago Updated 5 months ago

privacy.resistFingerprinting breaks the import of images from the clipboard

Categories

(Core :: DOM: Editor, defect, P5)

Firefox 83
defect

Tracking

()

UNCONFIRMED

People

(Reporter: valery, Unassigned)

References

(Blocks 1 open bug)

Details

Attachments

(3 files)

Attached image Post.png

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0

Steps to reproduce:

  1. Copy any image to the clipboard (Windows).
    2a. Insert it when writing a message in the built-in messenger of the VK social network (https://vk.com)
    2b. Insert it when writing a post in my profile.

Actual results:

The image is distorted (in various ways, see screenshots) and does not contain the source image.

Expected results:

The image is imported from the clipboard correctly, as it happens when adding an image from a file.

(As additional information. Similar distortions of images when displayed in Firefox can be seen in other cases, but I think that they will be fixed automatically with this bug, since distortions are similar).

Attached image Messenger.png
Attached image Source.png

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0

Hi,

If the issue is still reproducible on your end, can you please retest this using the latest Nightly build (https://nightly.mozilla.org/) and report back the results? When doing this, please use a new clean Firefox profile (https://goo.gl/AWo6h8) to eliminate custom settings as a possible cause.

Thanks for the report.

Flags: needinfo?(valery)

I did as you advised and installed the latest latest Nightly build. The problem was not reproduced.

I went back to beta 83. It turned out that the problem arises with the enabled function of prohibiting the used data from the images HTML5 Canvas. If these protections are disabled, the problem is not reproduced.

Can this be considered a bug or is it currently a feature that needs to be described in the documentation?

Flags: needinfo?(valery)

I think it is not a bug, but to be sure, I will move this over to a component so developers can take a look over it. If this is not the correct component please feel free to change it to an appropriate one.
Thanks for your collaboration.

Component: Untriaged → Canvas: 2D
Product: Firefox → Core
Component: Canvas: 2D → General
Product: Core → Firefox

I don't think this is a Core bug. This is a bug for this protection, which, as far as I understand, is now in testing mode:
https://support.mozilla.org/en-US/kb/firefox-protection-against-fingerprinting
Disabling this protection does not cause the problem. If you turn it on, it arises.
I use this function in test mode and I think that such cases can be passed to the developers of this function.
However, I did not see the corresponding component in the list.
But this is definitely not the Core, this is functionality specifically Firefox.

Moving to DOM: Editor, can that group triage from here?

Component: General → DOM: Editor
Product: Firefox → Core

I tried creating an account but VK never sends a confirmation code. Mirko, could you try this as you have been working on clipboard?

Flags: needinfo?(mbrodesser)
Flags: needinfo?(mbrodesser)
Flags: needinfo?(mbrodesser)

Tom, are we interested in individual canvas breakage? Can you block it on the right bug if yes? :)

Thanks!

Flags: needinfo?(tom)

Valery: thanks for reporting the issue. I couldn't reproduce it by using another website, which includes some <canvas> and some <img>s: https://www.w3schools.com/html/html5_canvas.asp. However, I tried it with Ubuntu 18.04 with beta 84 (not 83). Does the issue still occur for you with beta 84? If so, a smaller reproduction scenario would be helpful, ideally not requiring any registration.

Flags: needinfo?(mbrodesser) → needinfo?(valery)

This is expected behavior when you enable the privacy.resistFingerprinting (RFP) preference. You don't need to retest it.

The site in question is reading something from a canvas, and RFP returns random data to prevent fingerprinting.

If you're blocked by this behavior, or don't know what RFP is, you should disable that preference - it's not intended for general use.

Flags: needinfo?(tom)

Do I understand correctly that in this case Firefoh protects me from collecting fingerprints from the social network? If so, then I understand the meaning. If my understanding is correct, then this bug should probably be closed. Perhaps I will contact the support of a social network about this. I understand the meaning of the RFP. I just wanted to see if it worked correctly. If this behavior is defensive, then it's cool.

And yes, this behavior has been observed, according to my observations, from the moment I turned on the RFP (a number of releases ago, when this protection was announced).

Perhaps it will be useful for marketing to understand the situation in more detail and give the described case as an example of protecting users from the incorrect behavior of social networks.

Have a good weekend!

Flags: needinfo?(valery)

RFP is something we developed in conjunction with and upstreamed from Tor Browser. The are the primary consumers of it. Enabling RFP in Firefox may make you less fingerprintable, but its protections are not complete - for example font protections are not fully in place, although we are exploring some work there. And your IP address will still leak unless you use e.g. Firefox VPN. So we don't recommend it for general use, but we do expose about:config because we believe in User Agency :)

I could close it, but we like to keep these around because in the future if we try to improve behavior of the canvas stuff, we like to have test cases to experiment with to see if we've improved the user experience.

Severity: -- → S4
Priority: -- → P5
Summary: Incorrect import of images to the VK social network from the clipboard → privacy.resistFingerprinting breaks the import of images from the clipboard
You need to log in before you can comment on or make changes to this bug.