Open Bug 1693745 Opened 4 years ago Updated 9 months ago

Return a constant for UNMASKED_RENDERER_WEBGL and UNMASKED_VENDOR_WEBGL

Categories

(Core :: Graphics: CanvasWebGL, enhancement)

Product:
Core
Component:
Graphics: CanvasWebGL
Type:
enhancement

Tracking

()

People

(Reporter: hsivonen, Unassigned)

References

Details

UNMASKED_RENDERER_WEBGL allows fingerprinting by exact GPU. It's unclear to me, how much more unique the exact GPU name is compared to the combination of the exposed GPU capabilities, so it's unclear to me how much of a fingerprinting win it would be to hide the GPU name per se.

However, as seen in bug 1693534, the driver-provided string can contain information that's inappropriate to expose to the Web beyond the GPU name. Sanitizing the renderer strings in special cases while in general passing through what the driver says risks such a situation occurring again unless we watch changes in the driver-supplied strings very vigilantly.

WebKit (both Safari and Epiphany) return constants for UNMASKED_RENDERER_WEBGL and UNMASKED_VENDOR_WEBGL. We should consider doing the same. (However, since WebKit is behind Gecko and Chromium in WebGL, exposing the same values as WebKit does (Apple Inc. and Apple GPU) might result in a content downgrade.)

However, since WebKit is behind Gecko and Chromium in WebGL, exposing the same values as WebKit does (Apple Inc. and Apple GPU) might result in a content downgrade.

I wonder what would break if we always exposed Google Inc. as the vendor and, as renderer, exposed Google SwiftShader if we're on software rendering (really Microsoft Basic Render Driver or llvmpipe) and ANGLE (GPU) (where GPU is just those three letters) otherwise.

Bug 1217290: RFP returns

  • Vendor and Renderer as Mozilla
  • Unmasked Vendor and Unmasked Renderer as empty strings

If you're going to return one constant per OS, then it might be worthwhile cutting out the RFP code for those? pinging Tom :)

Flags: needinfo?(tom)

While we do expose OS in RFP via JS; I don't see a reason to change RFP unless we find it makes an improvement somewhere.

Flags: needinfo?(tom)

Title: Who Touched My Browser Fingerprint?: A Large-scale Measurement Study and Classification of Fingerprint Dynamics
URL: https://dl.acm.org/doi/10.1145/3419394.3423614
PDF: https://yinzhicao.org/fpmeasurement/imc20.pdf

3.1 Raw Dataset 7,246,618 fingerprints (page 3)
Table 1 (page 4) shows some insight into the static values' distinct results
- e.g. GPU Vendor: 26, GPU Renderer 5,747, GPU Type 4,943

I think this has been already implemented?
Because on my machine, I get different outputs from Mozilla as compared Chrome/Opera/Edge.

On Mozilla (and across different machines): "ANGLE (NVIDIA, NVIDIA GeForce GTX 980 Direct3D11 vs_5_0 ps_5_0), or similar"
On other browsers: "ANGLE (NVIDIA, NVIDIA GeForce RTX 2080 Ti (0x00001E07) Direct3D11 vs_5_0 ps_5_0, D3D11)"

Prerak, see Bug 1715690

You need to log in before you can comment on or make changes to this bug.