Open Bug 1747674 Opened 3 years ago Updated 3 years ago

Resist Fingerprinting (RFP) breaks jigsaw-puzzle-type CAPTCHAs

Categories

(Core :: Privacy: Anti-Tracking, defect, P3)

Firefox 91
defect

UNCONFIRMED

People

(Reporter: Elijah, Unassigned)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0

Steps to reproduce:

Visit a site that uses a jigsaw-puzzle-type CAPTCHA to verify the user is human, e.g. https://angel.com/twitch/jobs (or any company's site on AngelList; Twitch is just the first one I clicked).

ATTEMPTED TROUBLESHOOTING

  1. Disabling privacy.resistFingerprinting in About:Config is a workaround.
  2. Inspecting the CAPTCHA frame's source suggests that content is loaded from .captcha-delivery.com and .datadome.co subdomains; HOWEVER, setting the value of privacy.resistFingerprinting.exemptedDomains to ".captcha-delivery.com|.datadome.co" in About:Config DOES NOT resolve the issue. Perhaps there's a different value for this preference that will resolve the bug, but I wasn't able to find it.

Actual results:

The background "puzzle" of the CAPTCHA is not shown correctly, presumably from some canvas interaction. (see attached screenshot)

Expected results:

The CAPTCHA should have loaded normally and been simple for the typical human user to complete.

The Bugbug bot thinks this bug should belong to the 'Core::Privacy: Anti-Tracking' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → Privacy: Anti-Tracking
Product: Firefox → Core
Severity: -- → S3
Priority: -- → P3

P.S. I'm fairly confident this bug is caused by RFP blocking canvas data. When RFP is disabled but CanvasBlocker (a Mozilla Recommended add-on) is installed, CanvasBlocker has settings that allow blocking of canvas data WITH whitelisting of captcha frames, and the jigsaw puzzle captcha is allowed to display as expected.

While you could change the canvas-blocking aspect of RFP to likewise whitelist captcha frames, I believe the existence of this bug is yet another point in favor of bug 1401440. Many problems would be much easier for users AND developers to solve if RFP were simply split into multiple, more granular preferences. (In this scenario, canvas blocking would be its own pref, so users would have the option to leave it False and install CanvasBlocker instead.)
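A page-side check for the failure suspected above, as an added example that is not part of the original report or of Firefox's code: it writes known pixels to a canvas, reads them back, and reports whether they survived. The names `canvasReadbackIntact` and `fakeDocument` are hypothetical, and the example assumes the CAPTCHA builds its image from canvas read-back, which the report only presumes.

```javascript
// Added example. Pass `document` in a page; fakeDocument() is a constructed
// stand-in so the check also runs under Node.
function canvasReadbackIntact(doc, size = 16) {
  const canvas = doc.createElement('canvas');
  canvas.width = size;
  canvas.height = size;
  const ctx = canvas.getContext('2d');
  if (!ctx) return { intact: false, reason: 'no-2d-context' };

  // Write known, fully opaque pixels with putImageData so anti-aliasing and
  // alpha premultiplication cannot change them on an unprotected canvas.
  const src = ctx.createImageData(size, size);
  for (let i = 0; i < src.data.length; i += 4) {
    const p = i / 4;
    src.data[i] = (p * 7) & 0xff;
    src.data[i + 1] = (p * 13) & 0xff;
    src.data[i + 2] = (p * 29) & 0xff;
    src.data[i + 3] = 255;
  }
  ctx.putImageData(src, 0, 0);

  let out;
  try {
    out = ctx.getImageData(0, 0, size, size).data;
  } catch (err) {
    return { intact: false, reason: 'readback-threw' };
  }
  let mismatched = 0;
  for (let i = 0; i < src.data.length; i++) {
    if (out[i] !== src.data[i]) mismatched++;
  }
  return mismatched === 0
    ? { intact: true, reason: 'ok', mismatched }
    : { intact: false, reason: 'pixels-altered', mismatched };
}

// Constructed stand-in for `document`. With alter=true, read-back returns
// all-white placeholder pixels instead of what was drawn.
function fakeDocument(alter) {
  let stored = new Uint8ClampedArray(0);
  const ctx = {
    createImageData: (w, h) => ({ data: new Uint8ClampedArray(w * h * 4) }),
    putImageData: (img) => { stored = Uint8ClampedArray.from(img.data); },
    getImageData: () => ({
      data: alter ? new Uint8ClampedArray(stored.length).fill(255) : stored,
    }),
  };
  return { createElement: () => ({ width: 0, height: 0, getContext: () => ctx }) };
}
```

A widget that composes its image on a canvas can run this once and switch to a pre-rendered image when `intact` is false, instead of showing a scrambled puzzle.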
