Closed Bug 1863439 Opened 11 months ago Closed 2 months ago

RFP ignores solid-color canvas randomizing exception

Categories

(Core :: Privacy: Anti-Tracking, defect, P3)

Firefox 121
defect

Tracking

()

RESOLVED WONTFIX
Tracking Status
firefox121 --- affected

People

(Reporter: thorin, Assigned: fkilic)

Details

(Whiteboard: [fpp:m8])

Attachments

(1 file)

Bug 1852541 provided a solution to not randomize canvas if it was a solid color (rgba). This works for FPP but not RFP

test: https://arkenfox.github.io/TZP/tests/canvasnoise.html

control

  • disable RFP
  • normal window
    • expected: green matches
  • private window (FPP)
    • expected: red hashes and result is [cached]
    • check "use a solid color" and click re-run: expected: green matches

test

  • enable RFP
  • in any window
    • expected: red hashes and result is [per-execution]
    • check "use a solid color" and click re-run
      • expected: green matches
      • got: red hashes etc
Flags: needinfo?(tom)

I looked at the code but could not figure out why this is happening... Might need to throw a bunch of debug statements around.

Flags: needinfo?(tom)
Whiteboard: [fpp:m8]
Severity: -- → S3
Priority: -- → P3

This patch extracts previous AllPixelsMatch lambda to its own public function. AllPixelsMatch is then used to check if the canvas is only a solid color before returning a placeholder or a randomized canvas.

Assignee: nobody → fkilic
Status: NEW → ASSIGNED

So before we do this, can we confirm that a repeated 1 x 1 px canvas (and therefore guaranteed a single color) with repeated calls where the "element" in it is moved each time to plot a full canvas, is not feasible? e.g. the letter a since it has lots of curves in it. Draw that positioned at 0,0 and measure, then 0,1 and measure etc

Flags: needinfo?(richard)

(In reply to Thorin [:thorin] from comment #3)

So before we do this, can we confirm that a repeated 1 x 1 px canvas (and therefore guaranteed a single color) with repeated calls where the "element" in it is moved each time to plot a full canvas, is not feasible? e.g. the letter a since it has lots of curves in it. Draw that positioned at 0,0 and measure, then 0,1 and measure etc

Hmm I think this is a workaround for this protection. We only check if the canvas size is more than 1x1 (I said canvas size but I'm not sure if we are using the canvas size or the size passed to getImageData call, if it is the latter then the situation is possibly even worse). I can't think of a way to protect against this except for software rendering, but my knowledge around the browser and the canvas API is still very little. I'll try to write some tests for the cases you mentioned and see if this workaround is possible. (I'm almost pretty sure drawing at 0,1 then 0,2 should be a valid workaround, I want to see if getImageData with 1 pixel calls is also a workaround)

Yeah it looks like there is a workaround https://codepen.io/fklc/pen/MWMeqXq. Even with +AllTargets or resistfingerprinting, you get non-zero pixels and they are not randomized

I think it makes more sense to track this in another bug though. I created a new bug 1909476

Do we want to land this though? The current implementation of solid color check prevents this protection workaround. It is a bug but also a feature I guess?

OK, so my thoughts are RFP does not want this as it is an exploit that can compromise a user's fingerprint. I've pinged richard, lets see what they say.

FPP has a different threat model, and I think the universal solid color canvas exception needs a rethink - make it a per site remote override so it's not universal. Can't believe meet caused this :)

Edit: and I totally realize that I opened the issue :)

Status: ASSIGNED → RESOLVED
Closed: 2 months ago
Flags: needinfo?(morgan)
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: