Canvas Fingerprinting Protections do not apply to Service Workers
Categories
(Core :: DOM: Service Workers, defect, P3)
People
(Reporter: Joe, Unassigned)
Details
(Whiteboard: [fpp:m?])
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0
Steps to reproduce:
- Enter a Private Window or set Enhanced Tracking Protection to Strict.
- Visit https://abrahamjuliot.github.io/fpworker/
- Compare hashes of canvas values.
Actual results:
Service Worker hash values are the same as they are when not in a Private Window or with Enhanced Tracking Protection set to Standard, allowing tracking via these values.
Expected results:
Canvas hash values should be consistent.
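One way to tabulate step 3 of the reproduction, as an added example that is not part of the original report or of any Firefox test: the function name, the record shape and every hash value are made up for illustration. It assumes a scope with the protection applied reports a hash that differs from its Standard-mode value.

```javascript
// Added example: classify canvas hashes recorded per global scope.
// Every hash value here is a constructed placeholder, not real page output.
const SCOPES = ["Window", "DedicatedWorker", "SharedWorker", "ServiceWorker"];

// observations: [{ mode: "standard" | "strict", scope, hash }]
function classifyScopes(observations) {
  const byMode = { standard: new Map(), strict: new Map() };
  for (const { mode, scope, hash } of observations) {
    if (!(byMode[mode] instanceof Map)) throw new Error(`unknown mode: ${mode}`);
    if (!byMode[mode].has(scope)) byMode[mode].set(scope, new Set());
    byMode[mode].get(scope).add(hash);
  }
  const result = {};
  for (const scope of SCOPES) {
    const baseSet = byMode.standard.get(scope);
    const strictSet = byMode.strict.get(scope);
    if (!baseSet || !strictSet) {
      result[scope] = "untested"; // missing in one mode, e.g. scope unavailable
    } else if ([...strictSet].some((h) => baseSet.has(h))) {
      result[scope] = "unprotected"; // Strict run reproduced a Standard hash
    } else {
      result[scope] = "protected";
    }
  }
  // If Window is not "protected", the protection was likely inactive during
  // the Strict run, so matching worker hashes do not demonstrate a bypass.
  const conclusive = result.Window === "protected";
  const bypassed = conclusive
    ? SCOPES.filter((s) => result[s] === "unprotected")
    : [];
  return { result, conclusive, bypassed };
}

// Constructed sample: DedicatedWorker was not recorded in the Strict run.
const sample = [
  ...SCOPES.map((scope) => ({ mode: "standard", scope, hash: "aaaa1111" })),
  { mode: "strict", scope: "Window", hash: "c0ffee01" },
  { mode: "strict", scope: "SharedWorker", hash: "aaaa1111" },
  { mode: "strict", scope: "ServiceWorker", hash: "aaaa1111" },
];

console.log(classifyScopes(sample));
```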
Comment 1•4 months ago (Reporter)
Also affects SharedWorkerGlobalScope as it seems.
Comment 2•4 months ago
Thanks Joe, I have a few similar issues to dig into. While this is a bypass of the privacy protection, I don't think it needs to be hidden.
Comment 3•4 months ago (Reporter)
(In reply to Tom Ritter [:tjr] from comment #2)
> Thanks Joe, I have a few similar issues to dig into. While this is a bypass of the privacy protection, I don't think it needs to be hidden.
I thought so too, but better safe than sorry.
This issue, oddly, also affects Safari in the exact same way. I have a PoC that checks Safari's SharedWorker but it doesn't seem to catch the bug in Firefox for some reason. It does, however, catch the bug in the script in my original post.
https://github.com/Joe12387/safari-canvas-fingerprinting-exploit
Comment 4•4 months ago
Note that the policy decisions are made when RemoteWorkerData is populated here for ServiceWorkers and here for SharedWorkers (which should be propagating the value sampled by the SharedWorker binding here) and then applied to the worker when spawned here. This diagram of the uses of WorkerPrivate::GetLoadInfo may also be useful.
This is probably a situation where a pernosco trace is probably a good starting point.
Comment 5•3 months ago
I can reproduce it in Nightly, and then I tested with a local build that included the patches from Bug 1878716 and this is resolved in it, so I'm going to dupe it to that issue.
If it doesn't get fixed when that lands please re-open or notify me.
Comment 6•13 days ago (Reporter)
Hello.
The Service Worker context still leaks in regular browsing when Strict protections are enabled as of 127.0.1: https://abrahamjuliot.github.io/fpworker/
Thanks.