With RFP, a granted Canvas Permission still applies FPP's randomization
Categories
(Core :: Privacy: Anti-Tracking, defect, P3)
Tracking
()
People
(Reporter: tjr, Assigned: fkilic)
References
(Blocks 1 open bug)
Details
(Whiteboard: [fpp:m?])
Attachments
(3 files)
test.png
As noted on the tor bugtracker - if you have RFP enabled, and grant a site canvas permission - it will still apply FPP's randomization. It should not.
|
||
Updated•5 months ago
|
|
Assignee | |
Comment 1•3 months ago
|
||
|
||
Updated•3 months ago
|
|
||
Comment 3•2 months ago
|
||
| bugherder | ||
|
|
Assignee | |
Comment 4•2 months ago
|
||
Original Revision: https://phabricator.services.mozilla.com/D218882
|
|
||
Updated•2 months ago
|
|
|
||
Comment 5•2 months ago
|
||
esr128 Uplift Approval Request
- User impact if declined: This patch improves the fingerprinting prevention/privacy of the users. We want to uplift this patch so that the privacy targeted browsers (e.g. Tor, Mullvad) can receive the updates. No big impact if declined.
- Code covered by automated testing: yes
- Fix verified in Nightly: yes
- Needs manual QE test: no
- Steps to reproduce for manual QE testing: Enable privacy.resistFingerprinting, visit https://arkenfox.github.io/TZP/tests/canvasnoise.html, grant canvas reading permissions, and verify 1st and 2nd read hashes match with the control hash
- Risk associated with taking this patch: I can't think of anything really. It has been a while since we landed this patch and we haven't seen any crashes.
- Explanation of risk level: Possibly none
- String changes made/needed: No
- Is Android affected?: yes
|
||
Updated•1 month ago
|
|
|
||
Updated•1 month ago
|
|
||
Updated•1 month ago
|
|
||
Comment 7•1 month ago
|
||
This also doesn't work as expected - I am only testing getImageData, toBlob, and toDataURL - so not sure about offscreenCanvas etc
see image of FF132 nightly
- https://arkenfox.github.io/TZP/tzp.html#canvas
- top FPP - all good
- middle RFP - all good
- bottom RFP with a RFP canvas exception - toBlob and toDataURL (non solid) are still FPP'd
|
|
Assignee | |
Comment 8•1 month ago
|
||
just to make sure that I understand it correctly, toDataURL and toBlob is applying randomization right? I'm going to assume that those functions are not checking for the permission.
|
|
Assignee | |
Comment 9•1 month ago
|
||
so not sure about offscreenCanvas etc
Also about offscreen canvas, we no nothing, there's no permission check, it always returns placeholder
|
|
||
Comment 10•1 month ago
|
||
long story short - if the notation is green, it's protected (randomized), if it's red it isn't (expected known value)
In a nutshell ... TZP is using known pixel tests. getImageData is randomized per section run (and the data stored for comparison), the others are hardcoded (and their hashes known). The tests (getImageData, isPoint*, toDataURL, toBlob etc) do a first pass (reading). For each one, if it returns the expected result then it displays that otherwise it will do a second pass (read) to determine if the change is persistent (like FPP) or per execution (like RFP). There are more checks for RFP compliance and some extra entropy is added about getImageData (at this point just the channels changed - I also display the % of pixels altered for each but do not record it in the fingerprint - this is called fingerprinting the fingerprint protection!)
offscreen canvas
My understanding is the FPP and RFP do protect this. If not then it's a gaping hole in FPP canvas protection. Check with tjr. I think there are also some other areas where canvas things are FPP protected - ? GetImageBuffer and GetInputStream ?
IDK what placeholder means
|
|
Assignee | |
Comment 11•1 month ago
|
||
Hmm my testing shows that permission granting works. I created bug 1918690, we can continue there.
Description
•