Extend canvas randomization permission test
Categories
(Core :: Privacy: Anti-Tracking, task, P1)
Tracking
()
People
(Reporter: fkilic, Assigned: fkilic)
References
(Blocks 2 open bugs, Regressed 1 open bug)
Details
Attachments
(6 files, 1 obsolete file)
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
33.53 KB,
image/png
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
phab-bot
:
approval-mozilla-esr140+
|
Details | Review |
|
48 bytes,
text/x-phabricator-request
|
phab-bot
:
approval-mozilla-esr140+
|
Details | Review |
100% reproducible.png
The goal of this bug is to investigate if granting canvas permission allows canvas reading without any randomization or placeholder value.
|
Assignee | |
Comment 1•1 year ago
|
||
|
|
Assignee | |
Comment 2•1 year ago
•
|
||
Okay so I just submitted a try, it should hopefully let us know if the granting permission actually works or not. https://treeherder.mozilla.org/jobs?repo=try&revision=a7f0676e0f2ab447464c4ce2b6a65c1e5033b130. Also do note the test doesn't cover offscreen canvas because right now offscreen canvas doesn't check for permission and it is a known issue.
|
||
Comment 3•1 year ago
|
||
Tor Browser hat ... now I'm worried RFP doesn't cover all methods of offscreen canvas?
|
|
Assignee | |
Comment 4•1 year ago
•
|
||
It does cover it (or at least my local testing shows it, by failing tests with permission granted, i.e. expects no randomization but still gets randomized value from offscreen canvas), but I just disabled them in the test because granting permission would still return placeholder/RFP random. So offscreen canvas returns random regardless of the permission state.
also here's the bug i mentioned https://bugzilla.mozilla.org/show_bug.cgi?id=1422862
|
||
Comment 6•1 year ago
|
||
| bugherder | ||
|
|
||
Comment 7•1 year ago
|
||
https://bugzilla.mozilla.org/show_bug.cgi?id=1896175#c7 still pertains - adding a test that doesn't seem to capture the issue hasn't solved the problem - do you want me to open another issue?
|
|
Assignee | |
Comment 8•1 year ago
|
||
Sure, but do you know what is missing from the test I wrote? We can create a new bug sure but if tzp and my test do the same thing then I don't really know we would move forward.
|
|
||
Comment 9•1 year ago
|
||
but do you know what is missing from the test I wrote?
Not really. I can't follow it TBH :) These are in effect known pixel tests, but where are the known values? I see true value as null for the five tests which doesn't make sense to me, but not my test.
Which leaves us at the point that a proven real world test on a live HTTPS site dedicated to these things, shows the issue still exists. I can't do any more than that. If we don't reopen (or open another issue), then nothing will change (and the issue isn't resolved). Of course, it is feasible that TZP is wrong, but it's not - you can see the hashes change - they are stable without any randomization and they change when FPP or RFP is used.
So, now what? Reopen is my suggestion so all info is in the same place. Ask for help/review.
|
|
Assignee | |
Comment 10•1 year ago
|
||
Sure let's reopen it. About the test, I replace nulls with actual values in add_setup. I put nulls as a placeholder.
|
|
Assignee | |
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
|
Assignee | |
Comment 11•1 year ago
|
||
Okay so I was able reproduce the issue, and I have no idea why it might happen. If you set canvas's size, we get different values sometimes (not always). It tends to occur especially when the canvas size is small. So for example with a 100x100 canvas, it never happens, and for 10x10 it always happens, for 20x20 it happens sometimes. I have no idea what might cause this. AFAIK the only check RFP does about canvas size is whether it is bigger than 1x1 or not.
|
|
||
Comment 12•1 year ago
|
||
You'd have to step me thru your testing methodology for me to fully understand it (on irc at some stage). I did do a double take on the 3x1 canvas size, but ignored it in the meantime. TZP uses a set size with set known values - i.e we don't need to calculate them on the fly, but for here, we should, e.g. if png compression changes (as it has in the past) - see this for compression changes and for sizes and known results. This makes it easy to detect if it's protected or not. As for detecting RFP vs FPP that's more complicated. For you, it's easy - all three should differ: RFP/FPP/nothing (and you don't have to worry about extensions like I do)
|
|
Assignee | |
Comment 13•1 year ago
|
||
|
|
Assignee | |
Comment 14•1 year ago
•
|
||
Hmm okay so I changed the test to set the size to 3x1, and it fails. getImageData works but not toDataURL or toBlob (I believe both toDataURL and toBlob call the same codepath, but haven't confirmed it). My suspicion is https://searchfox.org/mozilla-central/rev/56fd3b43187bca036141c384b809e61d51a447de/dom/canvas/CanvasRenderingContext2D.cpp#2078 here we don't check for permission. I'll see if checking permission here fixes it at least for toDataURL.
|
|
Assignee | |
Comment 15•1 year ago
|
||
Yeah the issue seems to be that line. The problem is plumbing the principal all the way to there.
|
|
Assignee | |
Comment 16•1 year ago
|
||
canvas context has the principal but we would have to plumb it to all the overrides here https://searchfox.org/mozilla-central/search?q=symbol:_ZN33nsICanvasRenderingContextInternal14GetInputStreamEPKcRK12nsTSubstringIDsEPP14nsIInputStream&redirect=false. I'll try to fix it and see if it works.
|
|
Assignee | |
Comment 17•1 year ago
|
||
The patch that I'm currently working on builds on top of bug 1422862, so it is blocking. We can skip offscreen canvases if fixing this permission issue is really needed though.
|
|
Assignee | |
Comment 18•1 year ago
|
||
|
||
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
|
Assignee | |
Comment 19•1 year ago
|
||
|
|
||
Comment 20•1 year ago
|
||
Comment on attachment 9434300 [details]
Bug 1918690: Implement IsImageExtractionAllowed_impl. r?tjr
Revision D227385 was moved to bug 1422862. Setting attachment 9434300 [details] to obsolete.
|
|
||
Comment 21•8 months ago
|
||
Where are we at - TB users are getting confused - https://forum.torproject.org/t/is-new-identity-enough-to-protect-me-as-i-never-allow-extract-canvas-data/17412/4
|
|
Assignee | |
Comment 22•8 months ago
|
||
We are still waiting for a review
|
|
||
Comment 23•8 months ago
|
||
OK, but fixing the test won't exactly fix the actual problem - it'll just tell you what I've been saying for months, since bug 1896175 landed :)
|
|
||
Comment 24•8 months ago
|
||
FYI: in FF137
- normal window with ETP Standard: i.e FPP is not enabled
- RFP enabled
- site exception for RFP canvas
- we still get FPP being applied to
toBlobandtoDataURL
|
|
Assignee | |
Comment 25•8 months ago
|
||
(In reply to Thorin [:thorin] from comment #23)
Created attachment 9467039 [details]
100% reproducible.pngOK, but fixing the test won't exactly fix the actual problem - it'll just tell you what I've been saying for months, since bug 1896175 landed :)
Is this image with all the patches applied in https://phabricator.services.mozilla.com/D227385 ? The bug is named extend tests but we have 5 patches in that stack 4 of which aren't tests.
|
|
||
Comment 26•8 months ago
|
||
Is this image with all the patches applied in https://phabricator.services.mozilla.com/D227385
That image is actually Tor Browser. But tests using Nightly - Built from https://hg.mozilla.org/mozilla-central/rev/f47117ef97a7314f4c3d0f844b7c908b0c97038c - shows the same behavior
|
|
Assignee | |
Comment 27•8 months ago
|
||
Alright then I would say https://phabricator.services.mozilla.com/D222869 should be able to fix this, but it hasn't landed yet.
|
|
||
Comment 28•8 months ago
|
||
For the record: Bug 1910796 (landed 2 days ago) changes the compression - so if known pixel tests are relying on hashes they will fail
- TZP checks each pixel's rbga in
getImageDataand is not affected - TZP uses a known hash for
toBlobandtoDataURLand is affected- but never fear I am patching to allow for the new known hashes as I type
|
|
||
Updated•6 months ago
|
|
|
||
Comment 29•5 months ago
|
||
The following patch is waiting for review from an inactive reviewer:
| ID | Title | Author | Reviewer Status |
|---|---|---|---|
| D222869 | Bug 1918690: Check canvas permission in RandomizePixels function. r?tjr | fkilic | jgilbert: Disabled |
:fkilic, could you please find another reviewer or abandon the patch if it is no longer relevant?
For more information, please visit BugBot documentation.
|
||
Comment 31•4 months ago
|
||
|
||
Comment 32•4 months ago
|
||
Backed out for causing bc failures @ browser_etp_permission.js
|
|
||
Comment 34•4 months ago
|
||
|
||
Comment 35•4 months ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/c64ad97247b7
https://hg.mozilla.org/mozilla-central/rev/81e871035004
https://hg.mozilla.org/mozilla-central/rev/59801de9e2c8
https://hg.mozilla.org/mozilla-central/rev/1e26b83dce12
|
|
Assignee | |
Comment 36•4 months ago
|
||
Original Revision: https://phabricator.services.mozilla.com/D222869
|
|
||
Updated•4 months ago
|
|
|
Assignee | |
Comment 37•4 months ago
|
||
Previously this test didn't test for offscreen canvses. After all the previous patches in this stack, we can now enable offscreen canvas permission tests.
We are basically removing if (isOffscreen) continue; logic
Original Revision: https://phabricator.services.mozilla.com/D222838
|
|
||
Updated•4 months ago
|
|
||
Comment 38•4 months ago
|
||
To be clear, we are requesting uplift to put this into ESR for Tor. It affects he behavior of Resist Fingerprinting, but not for supported FF users. It doesn't need to be uplifted, but given that it's been stable for us and doesn't change the functionality of ESR we thought we'd ask.
|
||
Updated•3 months ago
|
|
|
||
Updated•3 months ago
|
|
|
||
Updated•3 months ago
|
|
||
Updated•3 months ago
|
|
|
||
Comment 39•3 months ago
|
||
| uplift | ||
|
||
Updated•3 months ago
|
Description
•