Open Bug 2013976 Opened 5 months ago Updated 1 month ago

When both CanvasRandomization/WebGLRandomization and EfficientRandomize RFPTargets are used, some randomization code does not run.

Categories

(Core :: Privacy: Anti-Tracking, defect)

Firefox 145
defect

Tracking

()

ASSIGNED

People

(Reporter: any1here, Assigned: any1here)

References

Details

Attachments

(1 file)

Steps to reproduce:

Set ETP to Strict, then visit https://arkenfox.github.io/TZP/tests/canvasnoise.html and https://browserleaks.com/webgl.

Actual results:

getImageData is not being randomized on https://arkenfox.github.io/TZP/tests/canvasnoise.html.
WebGL image hash is not being randomized on https://browserleaks.com/webgl.

Expected results:

getImageData and WebGL image hash should show randomized values.

Wasn't sure which version to use, so I used the earliest one where this regression occurred.

The regression was introduced with https://phabricator.services.mozilla.com/D267099 when ImageExtractionResult started returning ImageExtraction::EfficientRandomize, which prevents it from running the code that guards the randomization behind ImageExtraction::Randomize without providing an alternative.

Summary: When both CanvasRandomization and EfficientRandomize RFPTargets are used, some randomization code does not run. → When both CanvasRandomization/WebGLRandomization and EfficientRandomize RFPTargets are used, some randomization code does not run.
Attachment #9541896 - Attachment description: Bug 2013976 - Ensure randomization code runs when both CanvasRandomization and EfficientCanvasRandomization RFPTargets are enabled → Bug 2013976 - Ensure randomization code runs when both CanvasRandomization/WebGLRandomization and EfficientCanvasRandomization RFPTargets are enabled
Flags: needinfo?(tihuang)
Assignee: nobody → any1here
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Flags: needinfo?(tihuang)

I will review this, but am currently on leave, so it might take me a bit to find the time.

Flags: needinfo?(tom)
Depends on: 2022615

(In reply to Tom Ritter [:tjr] from comment #3)

I will review this, but am currently on leave, so it might take me a bit to find the time.

Is there anything still blocking this?

I know this is a straightforward patch, but the impact of this change will be to re-introduce visible image artifacts to a subset of canvas extractions. One of the reasons we changed approaches was that we could avoid this (Bug 1876149, Bug 1882761, Bug 1905884) while retaining protection against most fingerprinters. We have telemetry that lets us keep an eye on if/when/how fingerprinters are adapting their scripts, and before I land this change I would want us to review the telemetry and ensure the webcompat regression is justified.

Priority-wise for the next month and a half-ish, I'm focused on finishing the data analysis from the fingerprinting dataset we collected before it expires (see Bug 2043367 for the types of things we're doing there.) I am hoping to onboard more people to the fingerprinting project to manage rollouts of more protections and monitor metrics like these though.

Flags: needinfo?(tom)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: