When both CanvasRandomization/WebGLRandomization and EfficientRandomize RFPTargets are used, some randomization code does not run.
Categories: Core :: Privacy: Anti-Tracking, defect
People: Reporter: any1here, Assigned: any1here
Attachments: 1 file
Steps to reproduce:
Set ETP to Strict, then visit https://arkenfox.github.io/TZP/tests/canvasnoise.html and https://browserleaks.com/webgl.
Actual results:
getImageData is not being randomized on https://arkenfox.github.io/TZP/tests/canvasnoise.html.
WebGL image hash is not being randomized on https://browserleaks.com/webgl.
Expected results:
getImageData and WebGL image hash should show randomized values.
Wasn't sure which version to use, so I used the earliest one where this regression occurred.
The regression was introduced with https://phabricator.services.mozilla.com/D267099 when ImageExtractionResult started returning ImageExtraction::EfficientRandomize, which prevents it from running the code that guards the randomization behind ImageExtraction::Randomize without providing an alternative.
Comment 3•4 months ago
I will review this, but am currently on leave, so it might take me a bit to find the time.
(In reply to Tom Ritter [:tjr] from comment #3)
> I will review this, but am currently on leave, so it might take me a bit to find the time.
Is there anything still blocking this?
Comment 5•1 month ago
I know this is a straightforward patch, but the impact of this change will be to re-introduce visible image artifacts to a subset of canvas extractions. One of the reasons we changed approaches was that we could avoid this (Bug 1876149, Bug 1882761, Bug 1905884) while retaining protection against most fingerprinters. We have telemetry that lets us keep an eye on if/when/how fingerprinters are adapting their scripts, and before I land this change I would want us to review the telemetry and ensure the webcompat regression is justified.
Priority-wise for the next month and a half-ish, I'm focused on finishing the data analysis from the fingerprinting dataset we collected before it expires (see Bug 2043367 for the types of things we're doing there.) I am hoping to onboard more people to the fingerprinting project to manage rollouts of more protections and monitor metrics like these though.