Firefox: Thumbnails generated with canvas are random data when privacy.resistFingerPrinting and canvas access is enabled #23936
Comments
|
It seems that other canvas using sites handle canvas access properly, like this site: https://browserleaks.com/canvas I think this must be an element bug. |
turt2live
added
X-Regression
S-Minor
|
hello! I reproduced the same issue on my end. FYI the uploaded images are not actually broken once opened, it's just the thumbnails; since user avatars are also rendered correctly I can confidently say canvas permission in Firefox is working fine. |
User avatars aren't rendered using canvases though? They're just straight up |
|
I didn't express myself well at all here, sorry. everything I said above applies to the case in which canvas permission has been allowed to Element using Firefox's UI. I mentioned user avatars because before one allows canvas access their background looks striped, but after you allow it and reload the page it's a solid color.
is this also true for the auto-generated ones that are simply a letter + a solid color (eg. in this issue we have a blue background and a white letter K)? |
|
The auto-generated ones do indeed use canvas to generate the data uri for the |
Firefox users with `resistFingerprinting` enabled were seeing random noise for rooms and users without avatars. There's no real reason to use data URLs to present flat colors. This converts non-image avatars to inline blocks with background colors. See element-hq/element-web#23936 Signed-off-by: Clark Fischer <clark.fischer@gmail.com>
Firefox users with `resistFingerprinting` enabled were seeing random noise for rooms and users without avatars. There's no real reason to use data URLs to present flat colors. This converts non-image avatars to inline blocks with background colors. See element-hq/element-web#23936 Signed-off-by: Clark Fischer <clark.fischer@gmail.com>
Firefox users with `resistFingerprinting` enabled were seeing random noise for rooms and users without avatars. There's no real reason to use data URLs to present flat colors. This converts non-image avatars to inline blocks with background colors. See element-hq/element-web#23936 Signed-off-by: Clark Fischer <clark.fischer@gmail.com>
|
Element's favicon also appears corrupted when
|
* Strict typechecking fixes for Base/Member/Avatar Update the core avatar files to pass `--strict --noImplicitAny` typechecks. Signed-off-by: Clark Fischer <clark.fischer@gmail.com> * Add tests for Base/Member/Avatar More thoroughly test the core avatar files. Not necessarily the most thorough, but an improvement. Signed-off-by: Clark Fischer <clark.fischer@gmail.com> * Extract TextAvatar from BaseAvatar Extracted the fallback/textual avatar into its own component. Signed-off-by: Clark Fischer <clark.fischer@gmail.com> * Use standard HTML for non-image avatars Firefox users with `resistFingerprinting` enabled were seeing random noise for rooms and users without avatars. There's no real reason to use data URLs to present flat colors. This converts non-image avatars to inline blocks with background colors. See element-hq/element-web#23936 Signed-off-by: Clark Fischer <clark.fischer@gmail.com> * Have pills use solid backgrounds rather than colored images Similar to room and member avatars, pills now use colored pseudo-elements rather than background images. Signed-off-by: Clark Fischer <clark.fischer@gmail.com> --------- Signed-off-by: Clark Fischer <clark.fischer@gmail.com> Co-authored-by: Andy Balaam <andy.balaam@matrix.org>
|
Default avatars in notifications will also be corrupted |
|
Okay, I had two days to investigate this issue further. It seems that RFP mode in Firefox doesn't trigger the "do you want to allow canvas access" for Whenever I use the As long as this is not fixed in Firefox (upstream from Librewolf), the off-screen-canvas thumbnail generation method won't work. Even worse, there is not an easy way of detecting if RFP is on, but juraj.maslar on the mozilla forums figured out a hacky way to do it: https://discourse.mozilla.org/t/how-to-detect-privacy-resistfingerprinting/111798/3 Using this method, it would be possible to fall back to the 'old' canvas creation method that works with RFP, until Firefox unfucks this. I'll attach a quick playground to test this, cobbled together from the (to me very messy) element code, and report the bug to Mozilla, if there isn't any reported yet. Anyone want me to prepare a PR with a fix for this with the workaround linked above? |
|
Update, it seems there is a bug filed on this behavior already: |
Steps to reproduce
Hey,
Not sure this is a Firefox bug, or a bug in the way Element deals with locally generated thumbnails. Here's how to reproduce:
privacy.resistFingerprinting, and disableprivacy.resistFingerprinting.autoDeclineNoUserInputCanvasPromptsin firefox (so the canvas access request could be shown)My former related comment on a closed issue: #9605 (comment)
Outcome
What did you expect?
A thumbnail should have been generated properly.
What happened instead?
Random data shown as thumbs on all ends:
Operating system
Firefox with Linux, but I think it's OS independent
Browser information
Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0
URL for webapp
app.element.io
Application version
it's the latest element
Homeserver
doesn't matter, it's a client side issue
Will you send logs?
Yes
The text was updated successfully, but these errors were encountered: