Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CanvasBlocker doesn't work if privacy.resistFingerprinting = true #158

Closed
notDavid opened this issue Nov 22, 2017 · 8 comments
Closed

CanvasBlocker doesn't work if privacy.resistFingerprinting = true #158

notDavid opened this issue Nov 22, 2017 · 8 comments

Comments

@notDavid
Copy link

Fyi, it seems that in Firefox 58.0b5 if i set "privacy.resistFingerprinting = true" in about:config the canvas value is nolonger random - so the CanvasBlocker extension doesn't seem to work anymore. Tested at https://panopticlick.eff.org/

If i set it back to the default value "privacy.resistFingerprinting = false" CanvasBlocker works again.

https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/privacy/websites#Properties

@kkapsner
Copy link
Owner

Did you allow the canvas readout when Firefox asked you? CB will only do something if you allow it. Otherwise a generic white will be used.

@kkapsner
Copy link
Owner

kkapsner commented Dec 4, 2017

@Thorin-Oakenpants: you are right.
@notDavid: does it work if you allow the canvas?

@notDavid
Copy link
Author

notDavid commented Dec 4, 2017

@kkapsner Hi sorry for the late reply - i just tested again and indeed it works when i allow the readout.

Thanks for taking the time to explain :)

@notDavid notDavid closed this as completed Dec 4, 2017
@kkapsner
Copy link
Owner

kkapsner commented Dec 4, 2017

No problem - you're welcome. Thanks for rechecking.

@kkapsner
Copy link
Owner

kkapsner commented Dec 8, 2017

The link kind of makes sense - I just do not get why they prompt for isPointInPath but neither getImageData nor readPixels...

offscreen canvas should not be too common for usual applications. But for example the fingerprinting on https://www.browserleaks.com/canvas is offscreen.

PS: With the next version you will have even more options than a white listing. You can then specify the block mode specific for one site.

@tomrittervg
Copy link

Hey all, I'm a Mozilla person working on this. Despite Bug 1422890, we believe all those APIs are correctly spoofed (they provide fake data) unless the permission is granted.

We do prompt for getImageData. I'm investigating readPixels - I think in Tor Browser WebGL is click to play and that's why it's not addressed in our solution so in FF this may be a problem...

OffscreenCanvas is not enabled in Firefox yet; if you turn it on by flipping a pref we do not apply fingerprinting resistance to it.

I appreciate the investigation, if you have any other comments/concerns about this type of stuff in Firefox, feel free to reach out to me! https://ritter.vg/contact.html

@ToddServo
Copy link

ToddServo commented Jun 24, 2019

I am here because I accidentally doubled up on canvas fingerprint detection... double negative it seems.
I added some changes to my prefs.js and it paralyzed this addon. Mozilla's resistFingerprinting does little to spoof anything, and is useless alongside this addon.
user_pref("privacy.resistFingerprinting", true);

So if anyone else is here because pyllyukko/user.js#468 crippled CanvasBlocker... here's your fix.
THANKS!

@kkapsner
Copy link
Owner

I'm not sure what you mean by "paralyzed". If I enable RFP everything works as expected. Is there anything to fix?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants