[tor-bugs] #7265 [Firefox Patch Issues]: Only display Canvas message for first parties; simply log third parties
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Aug 20 01:08:14 UTC 2014
#7265: Only display Canvas message for first parties; simply log third parties
-------------------------------------+-------------------------------------
Reporter: mikeperry | Owner: mikeperry
Type: enhancement | Status: needs_review
Priority: major | Milestone:
Component: Firefox Patch | Version:
Issues | Keywords: tbb-fingerprinting,
Resolution: | tbb-bounty, TorBrowserTeam201408,
Actual Points: | MikePerry201408R
Points: | Parent ID:
-------------------------------------+-------------------------------------
Comment (by isis):
Replying to [comment:19 isis]:
> I've tested it, and I think it still needs revision, as
{{{firstPartySpec.get()}}} and {{{docSpec.get()}}} always seem to produce
the ''same'' value (at least in the ~10 websites I tested). I know that
some of these are third party scripts trying to access the canvas, and
others are possibly third party sourced into the first party's domain,
others are first party... meaning that this patch as it stands is unable
to detect the difference, and users are still shown the HTML5 canvas
permissions popup.
I fiddled with this over the weekend, trying to produce some C++ object
which would tell me the location of the script which triggered the HTML5
canvas data access popup, and I produced a nasty thing that casts to a
`nsJSPrinciple`... in the end it produced the same URIs as
`firstPartySpec.get()` and `docSpec.get()`.
I don't know my way around Firefox's crazy C++ yet. Please halp?!?!
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7265#comment:20>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list