[tor-bugs] #12684 [Firefox Patch Issues]: Make "Not Now" the default button for TorBrowser's canvas permission dialogue

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Aug 20 02:24:31 UTC 2014


#12684: Make "Not Now" the default button for TorBrowser's canvas permission
dialogue
-------------------------------------+-------------------------------------
      Reporter:  isis
         Owner:  isis
          Type:  defect
        Status:  needs_review
      Priority:  critical
     Milestone:
     Component:  Firefox Patch Issues
       Version:
      Keywords:  tbb-usability, tbb-linkability, MikePerry201408R,
                 TorBrowserTeam201408
    Resolution:
 Actual Points:
        Points:
     Parent ID:
-------------------------------------+-------------------------------------

Comment (by isis):

 Replying to [comment:33 lunar]:
 > “HTML5 canvas” is a technical concept. Maybe it would be worth giving an
 > example of when HTML5 canvases are useful past tracking users?

 Like [https://twitter.com/isislovecruft/status/501114056267141120 these]
 [https://twitter.com/isislovecruft/status/501111201946808321 examples]?

 > I'm thinking of something like: ''Unless this website performs complex
 > drawings (e.g. a game), you should not allow it to proceed.''

 So... I was actually being entirely sarcastic when I said that the above
 was a legit use for accessing HTML5 canvas image data. It's not. That
 Glitch Art Generator site just has crap code. There's no reason, as far as
 I can tell, why that site couldn't just upload the image file to the
 server and have the editing happen server-side, or render it to an HTML5
 canvas and have the user edit it locally in the browser.

 '''If there is a legitimate reason that any site anywhere would ever need
 to render an image to an HTML5 canvas and then extract the locally
 rendered image data, I do not know of it.''' Even HTML5 games shouldn't
 need to do this. Lazy webdevs, crap code, and
 [http://www.w3.org/html/wg/drafts/html/master/scripting-1.html#the-canvas-element
 even crappier W3C specifications advocating privacy by policy].

 '''There is one possible exception''', as far as I've seen: Sites such as
 Twitter use HTML5 canvas image data extraction to build profile pages:
 they force you to "upload" your image file by rendering it to a canvas
 locally, then they extract the HTML5 canvas data (which is where the
 actual "uploading" of the image occurs). This is done so that the user can
 drag their photos around while updating their profile page, e.g. rotating,
 resizing, etc. Then the rotated/resized/whatever photo from the canvas
 gets uploaded, rather than the original. '''However "legitimate" and
 "benign" this may seem, it can still be used to fingerprint users''', and
 therefore I would argue that ''it's still crappy code produced by lazy
 webdevs who don't really care about their users' privacy''.

 (Dear Twitter, Github, Etherpad, and that Glitch Art Generator thing
 developers: if you're reading this, sorry for being rude, and please
 pretty please consider fixing your code.)



 > But then, while I'm thinking about it, the current UI might be entirely
 > wrong here. HTML5 canvas access should be blocked by default.

 It is! Tor Browser sends a blank (white) image, of static size, by default
 (and thereafter, if the user has clicked the `Never for this site` button
 in the popup).



 > A small warning should be displayed on the top of the page (like when
 > NoScript blocks XSS), alongside an “Option” button where access can be
 > allowed. “I can see the website does not work as it should, I need to allow
 > this thing that has been blocked.” And then I don't need to get a deep
 > understanding of what “HTML5 canvases” are. But the recent changes are
 > already improvements and the latter idea should probably belong to a
 > separate ticket.

 Hmm. I'm not sure I actually understand what you're suggesting. Do you
 mean that the popup should say `I can see this website (example.com) does
 not work as it should...`? Because that would encourage users to ''allow
 HTML5 canvas access'' (which we definitely ''don't'' want them doing!).

 Or perhaps I've misunderstood you? Would you please explain your idea
 more? Perhaps on a new ticket, if you like.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12684#comment:35>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
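
Added example, not part of the original comment and not Tor Browser or Twitter code: a sketch of the alternative the comment argues for, where a profile-photo editor records the rotate/resize/crop as numbers and uploads them with the original file, so canvas image data is never extracted. All function and field names are hypothetical, and it assumes the server applies the edit.

```javascript
// Added example; every name here is hypothetical.
// The canvas is only drawn to for preview. The edit is kept as numbers, so
// toDataURL(), toBlob() and getImageData() are never called.

// Normalise an angle in degrees to the range [0, 360).
function normaliseRotation(deg) {
  return ((deg % 360) + 360) % 360;
}

// Clamp a crop rectangle (source-image pixels) to the image bounds.
function clampCrop(crop, width, height) {
  const x = Math.min(Math.max(0, Math.round(crop.x)), width - 1);
  const y = Math.min(Math.max(0, Math.round(crop.y)), height - 1);
  const w = Math.min(Math.max(1, Math.round(crop.w)), width - x);
  const h = Math.min(Math.max(1, Math.round(crop.h)), height - y);
  return { x, y, w, h };
}

// Describe the user's edit; this is what gets uploaded with the original file.
function buildEditDescriptor(image, edits) {
  if (!(image.width > 0 && image.height > 0)) throw new RangeError("bad image size");
  const scale = edits.scale === undefined ? 1 : Number(edits.scale);
  if (!Number.isFinite(scale) || scale <= 0) throw new RangeError("bad scale");
  const full = { x: 0, y: 0, w: image.width, h: image.height };
  return {
    rotation: normaliseRotation(Number(edits.rotation) || 0),
    scale,
    crop: clampCrop(edits.crop || full, image.width, image.height),
  };
}

// Browser only: draw the preview. Drawing is write-only; nothing is read back.
function drawPreview(ctx, img, d) {
  const { x, y, w, h } = d.crop;
  ctx.save();
  ctx.translate(ctx.canvas.width / 2, ctx.canvas.height / 2);
  ctx.rotate((d.rotation * Math.PI) / 180);
  ctx.scale(d.scale, d.scale);
  ctx.drawImage(img, x, y, w, h, -w / 2, -h / 2, w, h);
  ctx.restore();
}

// Upload the untouched File plus the descriptor (assumed: server applies it).
function buildUpload(file, descriptor) {
  const form = new FormData();
  form.append("original", file);
  form.append("edits", JSON.stringify(descriptor));
  return form;
}
```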