[tor-bugs] #13021 [Tor Browser]: Review Canvas APIs for fingerprintability
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Sep 4 00:56:26 UTC 2014
#13021: Review Canvas APIs for fingerprintability
-----------------------------+---------------------------------------------
     Reporter:  mikeperry    |      Owner:  brade
         Type:  task         |     Status:  assigned
     Priority:  major        |  Milestone:
    Component:  Tor Browser  |    Version:
   Resolution:               |   Keywords:  ff31-esr, tbb-fingerprinting, TorBrowserTeam201409
Actual Points:               |  Parent ID:
       Points:               |
-----------------------------+---------------------------------------------

Comment (by gacar):

I checked https://bugzilla.mozilla.org/show_bug.cgi?id=884226: This brings
a new canvas context property (`willReadFrequently`) that enables reading
from a software backend instead of a hardware "accelerated" one, which
turns out to be super-slow for some cases.

So, canvas reads may get faster, but no fingerprinting risks that I can
see.

Also interesting is
[https://bugzilla.mozilla.org/show_bug.cgi?id=962517 #962517]
which brings a chrome only HW-acceleration-disabled canvas and
explains the HW backend problem better in the context of FFOS.

`HitRegions` are about defining clickable regions in canvas, similar to
image-maps for <img> elements (e.g. using <area> & <map>). Although one
may potentially exploit the pixel-level differences in region boundaries
(similar to `isPointInPath` method
[https://web.archive.org/web/20140513130550/http://ct1.addthis.com/static/r07/core130.js AddThis was using])
it requires user interaction (click or hover) and
doesn't look like a reliable fingerprinting vector.

Also there's a switch `canvas.hitregions.enabled`, and it is disabled by
default in ESR31.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13021#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online