Opened 4 years ago

Last modified 3 years ago

#12682 new enhancement

Tor Browser's HTML5 canvas fingerprinting dialogue could use a "Revoke" button

Reported by: isis Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-usability, tbb-linkability, tbb-firefox-patch
Cc: isis, mikeperry, gk, brade, mcs Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Currently when a website tries to access an HTML5 canvas, Tor Browser displays a little XUL dialogue near the URL bar which asks if you would like to give permission for that site to access the canvas. The options are "Allow in the Future", "Never Allow", and "Not Now". To see an example, just go look at someone's Github profile or view one of Riseup's Etherpads.

The problem is that after users pick one of these choices, the permission is stored via the NSIPermissionsManager and is only accessible to an end user by going to about:permissions. There really should be an easier way to access this, and at the very least, users should be able to easily revoke permissions later.

Child Tickets

TicketTypeStatusOwnerSummary
#18103defectclosedtbb-teamCanvas Warning Disappears Without Input

Change History (7)

comment:1 Changed 4 years ago by erinn

Component: Firefox Patch IssuesTor Browser
Keywords: tbb-firefox-patch added
Owner: changed from mikeperry to tbb-team

comment:2 Changed 3 years ago by harmony

In the course of resolving a help desk ticket in which the user claimed to have permanently disabled this warning across TB sessions, I tried to use about:permissions to view/change the stored preference, but nothing showed up. I advised the user to reinstall Tor Browser, but I don't know whether there is a more efficient way of doing this.

comment:3 in reply to:  2 ; Changed 3 years ago by isis

Replying to harmony:

In the course of resolving a help desk ticket in which the user claimed to have permanently disabled this warning across TB sessions, I tried to use about:permissions to view/change the stored preference, but nothing showed up. I advised the user to reinstall Tor Browser, but I don't know whether there is a more efficient way of doing this.


I forgot this ticket already existed — thanks for finding it, harmony!

The user should only need to restart Tor Browser to reset all canvas permissions. If a complete reinstall is needed, then that would likely be another bug (because it would mean that Tor Button is not properly clearing all browser state when "New Identity" is selected and/or when the browser is restarted).

comment:4 Changed 3 years ago by isis

Harmony also discovered that the about:permissions page no longer contains permissions for the canvas. I just checked it, and it does appears to only have the stock Firefox permissions.

comment:5 in reply to:  3 Changed 3 years ago by isis

Replying to isis:

Replying to harmony:
I advised the user to reinstall Tor Browser, but I don't know whether there is a more efficient way of doing this.

The user should only need to restart Tor Browser to reset all canvas permissions.


Just tested in stock tor-browser-4.5-alpha-4: "New Identity" and restarting the browser (by clicking the X and then starting it again) both remove any canvas permissions which had been previously saved (even if the user selected "Never for this site" in the dropdown canvas permission menu).

comment:6 Changed 3 years ago by mcs

Cc: brade mcs added

If I enable browser history storage via Torbutton's Privacy and Security Settings window, about:permission does show the site. However, there is no canvas-specific UI in about:permissions. Clicking the "Forget About This Site" button does clear the canvas setting. Adding a new section to about:permissions would make this process more friendly.

comment:7 Changed 3 years ago by bugzilla

Keywords: tbb-linkability added; tbb-linkabillity removed
Severity: Normal
Note: See TracTickets for help on using tickets.