Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#6253 closed defect (fixed)

Prompt before allowing HTML5 Canvas image extraction

Reported by: mikeperry Owned by: mikeperry
Priority: High Milestone:
Component: Firefox Patch Issues Version:
Severity: Keywords: tbb-fingerprinting, interview
Cc: gk, adrelanos@… Actual Points: 8
Parent ID: Points:


The HTML5 canvas can be used for fingerprinting WebGL and font rendering as described in The fingerprint technique hinges on the ability for JS to extract image/data URLs from the canvas object and hash them and/or compute differences. There's some demonstration code that works for a specific (but currently unknown) Ruby version here:

I think the least-effort defense for now is to simply prompt before image extraction, and to allow extraction permissions to be set on a url-bar domain basis if the user has opted to store browser state to disk.

Later, we can think about virtualizing this surface during extraction, but I don't think we'll need to do that unless every site in the world decides to make a lolcat captioning HTML5 widget.
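
A small model of the gate proposed above, as an added example that is not part of the ticket or of the Tor Browser patch. `CanvasGate` and its methods are hypothetical names; all-zero bytes stand in for "blank image data", and keeping answers for the session only when browser state is not stored to disk is an assumption.

```javascript
// Hypothetical model of the proposed gate; not Tor Browser's implementation.
class CanvasGate {
  constructor(persistToDisk) {
    this.persistToDisk = persistToDisk; // user opted to store browser state to disk
    this.saved = new Map();             // url-bar domain -> "allow" | "deny", survives restart
    this.session = new Map();           // same shape, dropped on restart (assumption)
    this.pendingPrompts = [];           // domains waiting for a user decision
  }

  // Record the user's answer to the prompt for one url-bar domain.
  decide(urlBarDomain, answer) {
    (this.persistToDisk ? this.saved : this.session).set(urlBarDomain, answer);
    this.pendingPrompts = this.pendingPrompts.filter((d) => d !== urlBarDomain);
  }

  // Simulate a browser restart: only permissions written to disk survive.
  restart() {
    this.session.clear();
    this.pendingPrompts = [];
  }

  // Called at the point where script reads pixels back out of a canvas.
  // The lookup key is the url-bar domain, as the ticket proposes.
  extract(urlBarDomain, pixels) {
    const perm = this.saved.has(urlBarDomain)
      ? this.saved.get(urlBarDomain)
      : this.session.get(urlBarDomain);
    if (perm === "allow") return Uint8ClampedArray.from(pixels);
    if (perm === undefined && !this.pendingPrompts.includes(urlBarDomain)) {
      this.pendingPrompts.push(urlBarDomain); // queue one prompt, do not block the page
    }
    // Assumption: "blank" is all-zero bytes of the same length, identical on every machine.
    return new Uint8ClampedArray(pixels.length);
  }
}

// Constructed sample: two RGBA pixels standing in for rendered canvas content.
const rendered = [12, 200, 31, 255, 90, 14, 7, 255];

function demo() {
  const gate = new CanvasGate(false);
  const before = Array.from(gate.extract("example.com", rendered)); // blank, prompt queued
  gate.decide("example.com", "allow");
  const after = Array.from(gate.extract("example.com", rendered));  // real pixels
  const other = Array.from(gate.extract("example.net", rendered));  // still blank
  gate.restart();
  const restarted = Array.from(gate.extract("example.com", rendered)); // blank again
  return { before, after, other, restarted };
}
```

Because a denied or undecided read returns the same constant buffer on every machine, hashing or diffing it yields nothing that distinguishes one user from another.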

Change History (5)

comment:1 Changed 3 years ago by mikeperry

I discovered my problems with the GitHub code: It requires Ruby 1.9, and gem install has poor failure modes for compile errors.

comment:3 Changed 3 years ago by mikeperry

  • Keywords interview added

comment:4 Changed 3 years ago by mikeperry

  • Actual Points set to 8
  • Resolution set to fixed
  • Status changed from new to closed

comment:5 Changed 3 years ago by proper

  • Cc adrelanos@… added

This is quite confusing. I added the message here so it can be found by search engines more easily.

This website (%S) attempted to access
image data on a canvas. Since canvas image
data can be used to discover information about
your computer, blank image data was returned
this time.