Prompt before allowing HTML5 Canvas image extraction

[mikeperry]

The HTML5 canvas can be used for fingerprinting WebGL and font rendering as described in ​http://www.w2spconf.com/2012/papers/w2sp12-final4.pdf. The fingerprint technique hinges on the ability for JS to extract image/data urls from the canvas object and hash them and/or compute differences. There's some demonstration code that works for a specific (but currently unknown) ruby version here: ​https://github.com/kmowery/canvas-fingerprinting.

I think the least-effort defense for now is to simply prompt before image extraction, and to allow extraction permissions to be set on a url-bar domain basis if the user has opted to store browser state to disk.

Later, we can think about virtualizing this surface during extraction, but I don't think we'll need to do that unless every site in the world decides to make a lolcat captioning HTML5 widget.

[mikeperry]

I discovered my problems with the the github code: It requires Ruby 1.9, and gem install has poor failure modes for compile errors.

[mikeperry]

The interfaces for getting image data are ​https://developer.mozilla.org/en/DOM/HTMLCanvasElement#Methods and also ​https://developer.mozilla.org/en/DOM/CanvasRenderingContext2D#getImageData%28%29

[mikeperry]

This was fixed by Pearl Crescent with ​https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/src/current-patches/firefox/0021-Add-canvas-image-extraction-prompt.patch.

Note the strings for the prompt actually come from Torbutton:
​https://gitweb.torproject.org/torbutton.git/blob/master:/src/chrome/locale/en/torbutton.properties#l47

The fix should appear in the next TBB-stable release.

[proper]

This is quite confusing. I added the message here so it can found by search engines more easily.

This website (%S) attempted to access
image data on a canvas. Since canvas image
data can be used to discover information about
your computer, blank image data was returned
this time.