[tbb-bugs] #18390 [Tor Browser]: PDF.js triggers canvas fingerprinting warning for some PDFs

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Feb 25 01:25:03 UTC 2016

#18390: PDF.js triggers canvas fingerprinting warning for some PDFs
 Reporter:  xcolour      |          Owner:  tbb-team
     Type:  defect       |         Status:  closed
 Priority:  Medium       |      Milestone:
Component:  Tor Browser  |        Version:
 Severity:  Normal       |     Resolution:  not a bug
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
  Sponsor:               |
Changes (by cypherpunks):

 * status:  new => closed
 * resolution:   => not a bug


 Replying to [ticket:18390 xcolour]:
 > It looks like this was fixed in #10570 for the Firefox-local version of
 PDF.js, but (perhaps intentionally) not for PDF.js if it's being served by
 the website.

 Naturally. Tor Project developers can only vouch for the code they ship,
 not whatever any random website pushes to you.

 > Is this a bug in Tor Browser's canvas fingerprinting detection, or is
 what PDF.js is doing simply indistinguishable from a fingerprinting

 It is indistinguishable because fingerprinting is (potentially) what the
 site is doing. Tor Browser cannot guess "intent" so it has to be
 conservative and block access to canvas.

 It's not a bug. Tor Browser is doing what it's supposed to do.

 Now, if the pdf.js guys are willing to workaround it, they could try to
 avoid looking "into" the canvas: no getImageData, no
 to{Blob,Url,File,...}, etc.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18390#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list