[tbb-bugs] #18390 [Tor Browser]: PDF.js triggers canvas fingerprinting warning for some PDFs

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Mar 2 00:58:54 UTC 2016

#18390: PDF.js triggers canvas fingerprinting warning for some PDFs
 Reporter:  xcolour      |          Owner:  tbb-team
     Type:  defect       |         Status:  closed
 Priority:  Medium       |      Milestone:
Component:  Tor Browser  |        Version:
 Severity:  Normal       |     Resolution:  not a bug
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
  Sponsor:               |

Comment (by xcolour):

 Thanks for the feedback!

 For our site, we're investigating whether there's a good way to use native
 pdf-viewing functionality by default, and only falling back on site-hosted
 pdf.js if there isn't a native option.

 The iframe idea is definitely interesting, but I'm not sure I understand
 your point about privilege escalation. Tor browser already trusts built-in
 pdf.js (as of #10570). Are you suggesting that was a mistake or something

 The pdf.js team has also been pretty receptive to working around their use
 of getImageData et al., but it doesn't look like it's going to be
 completely straightforward since they use it in a few different places.

 Finally, I got a chance to dig into the Tor browser code that's triggering
 the canvas warning. It's a far simpler check than I thought, and I think
 it's clear that Tor browser is doing the right thing here, so the onus is
 definitely on us.

 Thanks again!

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18390#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list