[tbb-bugs] #18390 [Tor Browser]: PDF.js triggers canvas fingerprinting warning for some PDFs
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Mar 2 00:58:54 UTC 2016
#18390: PDF.js triggers canvas fingerprinting warning for some PDFs
-------------------------+---------------------------
Reporter: xcolour | Owner: tbb-team
Type: defect | Status: closed
Priority: Medium | Milestone:
Component: Tor Browser | Version:
Severity: Normal | Resolution: not a bug
Keywords: | Actual Points:
Parent ID: | Points:
Sponsor: |
-------------------------+---------------------------
Comment (by xcolour):
Thanks for the feedback!
For our site, we're investigating whether there's a good way to use native
pdf-viewing functionality by default, and only falling back on site-hosted
pdf.js if there isn't a native option.
The iframe idea is definitely interesting, but I'm not sure I understand
your point about privilege escalation. Tor browser already trusts built-in
pdf.js (as of #10570). Are you suggesting that was a mistake or something
else?
The pdf.js team has also been pretty receptive to working around their use
of getImageData et al., but it doesn't look like it's going to be
completely straightforward since they use it in a few different places.
Finally, I got a chance to dig into the Tor browser code that's triggering
the canvas warning. It's a far simpler check than I thought, and I think
it's clear that Tor browser is doing the right thing here, so the onus is
definitely on us.
Thanks again!
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18390#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list