[tbb-dev] Canvas Breakage Ideas

Tom Ritter tom at ritter.vg
Tue Apr 28 04:51:19 UTC 2020

Sanketh is tackling some fingerprinting patches; he's doing great.  We
ran across two questions we wanted input on.
Background: Frequently sites break from the canvas permission prompt
in the following way:
User uploads image
Website tries to display image back to user
Image is white because it rendered the image to a canvas then tries to
read the canvas data


1) Sanketh had the idea of after granting permission, we show an
additional prompt suggesting the user reload the page; since websites
are not built to handle our 'well just try it again, it'l work this
time' change to canvas APIs.


2) In https://bugzilla.mozilla.org/show_bug.cgi?id=1631673 Gijs had
the idea of changing our behavior if the user has uploaded a file,
and using this as a queue to automatically allow canvas extraction.
Specifically he focused on allowing the website to read out the file
the user has just uploaded; and that only.

That would be ideal, but -with no testing and just hypothesizing - I
doubt it would work because some as simple as e.g resizing the image
would cause the match to fail and be dis-allowed.  But we could test

My idea was much simpler: if the user has uploaded a file, we take
that as a queue they trust the service; and then grant the canvas
permission prompt.  (In as tightly as scoped a manner as possible, but
the scoping is really just a bandaid over the problem....)

Sanketh and Simon pointed out that this is dangerous: just because a
user uploaded a file doesn't mean they consented to be fingerprinted.
And they're right; if a user is trying to have an anonymous account or
something similar, uploading a file is not a trusted relationship
permitting fingerprinting.

So the question then is, it seems like given Tor's strict stance, the
only way this could be implemented was if the data read from the
canvas was an exact match on the uploaded data. Is that accurate?  If
so, the next step would be to test these websites, because if they
don't behave that way it's probably not worth implementing this at


More information about the tbb-dev mailing list