[tbb-dev] Canvas Breakage Ideas

Sanketh Menda sgmenda at uwaterloo.ca
Tue Apr 28 16:55:59 UTC 2020 

Hello,

--[ With regard to (1)

Created <https://bugzilla.mozilla.org/show_bug.cgi?id=1633813>.

--[ With regard to (2)

My beef was with allowing canvas extraction without prompt if the user had
uploaded a file (as suggested here
<https://bugzilla.mozilla.org/show_bug.cgi?id=1631673#c10>.) I am totally cool
with showing a prompt if the user had uploaded a file to the website. tl;dr: I
agree with Tom that uploading a file indicates trust but we seem to disagree on
the specifics.

I think canvas prompting is compatible with Tor. At worst, the user is shown a
prompt for every website they upload a file to, which I think is a small number.
At best, this makes a lot of websites more usable (with the user expressly
consenting to be fingerprinted.)

If we want to go down the route of only allowing extraction of user input, it
might be, as Tom already hinted, technically challenging. We cannot just store a
hash of the input, we would probably need to do something fancy like uncompress
it and store a fuzzy hash of that.

Best,
Sanketh

?On 2020-04-28, 12:51 AM, "Tom Ritter" <tom at ritter.vg> wrote:

    Sanketh is tackling some fingerprinting patches; he's doing great.  We
    ran across two questions we wanted input on.
    Background: Frequently sites break from the canvas permission prompt
    in the following way:
    User uploads image
    Website tries to display image back to user
    Image is white because it rendered the image to a canvas then tries to
    read the canvas data

    Examples:
    https://bugzilla.mozilla.org/show_bug.cgi?id=1631673
    https://bugzilla.mozilla.org/show_bug.cgi?id=1456378
    https://bugzilla.mozilla.org/show_bug.cgi?id=1573834

    1) Sanketh had the idea of after granting permission, we show an
    additional prompt suggesting the user reload the page; since websites
    are not built to handle our 'well just try it again, it'l work this
    time' change to canvas APIs.

    Thoughts?

    2) In https://bugzilla.mozilla.org/show_bug.cgi?id=1631673 Gijs had
    the idea of changing our behavior if the user has uploaded a file,
    and using this as a queue to automatically allow canvas extraction.
    Specifically he focused on allowing the website to read out the file
    the user has just uploaded; and that only.

    That would be ideal, but -with no testing and just hypothesizing - I
    doubt it would work because some as simple as e.g resizing the image
    would cause the match to fail and be dis-allowed.  But we could test
    this.

    My idea was much simpler: if the user has uploaded a file, we take
    that as a queue they trust the service; and then grant the canvas
    permission prompt.  (In as tightly as scoped a manner as possible, but
    the scoping is really just a bandaid over the problem....)

    Sanketh and Simon pointed out that this is dangerous: just because a
    user uploaded a file doesn't mean they consented to be fingerprinted.
    And they're right; if a user is trying to have an anonymous account or
    something similar, uploading a file is not a trusted relationship
    permitting fingerprinting.

    So the question then is, it seems like given Tor's strict stance, the
    only way this could be implemented was if the data read from the
    canvas was an exact match on the uploaded data. Is that accurate?  If
    so, the next step would be to test these websites, because if they
    don't behave that way it's probably not worth implementing this at
    all.

    -tom

More information about the tbb-dev mailing list