[tbb-dev] RFC: WebGL Click-to-Play as a Privacy Protection

Georg Koppen gk at torproject.org
Mon Nov 23 08:00:48 UTC 2020


Matthew Finkel:
> In light of WebGL extensions now being available [0] and other potential
> uses of WebGL for fingerprinting, I'd like to consider restricting
> access to the WebGL API in Tor Browser as a Privacy enhancement, and no
> longer as a Security enhancement.
> 
> One major usability (webcompat) issue I know about when WebGL usage
> requires click-to-play is Google Maps. Are there other popular sites
> that break when click-to-play is enabled that we should consider?

I know that hackerone.com was breaking in a way that's not obvious. That
is, when trying to log in, nothing happened. One gets no hint and, worse,
there is no way to click on anything to play.

I am skeptical about just making WebGL click-to-play. What we need as
well is making sure that users can in *any* situation actually enable
WebGL and getting some explanation about what is going on and giving
some consent to the trade-off. That's a lot of work for causing
webcompat issues.

In general I think going down the click-to-play route for privacy
protection seems to be the wrong direction as our core Tor Browser
feature is providing privacy by design to everyone by default. Suddenly
starting to do click-to-play for privacy features does not look
particularly good.

If we are concerned about WebGL extensions and fingerprinting then we
should just add them behind a pref again (maybe the RFP pref even),
which should not be too hard in particular compared with the
click-to-play work. If there are other vectors we are concerned with,
then we should plug them, too.

Georg

> Thanks,
> Matt
> 
> [0] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40117

