[tor-commits] [tor-browser-spec/master] Bug 40003: Document the Canvas Breakage Ideas conversation from [tbb-dev]

gk at torproject.org gk at torproject.org
Thu Sep 3 08:06:35 UTC 2020 

commit 1b265d8711626b6511e8ce4a3300360d873d8da7
Author: Sanketh Menda <sanketh at c1own.com>
Date:   Mon Aug 17 16:15:16 2020 -0400

    Bug 40003: Document the Canvas Breakage Ideas conversation from [tbb-dev]
---
 .../xxx-canvas-tainting-for-fp-resistance.txt      | 134 +++++++++++++++++++++
 1 file changed, 134 insertions(+)

diff --git a/proposals/ideas/xxx-canvas-tainting-for-fp-resistance.txt b/proposals/ideas/xxx-canvas-tainting-for-fp-resistance.txt
new file mode 100644
index 0000000..0c4fd17
--- /dev/null
+++ b/proposals/ideas/xxx-canvas-tainting-for-fp-resistance.txt
@@ -0,0 +1,134 @@
+Filename: xxx-canvas-tainting-for-fp-resistance.txt
+Title: Canvas Tainting for Fingerprinting Resistance
+Authors: David Fifield, Matthew Finkel, Sanketh Menda, and Tom Ritter
+Created: 21-Aug-2020
+Status: Draft
+
+1. Motivation
+
+  Canvas permissions currently break the following workflow:
+    1. user uploads image
+    2. website tries to display the image back to the user
+    3. this image is white or noise (if canvas fuzzing is enabled.)
+
+  Here are some instances of this breakage:
+    1. Uploading images to WhatsApp Web:
+    https://bugzilla.mozilla.org/show_bug.cgi?id=1631673
+    2. Image cropping in Expensify:
+    https://bugzilla.mozilla.org/show_bug.cgi?id=1456378
+    3. Uploading images to Craigslist:
+    https://bugzilla.mozilla.org/show_bug.cgi?id=1573834
+
+  This workflow does not seem to be invading the user's privacy so it would be
+  nice to support it. Currently, to unbreak this functionality, the user has to
+  give full canvas permissions which may be abused by websites.
+
+  This proposal specifies an approach towards allowing some use of the canvas
+  without sacrificing privacy.
+
+2. Proposal
+
+2.1 The Key Idea
+
+  Keep track of whether the canvas is safe (in terms of fingerprintability) to
+  extract or not, and allow extractions if it is safe.
+
+  This idea was first proposed by Gijs Kruitbosch [0] in analogy to canvas
+  tainting used to prevent cross-origin image loading [1].
+
+2.2 Canvas Tainting for Fingerprinting Resistance
+
+  We attach a state variable `isFPSafe` to the canvas, define three classes
+  of operations: safe, unsafe, and extraction, and when the canvas is
+  manipulated, we perform the following depending on whether the operation is
+  safe or not.
+
+  ```
+  if (safe operation) pass;
+  elif (unsafe operation) isFPSafe = false;
+  elif (extraction operation) {
+    if (isFPSafe) extract;
+    else return placeholder;
+  }
+  ```
+
+  See the canvas element section of the HTML spec [2] for details on canvas
+  operations.
+
+2.2.1 Safe Operations
+
+  - `canvas.getContext`: returns the canvas object
+  - `canvas.drawImage` for user uploaded images: draws the given image onto the
+    canvas
+
+  We hypothesize that allowing these operations unbreaks the aforementioned
+  workflow (see Research Question 1) and is safe (see Research Question 2).
+
+  These operations are also probably safe:
+    - `canvas.getContextAttributes`
+
+2.2.2 Unsafe Operations
+
+  All operations that have not been classified as safe (i.e., not listed in
+  Section 2.2.1) are considered unsafe.
+
+2.2.3 Extraction Operations
+
+  - .toDataURL`: returns a dataURL of the canvas
+  - `canvas.toBlob`: returns a blob of the canvas
+
+3. Concerns
+
+3.1 Scaling inside drawImage
+
+  The specification [3] does not specify how to scale images, so the scaling
+  algorithm may be implementation dependent and is a possible fingerprinting
+  vector.
+
+3.2 Image format encoding
+
+  The specification [4] does not specify how to do image format encoding so it
+  may be implementation dependent and is a possible fingerprinting vector.
+
+  Gómez-Boix, Laperdrix, and Baudry [3, p.314] noticed that compressing a canvas
+  to an image format adds entropy. However, in the case of user uploaded images,
+  this might be less of an issue (see Research Question 3.)
+
+3.2.1 `quality` levels
+
+  `quality` levels add another layer of uncertainty to image format encoding as
+  they are not standardized [4].
+
+3.2.1 Wide-gamut colors
+
+  This does not seem to be in the HTML standard yet but it seems like WebKit and
+  Chrome already support it so it is worth looking into (see Research Question
+  3).
+
+  WebKit: https://github.com/whatwg/html/issues/299
+  Chrome: https://github.com/whatwg/html/issues/4167
+
+4. Research
+
+  We would like to perform experiments to answer the following questions.
+    1. Does this approach unbreak the motivating workflow?
+    2. Are "safe operations" (the ones listed in 2.2.1) safe against
+    fingerprinting attacks?
+    3. How bad are issues mentioned in the concerns?
+
+5. Acknowledgements
+
+  We thank Alex Catarineu and Gijs Kruitbosch for insightful conversations,
+  and Georg Koppen for valuable comments on drafts of this document.
+
+6. References
+
+[0]: https://bugzilla.mozilla.org/show_bug.cgi?id=1631673#c8
+[1]: https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_enabled_image
+[2]: https://html.spec.whatwg.org/multipage/canvas.html
+[3]: https://html.spec.whatwg.org/multipage/canvas.html#drawing-images
+[4]:
+https://html.spec.whatwg.org/multipage/canvas.html#serialising-bitmaps-to-a-file
+[5]: Hiding in the Crowd: an Analysis of the Effectiveness of Browser
+Fingerprinting at Large Scale. Gómez-Boix, Laperdrix, and Baudry. WWW '18.
+https://doi.org/10.1145/3178876.3186097

More information about the tor-commits mailing list