Since version 118+, Firefox introduced FPP (Finger Printing Protection) which is in short water downed version of RFP (Resist Finger Printing).
FPP is enabled by default from version 119 onwards if you enable ETP (Enhanced Tracking Protection).
FPP randomizes canvas data subtly than RFP, which is why RFP breaks some sites. So, my question is, if we allow canvas data extraction for a broken site will it fallback to FPP’s subtle canvas randomization, or allowing it will expose canvas data completely if we have ETP enabled?
Relevant link: https://support.mozilla.org/en-US/kb/firefox-protection-against-fingerprinting
Edit: More info about HTML5 canvas fingerprinting https://webbrowsertools.com/canvas-fingerprint/
Ah nah Canvas is used for so much stuff and it’s sometimes way under your radar in stuff you wouldn’t at all expect
For instance
I’ll let you look at the comments to see how they circumvented this
async function generateFacePic(commentData: SnooComment, ppBuffer: HTMLImageElement[], displaySize: number = 50): Promise { const imageSeed = /* a random number */ const imageElement: HTMLImageElement = /* someone's avatar */ // Purpose of copying: A single tag cannot be in multiple spots at the same time // I did not find a way to duplicate the reference to an img tag // If you use Element.appendChild with the same reference multiple times, the method will move the element around // Creating a new tag and copying the attributes would work, but it would fetch the src again // The image at thispersondoesnotexist changes every second so the src points to a new picture now // Since the URL has a parameter and hasn't changed, then most likely, querying the URL again would // hit the browser's cache. but we can't know that. // Solution: make a canvas and give it the single reference. It makes a new one every time. It doesn't query the src. const canv = copyImage2Canvas(imageElement, displaySize); canv.classList.add(`human-${imageSeed}`); return canv; }
I’ve seen canvas being used for github-like random avatars, graphs, logos, to create dynamic previews of images on the page in online shops, …
On the topic of Reddit, trying to submit a video there with Canvas off would result in it being submitted with a glitched thumbnail
That’s a big one, generating thumbnails client-side rather than running an imagemagick instance on the server to re-size pictures on upload
I used it to generate hashes of the pictures as well, once.
Adding watermarks too. There are virtuous watermarks as well, I remember having to code up a transparents watermark over people’s IDs to make sure that when they submitted their renters dossier (it was a real estate renting service), it couldn’t be used to commit identity theft by the homeowner later down the line or re-used for something else.