Summary: When Resist Fingerprinting is enabled, we display a permission prompt when a website tries to access the rendered canvas data. This is because canvas rendering is a popular fingerprinting and tracking vector on the web.

However, some uses of this technique are not actually malicious - they're doing feature detection (emoji support may be the most popular instance of this). This has actually hit even us: we throw the prompt on blog.mozilla.org: https://bugzilla.mozilla.org/show_bug.cgi?id=1413182

The people behind this emoji detection are WordPress, and they agree: this prompt is annoying. They would like to not show it (and assume emoji support is missing). But they don't have a way to ask "Hey, will the browser let me read canvas pixel data?"

This proposal is that. Add a permission 'canvas-imagedata' that will return 'granted' when Resist Fingerprinting mode is disabled, and 'prompt' when RP is enabled and appropriate.

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1429519

Link to standard: It's been discussed here: https://github.com/w3c/permissions/issues/165

Platform coverage: All platforms

Estimated or target release: TBD

Preference behind which this will be implemented: Unless requested, there won't be a pref to disable this entirely, but it will always return 'granted' unless privacy.resistFingerprinting is enabled.

Is this feature enabled by default in sandboxed iframes? Yes. In general, I think nested permissions are a bad idea, and we should block them, but that's a whole different discussion. See https://bugzilla.mozilla.org/show_bug.cgi?id=1414164

Do other browser engines implement this? No; no other browser does anti-fingerprinting, so they would not need to implement this. Brave could, I suppose.

Tests - We'll write some, including WPT.

In general, work on Canvas is in progress on several fronts. We would indeed like to neuter Canvas fingerprinting entirely, and are investigating that over in https://trac.torproject.org/projects/tor/ticket/24521

-tom
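The check this proposal would let a feature-detection script make before it touches canvas pixels, as an added example that is not part of the original message or of any WordPress or Firefox code. The permission name 'canvas-imagedata' is the one proposed above and may not exist in any shipped browser; `supportsEmoji`, `renderAndCompare` and `fakePermissions` are hypothetical names, and treating an unknown permission name as "no prompt" is an assumption based on the statement that other engines do not gate canvas readback.

```javascript
// Permission name as proposed in the message above (a proposal, not a shipped API).
const CANVAS_PERMISSION = 'canvas-imagedata';

// Returns true when reading canvas pixels is not expected to raise a prompt.
// `permissions` is navigator.permissions in a browser, or undefined where absent.
async function canReadCanvasSilently(permissions) {
  if (!permissions || typeof permissions.query !== 'function') {
    return true; // no Permissions API, so nothing to ask: keep legacy behaviour
  }
  try {
    const status = await permissions.query({ name: CANVAS_PERMISSION });
    // 'prompt' (Resist Fingerprinting on) and 'denied' both mean: do not read.
    return status.state === 'granted';
  } catch (err) {
    // query() rejects with TypeError for a permission name the engine does not
    // know. Assumption: such an engine has no canvas readback prompt either.
    if (err instanceof TypeError) return true;
    throw err;
  }
}

// Emoji feature detection that never triggers the prompt.
// `renderAndCompare` is a hypothetical callback that draws glyphs to a canvas,
// reads the pixels back (getImageData/toDataURL) and returns true or false.
async function supportsEmoji(permissions, renderAndCompare) {
  if (!(await canReadCanvasSilently(permissions))) {
    return false; // assume emoji support is missing rather than prompting
  }
  return Boolean(await renderAndCompare());
}

// Constructed stand-in for navigator.permissions so the logic runs outside a
// browser. state === null models an engine that does not know the name.
function fakePermissions(state) {
  return {
    query: async ({ name }) => {
      if (state === null || name !== CANVAS_PERMISSION) {
        throw new TypeError('unknown permission name');
      }
      return { state };
    },
  };
}
```

In a page this would be called as `supportsEmoji(navigator.permissions, readback)`, with the canvas work kept entirely inside `readback` so that it is skipped whenever the state is not 'granted'.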