Is "New identity" enough to protect me as I never allow extract canvas data?

5Oj0mZDRarEO · February 15, 2025, 3:48pm

Is “New identity” enough to protect me as I never allow extract canvas data?
Test URL: Canvas Fingerprinting - BrowserLeaks
When I allow browserleaks.com extract canvas data, every “New identity” make me get a new Signature.
Also I wonder what is happen.

thorin · February 15, 2025, 10:10pm

Canvas is randomized per execution so every time you test you get a different result, regardless of identity.

When you allow a site to “use your canvas image”, then the test will not be randomized and will be whatever the test is testing. This site exception is for the session only. A new Identity is a new session - i.e Tor Browser closes, sanitizes, and starts anew (your site exception is no more).

5Oj0mZDRarEO · February 16, 2025, 9:05pm

Sorry for unclear, I mean every “New identity + allow extract canvas data” get a new unique canvas “signature”.
Seems canvas data still randomized when I allow extract canvas data?
Step by step reproduce:

open https://browserleaks.com/canvas and allow use canvas data and reload the test page(you get a unique signature).
Reset identity by the New identity feature.
repeat the step 1(you get another unique signature).

thorin · February 16, 2025, 11:12pm

OK, there’s an issue I raised upstream at mozilla (and logged downstream at ~~bugzilla~~ gitlab) a while ago - when you allow a site exception for canvas (RFP), then FPP’s canvas kicks in (because we’re in Private Browsing Mode), which is not desirable behavior.

FPP is Firefox’s fingerprint protection, and it’s canvas protection is to subtly randomize (visually you shouldn’t be able to tell)

This was fixed upstream in 1896175 - With RFP, a granted Canvas Permission still applies FPP's randomization - and backported to ESR128 and Tor Browser now has that patch

The problem is, it only works for getImageData, whilst toBlob and toDataURL still get FPP’s subtle randomizing

If you read the bugzilla, this was pointed out 5 months ago when it was “patched” … and here we are still 5 months later - 1918690 - Extend canvas randomization permission test. IDK why they can’t build a test that is 100% reliable to show the failure/success - but to be fair, upstream has a lot of parameters to deal with from RFP and FPP, to RFPTargets, granularity, exempted domains, and the canvas site exception.

So, long story short … it’s a bug, but doesn’t “hurt” you (entropy/fingerprinting or compat) and shows on browserleaks because that test uses toDataURL

5Oj0mZDRarEO · February 18, 2025, 10:07am

Should we allow user to choice if enable such “subtly randomize” protection?
Is the “subtly randomize” enough to protect me as I never allow extract canvas data?
Also I suppose you mean I should not depend on such “subtly randomize protection” because this a bug and may be fixed(disabled) in future.

thorin · February 18, 2025, 10:38am

No. The expectation is if you allow canvas then you allow it. There shouldn’t be a second layer of complexity/permissions.