OK, there’s an issue I raised upstream at mozilla (and logged downstream at bugzilla gitlab) a while ago - when you allow a site exception for canvas (RFP), then FPP’s canvas kicks in (because we’re in Private Browsing Mode), which is not desirable behavior.
FPP is Firefox’s fingerprint protection, and its canvas protection is to subtly randomize (visually you shouldn’t be able to tell).
This was fixed upstream in 1896175 - With RFP, a granted Canvas Permission still applies FPP's randomization - and backported to ESR128, and Tor Browser now has that patch.
The problem is, it only works for getImageData, whilst toBlob and toDataURL still get FPP’s subtle randomizing.
If you read the bugzilla, this was pointed out 5 months ago when it was “patched” … and here we are still 5 months later - 1918690 - Extend canvas randomization permission test. IDK why they can’t build a test that is 100% reliable to show the failure/success - but to be fair, upstream has a lot of parameters to deal with from RFP and FPP, to RFPTargets, granularity, exempted domains, and the canvas site exception.
So, long story short … it’s a bug, but doesn’t “hurt” you (entropy/fingerprinting or compat) and shows on browserleaks because that test uses toDataURL.
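An added example, not part of the original post or of Mozilla's test suite: a page script that writes known pixels to a canvas and checks each of the three readback paths named above for changes. All function names are hypothetical, and the toDataURL/toBlob results are decoded through getImageData, so they only mean something when getImageData itself comes back exact (the state the post describes with the site exception granted).

```javascript
// Count pixels whose RGBA bytes differ between two equal-length buffers.
function countChangedPixels(expected, actual) {
  if (expected.length !== actual.length) throw new Error("buffer size mismatch");
  let changed = 0;
  for (let i = 0; i < expected.length; i += 4) {
    const same = [0, 1, 2, 3].every((c) => expected[i + c] === actual[i + c]);
    if (!same) changed++;
  }
  return changed;
}

// Deterministic, fully opaque pattern: alpha 255 avoids premultiplication loss.
function makePattern(w, h) {
  const px = new Uint8ClampedArray(w * h * 4);
  for (let i = 0; i < w * h; i++) {
    px.set([(i * 7) & 255, (i * 13) & 255, (i * 29) & 255, 255], i * 4);
  }
  return px;
}

// Turn per-API changed-pixel counts into a verdict per readback path.
function summarize(counts) {
  const out = {};
  for (const [api, n] of Object.entries(counts)) out[api] = n === 0 ? "exact" : "randomized";
  // Encoded paths are decoded through getImageData, so they are only
  // meaningful when getImageData itself returned the exact pixels.
  out.reliable = counts.getImageData === 0;
  return out;
}

// Browser only: write the pattern, then read it back through all three APIs.
async function probeReadbacks(w = 16, h = 16) {
  const expected = makePattern(w, h);
  const mk = () => Object.assign(document.createElement("canvas"), { width: w, height: h });
  const src = mk(), ctx = src.getContext("2d");
  ctx.putImageData(new ImageData(expected, w, h), 0, 0);
  const decode = async (url) => {           // PNG -> pixels via a second canvas
    const img = new Image(); img.src = url; await img.decode();
    const c2 = mk().getContext("2d"); c2.drawImage(img, 0, 0);
    return c2.getImageData(0, 0, w, h).data;
  };
  const blobUrl = URL.createObjectURL(await new Promise((r) => src.toBlob(r, "image/png")));
  return summarize({
    getImageData: countChangedPixels(expected, ctx.getImageData(0, 0, w, h).data),
    toDataURL: countChangedPixels(expected, await decode(src.toDataURL("image/png"))),
    toBlob: countChangedPixels(expected, await decode(blobUrl)),
  });
}
```

Run `probeReadbacks()` from a page on the site that holds the canvas exception; the behaviour described in the post would show `getImageData: "exact"` with the other two `"randomized"`.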