Investigate Making Canvas Unfingerprintable
If we can make unfingerprintable, we could remove the permission prompt. I wanted to capture the discussion on this here.
From long ago, what needed to be fixed to make unfingerprintable:
system colors were standardized
and the browser shipped a fixed collection of fonts
I believe we have patches for 2 and 3.
1 is doable (see below).
But the font stuff is still tricky. See #16672 (moved) which is an example of the same OS (but different versions of it) rendering the same font differently.
And #17999 (moved) which is the default GUI font allowing distinguishing the version of the gUI. (That's not specific to canvas but it does probably affect canvas.)
13:48:11 T<tjr> mstange: After talking with the Tor folks, there were three main areas for canvas fingerprinting: fonts (we can partly that), system colors (we can handle that), and software rendering. 13:48:14 T<tjr> But the font stuff is trickier than I thought at first. While we can whitelist fonts, it turns out the same font is sometimes rendered differently in different versions of the same OS, and that different versions of the same OS can be fingerprinted by the default font chosen. 13:48:17 T<tjr> We suspect there are other vectors inside canvas, but switching to software rendering would be a big help. Is that easy to do? Tor would consider shipping that in an Alpha. 13:49:45 M<mstange> tjr: interesting! 13:49:59 M<mstange> switching to Skia software is as easy as setting gfx.canvas.azure.backends to "Skia" and gfx.canvas.azure.accelerated to false 13:50:51 M<mstange> for system-setting-dependent font rendering, maybe we can add a way of rendering fonts into canvas that does not respect any system settings 13:51:16 M<mstange> lsalzman: how hard would that be? maybe we could ship some ugly freetype rasterization on all platforms? 13:51:25 L<lsalzman> how hard would what be? 13:51:35 M<mstange> "add a way of rendering fonts into canvas that does not respect any system settings" 13:51:56 L<lsalzman> depends what that means 13:52:04 L<lsalzman> if you mean using freetype on all platforms, that would be insane right now 13:52:09 M<mstange> ok 13:52:10 L<lsalzman> we're not architected for that 13:52:29 L<lsalzman> we have a lot of assumptions built in like, if you're on windows, you're using dwrite, etc. 13:53:13 M<mstange> I'm looking for a way to render fonts that doesn't leak any more bits of entropy than the OS you're on 13:53:14 L<lsalzman> i mean, you can certainly make dwrite rendering ugly and standardized to some degree 13:53:35 L<lsalzman> but forcing things like gamma, contrast, AA, hinting, to known values 13:53:46 L<lsalzman> that's somewhat what Chrome does already ;) 13:53:57 M<mstange> that sounds interesting 13:54:22 L<lsalzman> the gfx.font_rendering.cleartype_params already allow this, i think 13:54:36 L<lsalzman> there may be some cases where they're not properly respected everywhere, though 13:54:58 M<mstange> thanks 13:55:23 M<mstange> tjr: ^ this seems like a good place to start investigating 13:56:40 L<lsalzman> linux settings will be hell because of fontconfig 13:56:47 L<lsalzman> no idea what we're doing as far as prefs on mac 13:57:13 ⇐ pcwalton quit (email@example.com) Client exited 13:57:30 M<mstange> I don't think there are any prefs on mac, other than the 1 bit "allow font smoothing" pref 13:58:01 M<mstange> and now that we know that we can override it with CGContextSetAllowsFontSmoothing, this one shouldn't be a problem either :) 13:59:11 T<tjr> When you say fontconfig, is that taking into account that we are planning to bundle and whitelist what fonts are available to the browser (when privacy.resistFingerprinting is enabled)?
One idea would be to enable system rendering, do some due diligence on if we can detect anything, and if not, put it in the Alpha and allow bug bounty folks to poke at it.