Closed (moved)
Opened Dec 04, 2017 by Tom Ritter (@tom)

Investigate Making Canvas Unfingerprintable

If we can make canvas unfingerprintable, we could remove the permission prompt. I wanted to capture the discussion on this here.

From long ago, what needed to be fixed to make canvas unfingerprintable:

  1. software rendering
  2. system colors were standardized
  3. and the browser shipped a fixed collection of fonts

I believe we have patches for 2 and 3.

1 is doable (see below).

But the font stuff is still tricky. See #16672 (moved) which is an example of the same OS (but different versions of it) rendering the same font differently.

And #17999 (moved) which is the default GUI font allowing distinguishing the version of the GUI. (That's not specific to canvas but it does probably affect canvas.)

13:48:11 T<tjr> mstange: After talking with the Tor folks, there were three main areas for canvas fingerprinting: fonts (we can partly that), system colors (we can handle that), and software rendering.   
13:48:14 T<tjr> But the font stuff is trickier than I thought at first. While we can whitelist fonts, it turns out the same font is sometimes rendered differently in different versions of the same OS, and that different versions of the same OS can be fingerprinted by the default font chosen. 
13:48:17 T<tjr> We suspect there are other vectors inside canvas, but switching to software rendering would be a big help. Is that easy to do? Tor would consider shipping that in an Alpha.
13:49:45 M<mstange> tjr: interesting!
13:49:59 M<mstange> switching to Skia software is as easy as setting gfx.canvas.azure.backends to "Skia" and gfx.canvas.azure.accelerated to false
13:50:51 M<mstange> for system-setting-dependent font rendering, maybe we can add a way of rendering fonts into canvas that does not respect any system settings
13:51:16 M<mstange> lsalzman: how hard would that be? maybe we could ship some ugly freetype rasterization on all platforms?
13:51:25 L<lsalzman> how hard would what be?
13:51:35 M<mstange> "add a way of rendering fonts into canvas that does not respect any system settings"
13:51:56 L<lsalzman> depends what that means
13:52:04 L<lsalzman> if you mean using freetype on all platforms, that would be insane right now
13:52:09 M<mstange> ok
13:52:10 L<lsalzman> we're not architected for that
13:52:29 L<lsalzman> we have a lot of assumptions built in like, if you're on windows, you're using dwrite, etc.
13:53:13 M<mstange> I'm looking for a way to render fonts that doesn't leak any more bits of entropy than the OS you're on
13:53:14 L<lsalzman> i mean, you can certainly make dwrite rendering ugly and standardized to some degree
13:53:35 L<lsalzman> but forcing things like gamma, contrast, AA, hinting, to known values
13:53:46 L<lsalzman> that's somewhat what Chrome does already ;)
13:53:57 M<mstange> that sounds interesting
13:54:22 L<lsalzman> the gfx.font_rendering.cleartype_params already allow this, i think
13:54:36 L<lsalzman> there may be some cases where they're not properly respected everywhere, though
13:54:58 M<mstange> thanks
13:55:23 M<mstange> tjr: ^ this seems like a good place to start investigating
13:56:40 L<lsalzman> linux settings will be hell because of fontconfig
13:56:47 L<lsalzman> no idea what we're doing as far as prefs on mac
13:57:30 M<mstange> I don't think there are any prefs on mac, other than the 1 bit "allow font smoothing" pref
13:58:01 M<mstange> and now that we know that we can override it with CGContextSetAllowsFontSmoothing, this one shouldn't be a problem either :)
13:59:11 T<tjr> When you say fontconfig, is that taking into account that we are planning to bundle and whitelist what fonts are available to the browser (when privacy.resistFingerprinting is enabled)? 

One idea would be to enable system rendering, do some due diligence on if we can detect anything, and if not, put it in the Alpha and allow bug bounty folks to poke at it.
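
One way to carry out the due diligence mentioned above, as an added example that is not part of the original ticket: capture the same canvas drawing on two machines (for instance with gfx.canvas.azure.backends set to "Skia" and gfx.canvas.azure.accelerated set to false, as suggested in the log) and diff the raw pixels. The test scene, the function names and the sample buffers are assumptions constructed for illustration.

```javascript
// Added example: diff two RGBA captures of the same canvas drawing.
// Any differing pixel between machines is a potential distinguisher.

// Browser-only: draw a fixed test scene and return its raw RGBA pixels.
// The scene (string, font, colours) is constructed for illustration.
function captureTestScene(width = 200, height = 40) {
  const c = document.createElement("canvas");
  c.width = width;
  c.height = height;
  const ctx = c.getContext("2d");
  ctx.fillStyle = "#fff";
  ctx.fillRect(0, 0, width, height);
  ctx.fillStyle = "#000";
  ctx.font = "16px serif";
  ctx.fillText("canvas render check", 4, 24);
  return { width, height, data: ctx.getImageData(0, 0, width, height).data };
}

// Pure function: summarise how two same-sized RGBA captures differ.
function diffCaptures(a, b) {
  if (a.width !== b.width || a.height !== b.height) {
    throw new Error("captures must have the same dimensions");
  }
  let differing = 0, maxDelta = 0, box = null;
  for (let p = 0; p < a.width * a.height; p++) {
    let delta = 0;
    for (let ch = 0; ch < 4; ch++) {
      delta = Math.max(delta, Math.abs(a.data[p * 4 + ch] - b.data[p * 4 + ch]));
    }
    if (delta === 0) continue;
    differing++;
    maxDelta = Math.max(maxDelta, delta);
    const x = p % a.width, y = Math.floor(p / a.width);
    // Grow the bounding box of differing pixels to include (x, y).
    box = box
      ? { x0: Math.min(box.x0, x), y0: Math.min(box.y0, y),
          x1: Math.max(box.x1, x), y1: Math.max(box.y1, y) }
      : { x0: x, y0: y, x1: x, y1: y };
  }
  return { identical: differing === 0, differing, maxDelta, box };
}

// Constructed sample: two 4x2 white captures differing at pixel (2,1).
function sampleCaptures() {
  const a = { width: 4, height: 2, data: new Uint8ClampedArray(32).fill(255) };
  const b = { width: 4, height: 2, data: Uint8ClampedArray.from(a.data) };
  b.data[(1 * 4 + 2) * 4] = 250; // red channel of pixel (2,1)
  return [a, b];
}
```

In a browser, serialise the result of `captureTestScene()` on each machine and feed the two captures to `diffCaptures()`; the bounding box shows where in the scene the renders diverge.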

Reference: legacy/trac#24521