I would like to be able to disable use of certain canvas APIs, to stop canvas fingerprinting by iframes.
A common situation is to have a sandboxed iframe that contains an ad (or some other untrusted page) that may attempt to track the user. In many cases there's no reason for that ad to be able to get a 2D context, and certainly no reason for it to be able to get a WebGL context.
Canvas fingerprinting comes in two forms: 2D-based, and WebGL-based.
Fingerprinting in 2D contexts could be mitigated by policy while maintaining most "normal" use of canvas, by making the canvas write-only and disabling all methods that can be used to read data back out from a canvas or leak data about the user's configuration. Most canvas methods don't leak data per se.
Fingerprinting using WebGL contexts is essentially impossible to mitigate as the API is designed for that purpose, e.g. with many feature flags that declare capabilities of the user's GPU and drivers. The only solution is to disable it entirely.
Therefore I propose a policy with two levels:
1. A policy to allow canvas but restricted in the following way: only write-only `2d` or `bitmaprenderer` contexts are permitted. The page is prevented from using canvas APIs that leak pixel buffer or device configuration data, but is otherwise still allowed to draw to a canvas.
2. A policy to completely prevent all use of canvas.
Here is an implementation of canvas fingerprinting, for reference.
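To make the two proposed levels concrete, here is an added example (not code from the issue or from any browser) that models them as a script-level shim over the canvas prototypes: `applyCanvasPolicy`, `makeStubWindow` and the method lists are this example's own assumptions, and the stub window is constructed so the shim can be exercised offline.

```javascript
// Added example, not from the issue: a script-level model of the two policy levels.
const ALLOWED_CONTEXTS = new Set(['2d', 'bitmaprenderer']);        // write-only level
const CANVAS_READBACK = ['toDataURL', 'toBlob', 'captureStream'];  // leak the pixel buffer
const CTX2D_READBACK = ['getImageData'];                           // leak the pixel buffer

function applyCanvasPolicy(win, level) {
  const canvasProto = win.HTMLCanvasElement.prototype;
  const ctx2dProto = win.CanvasRenderingContext2D.prototype;
  const origGetContext = canvasProto.getContext;
  // Replacement that refuses the call with a SecurityError-style DOMException.
  const blocked = (name) => function () {
    throw new win.DOMException(`${name} is blocked by canvas policy`, 'SecurityError');
  };
  if (level === 'none') {
    // Level 2: no canvas at all. Every context request fails like an unsupported type.
    canvasProto.getContext = function () { return null; };
  } else if (level === 'write-only') {
    // Level 1: only 2d and bitmaprenderer contexts; WebGL is simply unavailable.
    canvasProto.getContext = function (type, ...opts) {
      if (!ALLOWED_CONTEXTS.has(type)) return null;
      return origGetContext.call(this, type, ...opts);
    };
    for (const name of CTX2D_READBACK) ctx2dProto[name] = blocked(name);
  } else {
    throw new Error(`unknown policy level: ${level}`);
  }
  // Both levels: pixel read-back from the element itself is refused.
  for (const name of CANVAS_READBACK) canvasProto[name] = blocked(name);
}

// Constructed stand-in for a browser window so the policy can be exercised offline.
function makeStubWindow() {
  class DOMException extends Error { constructor(msg, name) { super(msg); this.name = name; } }
  class CanvasRenderingContext2D {
    fillRect() { return true; }                          // drawing stays allowed
    getImageData() { return new Uint8ClampedArray(4); }  // read-back to be blocked
  }
  class HTMLCanvasElement {
    getContext(type) {
      if (type === '2d') return new CanvasRenderingContext2D();
      if (type === 'webgl' || type === 'webgl2') return { getParameter() { return 'GPU'; } };
      return null;
    }
    toDataURL() { return 'data:image/png;base64,AAAA'; }
    toBlob(cb) { cb(new Uint8Array(0)); }
    captureStream() { return {}; }
  }
  return { DOMException, CanvasRenderingContext2D, HTMLCanvasElement };
}
```

A shim like this only models the semantics the issue asks the browser to enforce: it cannot reach into a cross-origin iframe, and content running in the same realm can restore the original prototypes, so the real mitigation has to come from a browser-enforced policy.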