privacybadgerfirefox-legacy icon indicating copy to clipboard operation
privacybadgerfirefox-legacy copied to clipboard

Published 20 hours ago verified publisher icon EFForg

Causing canvas access warnings after 1.0 update

Open ghost opened this issue 9 years ago • 7 comments

I have noticed that after Privacy Badger updated to 1.0 the addon CanvasBlocker is reporting many sites accessing the canvas that never did before. I discovered that disabling Privacy Badger makes the warnings stop.

To reproduce:

  1. Enable CanvasBlocker
  2. Visit a page that does no canvas access, such as https://en.wikipedia.org/robots.txt
  3. Observe that CanvasBlocker does not display a warning
  4. Enable Privacy Badger
  5. Visit that same page again
  6. Observe that CanvasBlocker now displays a warning

Is Privacy Badger causing canvas access that is triggering CanvasBlocker?

ghost avatar Aug 06 '15 22:08 ghost

I wonder if this has to do with the code that is checking to see if a third party is accessing the canvas that @ghostwords wrote

SwartzCr avatar Aug 07 '15 00:08 SwartzCr

That's exactly it. We inject a script to check if a site is performing canvas fingerprinting, which is what will trigger this warning.

cooperq avatar Aug 11 '15 20:08 cooperq

I'd suggest reopening this issue as this behaviour should be fixed. I don't know on what addon site this can be fixed better, so I've opened an issue in the repo of the other addon https://github.com/kkapsner/CanvasBlocker/issues/47, but as it is also shown by https://github.com/EFForg/privacybadgerfirefox/issues/538 the Canvas Javascript injection used by Privacy Badger does not seem to be the best way to do this.

rugk avatar Nov 04 '15 18:11 rugk

duplicate of #538

cooperq avatar Nov 04 '15 20:11 cooperq

Do you really think that's an exact duplicate? I mean it has nothing to do with CSP and it's very close related to another add-on, so it is more a kind of incompatibility. So e.g. this issue can also be resolved in https://github.com/kkapsner/CanvasBlocker/issues/47 while https://github.com/EFForg/privacybadgerfirefox/issues/538 is the general issue behind the concept here, whcih should stay open even if this issue here is solved.

rugk avatar Nov 04 '15 22:11 rugk

oops sorry, I was reading to fast it is definitely not a duplicate of #538 but I still don't see how we can fix this, we need to access the canvas object to check for canvas fingerprinting.

cooperq avatar Nov 05 '15 21:11 cooperq

This problem is fixed on the side of CanvasBlocker with v0.2.2.

You need to activate script whitelisting in this addon and add the following JSON snippet:

[{"url": "resource://gre/modules/commonjs/toolkit/loader.js -> resource://gre/modules/commonjs/sdk/loader/sandbox.js -> resource://jid1-mnnxcxisbpnsxq-eff-at-jetpack/data/fingerprinting.js"}]

Note that the developer of that addon accepts Pull Requests for adding a incompatibility warning in their addon, which may suggest the exclusion. So if anyone of the PrivacyBadger contributors wants to have a look this I think @kkapsner likes it. Additionally/Alternatively you may also add this to the FAQ of PrivacyBadger or put this information somewhere else so users know they can use the addons together.

rugk avatar Jan 31 '16 10:01 rugk