whotracks.me icon indicating copy to clipboard operation
whotracks.me copied to clipboard

Published 20 hours ago verified publisher icon whotracksme

Canvas fingerprinting warning.

Open konark-cliqz opened this issue 7 years ago • 2 comments

When whotracks.me is opened with privacy.resistFingerprinting or in Tor browser (with JS allowed), it throws a warning related to canvas fingerprinting.

cliqz-warning

tor-warning

konark-cliqz avatar Feb 22 '18 09:02 konark-cliqz

@konark-cliqz We use the html canvas to generate the tag cloud on a tracker's profile, which is the only kind of page you will get the warning in. Everything is done on the client, I can't see any privacy implications of this. Here's the implementation: https://github.com/cliqz-oss/whotracks.me/blob/master/templates/components/tag_cloud.html

I'm afraid there is not much we can do here except exploring different ways for generating something similar to what we have. Temporarily leaving the issue open for suggestions or PRs.

ecnmst avatar Feb 26 '18 13:02 ecnmst

Just for reference, according to https://github.com/mozilla/pdf.js/issues/7026 this gets triggered when one of these canvas APIs get used (potentially allowing fingerprinting):

  • getImageData
  • isPointInPath
  • isPointInStroke
  • toBlob
  • toDataURL
  • mozFetchAsStream
  • mozGetAsFile

It seems there is usage in d3.layout.cloud.js and plotly.js, not sure how feasible/worth is it to avoid using these functions.

acatarineu avatar Mar 19 '18 09:03 acatarineu