1. 52

  2. 22

    Also probably interesting to most folks here: First Party Isolation.

    In which Firefox double-keys storage (e.g., Cookies) with the embedding site. E.g., that facebook.com will have a different storage bin depending on whether it’s your top level website or embedded on http://foo.example or http://bar.example.

    First Party Isolation can be enabled only in Firefox 58 or newer. You can either set a flag or use my First Party Isolation extension. The add-on just adds a handy enable/disable button - in case the feature breaks some important website of yours

    1. 6

      I’m curious as to why some drawing commands are nondeterministic across machines, even running the same software.

      1. 5

        I surveyed some finger printing algorithms a few months ago and I learned that the fingerprinting algorithms gather information about your machine and browser capabilities: the OS, the screen resolution, the screen size, the font list, and machine specifications (3d extensions, graphics accelerations, etc.). WebGL would be especially rich for exposing this information. Drawing to a canvas could be a way to sniff some of these capabilities out even if they the browser is not letting 3rd party JS know about them. This is all conjecture but seems likely.

      2. 6

        Here’s the research paper if you’re interested in how canvas fingerprinting works: http://www.w2spconf.com/2012/papers/w2sp12-final4.pdf

        1. 1

          starting with version 58 Firefox will block attempts to fingerprint users using the HTML5 canvas element.


          Canvas fingerprinting works by loading a canvas HTML tag inside a hidden iframe and making the user’s browser draw a series of elements and texts. The resulting image is converted into a file hash.

          Interesting. I wonder if Chrome will follow suit.

          The only downside is that it presents users with a popup. If the answer defaults to “disallow canvas”, a lot of sites using canvas will fail pretty much automatically, as people click the popup out of sheer habit, and if the answer defaults to “allow canvas”, the security fails.

          1. 4

            Disallow reading from canvas, which is not used by most legitimate usages of canvas. I think they might even soft fail, i.e. return a blank single color image.

            1. 2

              This is a pretty common thing to do if you’re doing things like an online image editor. Or (for example) if you want to do a “Share” button in your game, you could take a screenshot and use that image in the post.

              It would make total sense to have the popup ask “This site is trying to screenshot your window”-style things.

              1. 1

                Disallow reading from canvas, which is not used by most legitimate usages of canvas.

                Interesting. I didn’t know that.