Firefox 58 warns you if sites use Canvas image data
Mozilla plans to display permission prompts if websites or services attempt to use HTML5 Canvas Image Data in the Firefox web browser.
Canvas fingerprinting is a byproduct of the HTML5 Canvas technology that all browser makers added to their browsers.
As is the case with many technologies, it can be used for good or bad; canvas fingerprinting uses it to track users.
While there is no native option available to turn off the Canvas functionality in Firefox, add-ons are available that block sites from using Canvas. These add-ons (CanvasBlocker and Canvas Defender come to mind) display notifications or block requests outright, depending on how they are configured.
Mozilla plans to integrate a permissions prompt natively in the Firefox web browser. The new feature is part of efforts to introduce Tor security features or hardening into Firefox.
Firefox displays a permission prompt when you visit a site that uses HTML5 canvas image data. This is the case for GitHub for instance, and also on eBay and many other sites.
The message that Firefox displays is (subject to change):
Will you allow [site] to use your HTML5 canvas image data? This may be used to uniquely identify your computer.
You may allow access or block it, and also use the "always remember my decision" checkbox to enforce the rule on future visits as well.
The feature is already live in Firefox Nightly. Please note that it appears incomplete in that browser version. While you do get a prompt to allow or deny site access to HTML5 canvas, options to manage the permission appear to be missing right now.
When you click on the informational icon -- the i -- next to the address, for instance, the permissions listed there do not reflect the choice that you have made.
The permissions preferences in the Firefox options furthermore don't list canvas as a permission that you can control there.
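The allow/block decision described above can be modelled as a wrapper around the canvas readback calls. This is an added example, not Firefox's or any add-on's code: `installCanvasGate`, `blankResult`, `makeStubProtos` and the `ask` callback are hypothetical names, every answer is remembered, and a blocked call is assumed to return blank placeholder data.

```javascript
// Added example: per-site gate on canvas readback (not Firefox's implementation).
// These are the standard calls that hand rendered pixels back to page script.
const READBACK = { canvas: ['toDataURL', 'toBlob'], context2d: ['getImageData'] };

// What a blocked call returns: placeholder data with no rendering detail in it.
function blankResult(name, args) {
  if (name === 'toDataURL') return 'data:,';
  if (name === 'toBlob') { args[0](null); return undefined; }
  const [, , w, h] = args; // getImageData(sx, sy, sw, sh)
  const img = typeof ImageData === 'function'
    ? new ImageData(w, h)
    : { width: w, height: h, data: new Uint8ClampedArray(w * h * 4) };
  img.data.fill(255); // opaque white
  return img;
}

// protos: { canvas, context2d } prototype objects to wrap.
// decisions: Map origin -> 'allow' | 'block' (the remembered choices).
// ask: hypothetical prompt callback, called only when no choice is stored.
function installCanvasGate(protos, origin, decisions, ask) {
  const log = [];
  for (const [kind, names] of Object.entries(READBACK)) {
    for (const name of names) {
      const original = protos[kind][name];
      protos[kind][name] = function (...args) {
        if (!decisions.has(origin)) decisions.set(origin, ask(origin));
        const verdict = decisions.get(origin);
        log.push({ api: name, verdict });
        return verdict === 'allow' ? original.apply(this, args) : blankResult(name, args);
      };
    }
  }
  return log; // audit trail of every readback attempt
}

// Constructed stand-ins so the block runs outside a browser; in a page you
// would pass HTMLCanvasElement.prototype and CanvasRenderingContext2D.prototype.
function makeStubProtos() {
  return {
    canvas: {
      toDataURL() { return 'data:image/png;base64,Q09OU1RSVUNURUQ='; },
      toBlob(cb) { cb({ size: 11, type: 'image/png' }); },
    },
    context2d: {
      getImageData(x, y, w, h) {
        return { width: w, height: h, data: new Uint8ClampedArray(w * h * 4).fill(7) };
      },
    },
  };
}
```

A wrapper like this only covers the JavaScript realm it is installed in, so frames with their own prototypes need the same treatment.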
It would be nice if Canvas can just be fixed to not allow fingerprinting.
I agree. But they are unable to keep it simple. They must put some roadblock, always.
Hi, I’m an engineer and I know what I’m talking about
Which means we’ll still have to use one of the extensions up above for that
Neat. One more protection for me, since I didn’t want to install an add-on just for that considering I already have NoScript to drastically reduce exposure.
I’m not seeing the new prompt in Nightly yet, maybe when I get the next update. Glad to see that they are making some progress on canvas fingerprinting. In version 57 resource URI leaks were taken care of and now with Mozilla continuing the work on reducing fingerprinting it’s kind of getting to be a big deal in my opinion, the privacy improvements.
Actually, I’m not 100% convinced, based on the websites that I visit, that canvas image data is worth ‘me’ being concerned about. Just saying, I haven’t completely made up my mind. I’ve been using Canvas Defender for a few months now and it has a popup warning about possible fingerprinting on maybe 12 websites out of many dozens that I regularly visit, on most websites I don’t see a warning. Canvas Defender doesn’t block the canvas image data it uses a random canvas noise hash instead. ‘Blocking’ the data does break more websites, which I was able to see when I used a command line switch (--disable-reading-from-canvas) in Chrome. Anyway, it seems like more than half of the websites that I saw a warning on had to be whitelisted because some type of functionality was broken on the site. One weird thing is using Canvas Defender in Chromium browsers I only had to whitelist 3 websites instead of the 8 that I had to whitelist in FF. API differences or about:config edits? Who knows.
Current Canvas Defender whitelist:
That is strange I’ve been seeing the prompt for over a week in Nightly but because there was no management options I could find I have just been ignoring it for the moment, if you are using Canvas Defender in Fx, could that be why you aren’t seeing the door message as per the screenshot?
I had disabled Canvas Defender and Tracking Protection. Maybe… it’s like Martin mentions in a comment and “privacy.resistFingerprinting” needs to be set to true and I do not use “privacy.resistFingerprinting”. Because of my monitor size I don’t use a maximized browser window and I couldn’t get the size dialed in like I wanted, so I’ve been using most of the individual about:config edits instead of setting privacy.resistFingerprinting to true since v55 I think. There is a webextension that Pants mentioned called Window Resizer but I haven’t tried it yet, I’m actually trying to keep the number of extensions that I use down, Nightly is using 9, and I got FF down to 14 from 20.
Some good FF news for a change. I’m mostly getting Canvas Defender warnings on pages with Disqus, and lately on Facebook.
Martin, is there an about:config entry to disable this annoyance?
Someone on Bugzilla mentioned that privacy.resistFingerprinting needs to be enabled for this.
It’s disabled by default
A few weeks ago I installed an add-on called “Canvas Defender” to Firefox. I liked the way it provided warnings about fingerprinting on certain websites I visit regularly.
A few days after installing the add-on, I went online to a commercial website to pay one of my regular monthly bills, and everything seemed fine – no warnings about canvas fingerprinting.
However, when I tried to select certain options during the normal bill-pay process, my selections were not being seen and I kept getting kicked back to the “Please make a selection” menu over and over again.
I wasted time on the phone with customer service – getting the normal CSR script about cleaning my cache, etc. – but nothing worked.
Finally, I remembered the recently-installed “Canvas Defender” add-on and disabled it in the FF add-on menu.
I then went back to the commercial site – went back to the bill-pay area- and everything was back to normal and it went through without a hitch.
I’m just wondering if this new feature could cause similar problems on other websites in the future.
At this point, I still have the add-on set to disabled, for now.
“I’m just wondering if this new feature could cause similar problems on other websites in the future.”
I suspect that it will. One saving grace is that you have to choose “Don’t Allow” on each specific website but still, if you don’t notice broken functionality until a later visit will the user remember that permission being set? Or what happens when a website is optimized, redesigned or whatever in the future?
A few days ago I tried ordering a pizza online using Nightly and it would not work because Canvas Defender was enabled, there was no popup warning about possible fingerprinting. I have almost always used Pale Moon (no webextensions) when ordering anything online because that’s where most of my passwords are but then I also tried ordering that same pizza in FF v56 with the webext enabled and it worked fine. WTH?
I’m guessing that right now, in Firefox and Nightly, I have more sites whitelisted than are being actively blocked with bogus canvas image data. I have a list in a different comment, I think YouTube was on there so that I could enable the old format which I think works better with Magic Actions for YouTube (player sizes), also had to temp disable uBO to get the old format.
Hopefully Mozilla will do something like the about:config entry “full-screen-api.warning.timeout” so that the popup time can be modified or eliminated.
Canvas Defender works differently. https://www.ghacks.net/2017/10/28/firefox-58-warns-you-if-sites-use-canvas-image-data/#comment-4262579
Some extensions break payment sites as I have troubles making payments with Paypal and Cleverbridge. A way to get around this is to restart your browser in safe mode with all extensions disabled. Make your transaction and then restart your browser.
I usually run Ccleaner or BleachBit to clean out the cache after this and then generate new noise with Canvas Defender.
This is for security purposes.
Yeah! I guess security and privacy don’t mix.
Canvas wasn’t intended for tracking. Neither were images. But bad people do bad things. Good thing that they detect these things now.
Canvas Defender is garbage, contrary to the name, use Canvas Blocker, it can fake readouts etc so it doesn’t break stuff, blocking canvas period can break stuff.
Unfortunately Canvas Blocker was causing some webpages to take a long time to load. Had to uninstall it and then suddenly no problem.