Pale Moon forum

gHacks published recently an interesting article on How companies use Canvas Fingerprinting to track you online ( http://www.ghacks.net/2014/07/21/companies-use-canvas-fingerprinting-track-online/ ).

HTML5 Canvas is not in itself a bad thing, sometimes it is required but, as cookies, it is abused by certain domains to make it contribute to plain fingerprinting, that is tracking.

After having read that article I thought this practice was that of very few domains, and as I left that problematic aside.

Now, I've discovered a new add-on working nicely on Pale Moon 24.7.1 which is CanvasBlocker at https://addons.mozilla.org/en-US/firefox/addon/canvasblocker/
And now, a real surprise to discover the number of domains which actually use this HTML5 Canvas for fingerprinting. Amazing. Among my bookmarks, at this time perhaps around 10%

One can test the browser's Canvas support on http://www.browserleaks.com/canvas
With CanvasBlocker installed and enabled on a per-site basis, HTML5 Canvas Fingerprinting is forbidden for that site. The add-on handles white and black lists.
Enabled for the test site on Browserleaks.com, here is what appears, with my notice on the right :
It works, so I'll share this info for whom may be interested.

Did know already about canvas, but not about this add-on. Good info. Merci.

It's also blocked by having javascript blocked with NoScript. Not sure if I would ever want to block canvas fingerprinting on sites where I enable JS. And 3rd party sites are blocked by RequestPolicy so I think I'm OK on this. But I'll try to remember it's there if I need it.

Does anyone know if it is blocked by any of the adblock plus filter subscriptions? It is a javascript code anyway.

mikeysc wrote:It's also blocked by having javascript blocked with NoScript. Not sure if I would ever want to block canvas fingerprinting on sites where I enable JS. And 3rd party sites are blocked by RequestPolicy so I think I'm OK on this. But I'll try to remember it's there if I need it.

I use RequestPolicy as well. The point is it is the destination site/domain which may use Canvas fingerprinting. Also, blocking javascript on a wide scale is problematic unless you use NoScript, of course, and still, if you allow a site for javascript you'll have Canvas included.

Examples :

browserleaks.com (normal, it's a testing site),i24news.tv,shoutcast.com,msn.com,audionetwork.com,di.fm,panoramio.com,filemail.com,cnet.com,businessinsider.com,protonmail.ch,abc11.com,nytimes.com,nextinpact.com,site24x7.com (...)

All these sites use Canvas when it is not at all required for display, hence Canvas on those sites are nothing but fingerprinting.

Jonguy30 wrote:Does anyone know if it is blocked by any of the adblock plus filter subscriptions? It is a javascript code anyway.

Not that I know. A formal filter is difficult because Canvas (the script) is not harmful in itself, depends what is done about it, hence an Adblock filter dedicated to Canvas would require one rule and thousands of exceptions.

CanvasBlocker add-on lets the user decide and optionally stick a domain on white or black list. For example the default white list includes ^https?://(\w+\.)*google.[a-z]+/maps, because google maps called via google.tld/maps needs Canvas (when "old" google maps maps.google.tld does not)

Easy Privacy List says it "completely removes all forms of tracking from the internet, including web bugs, tracking scripts and information collectors, thereby protecting your personal data." I have it installed but don't know what to look for in the list. I wanted the version without whitelisting but that one appears to be defunct. (I'm using ABE not ABP but the list is the same as far as I can tell.)

Parsifal, I did understand that it (probably) would not be blocked when I enable a site in NoScript. But, I'm thinking that once JS is enabled you are giving a site access to lots of code tricks, so does one more matter? And I do block JS by default, and it is more trouble but for me that's OK. I already have 6 blocking extensions interacting, so I try to only add more if really needed.

mikeysc wrote:Parsifal, I did understand that it (probably) would not be blocked when I enable a site in NoScript. But, I'm thinking that once JS is enabled you are giving a site access to lots of code tricks, so does one more matter? And I do block JS by default, and it is more trouble but for me that's OK. I already have 6 blocking extensions interacting, so I try to only add more if really needed.

OK, mikesyc. Well, it's up to the user. Be it scripts (Canvas included), cookies and whatever had been done to ease the use of the web, the display and functionality of pages, most is diverted from primary aims. Good and bad is simple, but good occasionally bad and bad occasionally good is complex if not complicated. Rules with exceptions are no longer rules but plain pragmatism. Perhaps this is today's world, and perhaps this approach is healthier than the old demagogy of black/white. It's also the basis of intelligence, whatever meaning you give to that word.