Issues with Canvas Poisoning

Unread post by noellarkin » 2024-06-06, 10:17

IIRC Pale Moon was the first browser to come up with a canvas poisoning feature, to resist browser fingerprinting.
However, it seems these days, one of the ways platforms check for spoofed canvas is by checking if the canvas hash changes on subsequent page loads. Canvas hash may change over time, but if it changes between 2 page loads, then it's a red flag that the canvas is being poisoned. Is there any way to implement canvas poisoning that is at least consistent for one browser session?

Unread post by Moonchild » 2024-06-06, 10:42

noellarkin wrote:
2024-06-06, 10:17
Is there any way to implement canvas poisoning that is at least consistent for one browser session?
Of course there is, but a browser session would be (much) too long of a period because one browser session allows extensive tracking across sites. So if we'd want to do this, then we'd need to use a different metric to determine when to "not be random".

Unread post by noellarkin » 2024-06-06, 11:24

Could that be a setting left for the user to determine? E.g.: refresh poisoned canvas every x hours/days?
OR
completely manual, like a button in preferences that says "refresh canvas"

Unread post by Bilbo47 » 2024-06-06, 19:49

Moonchild wrote:
2024-06-06, 10:42
a browser session would be too long of a period because one browser session allows extensive tracking across sites.
Agree. Blue sky idea: What about per-site within a session? Unsure if this even makes sense.

Unread post by andyprough » 2024-06-06, 23:15

noellarkin wrote:
2024-06-06, 11:24
Could that be a setting left for the user to determine? E.g.: refresh poisoned canvas every x hours/days?
OR
completely manual, like a button in preferences that says "refresh canvas"
Have you tried the Canvas Blocker Legacy extension that's on the Pale Moon add-ons page? https://addons.palemoon.org/addon/canvasblocker-legacy/

It's got a lot of options - whitelisting sites, changing the mode you use to block, changing the random number persistence, protecting different APIs. I don't always use it, but when I do I find that any problems I have with websites are easily resolved by whitelisting them.

Unread post by noellarkin » 2024-06-07, 04:27

andyprough wrote:
2024-06-06, 23:15
Have you tried the Canvas Blocker Legacy extension that's on the Pale Moon add-on's page? https://addons.palemoon.org/addon/canvasblocker-legacy/
I have. IIRC there are a few modes - one mode does the random poisoning thing. The other mode returns a persistent faked canvas value, but it's the same value that can never be refreshed/changed.

Unread post by noellarkin » 2024-06-07, 04:29

noellarkin wrote:
2024-06-06, 11:24
completely manual, like a button in preferences that says "refresh canvas"
It seems to me that this would be the easiest to implement - leave it up to the user to determine how frequently they want to refresh the canvas.

Unread post by Moonchild » 2024-06-07, 10:34

noellarkin wrote:
2024-06-07, 04:29
noellarkin wrote:
2024-06-06, 11:24
completely manual, like a button in preferences that says "refresh canvas"
It seems to me that this would be the easiest to implement - leave it up to the user to determine how frequently they want to refresh the canvas.
It's the least desirable and actually a lot more complicated to implement (requires permanently storing the poisoning somewhere, requires UI additions, l10n, etc.). The whole point of anti-fingerprinting stuff is that it happens automatically in the background. I have a way to improve this pretty easily since it's all pseudorandom (and not truly random) anyway so the poisoning can be made to behave consistently without a lot of added complexity. I'll just have to use a wet finger to set some sane defaults for rotation.

EDIT: Filed Issue #2524 (UXP); making the granularity user-configurable is actually easy.

Unread post by noellarkin » 2024-06-07, 14:42

Moonchild wrote:
2024-06-07, 10:34
EDIT: Filed Issue #2524 (UXP); making the granularity user-configurable is actually easy.
Thank you!

Unread post by andyprough » 2024-06-18, 23:30

Moonchild wrote:
2024-06-07, 10:34
EDIT: Filed Issue #2524 (UXP); making the granularity user-configurable is actually easy.
So now that we have the canvas.poisondata.interval preference with Pale Moon 33.2.0 I wonder what the ideal interval will be? I think the 5 minute default seems good, but if we make it an 8 hour interval and we restart the browser several times will we be able to get rotation on the poisoning with each browser restart? Or will it stay the same throughout the entire 8 hour period regardless of restarts?

Just curious.

Unread post by Moonchild » 2024-06-18, 23:38

andyprough wrote:
2024-06-18, 23:30
if we make it an 8 hour interval and we restart the browser several times will we be able to get rotation on the poisoning with each browser restart? Or will it stay the same throughout the entire 8 hour period regardless of restarts?
It will survive browser restarts; it's purely time-locked the way I've implemented it.
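
The time-locked behaviour described above, sketched as an added example (not part of the original post and not Pale Moon/UXP code): the noise is seeded from the current interval number alone, so canvas readbacks hash identically within an interval and across restarts, then rotate at the boundary. The function names, the low-bit noise and seeding from the clock only are assumptions; 300 s corresponds to the 5 minute default mentioned in the thread.

```javascript
// Added illustration, not Pale Moon/UXP source. All function names are hypothetical.

// 32-bit FNV-1a; stands in for the hash a fingerprinting script computes.
function fnv1a(bytes) {
  let h = 0x811c9dc5;
  for (const b of bytes) h = Math.imul(h ^ b, 0x01000193) >>> 0;
  return h;
}

// mulberry32-style seeded PRNG: same seed, same noise stream.
function seededRng(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return (t ^ (t >>> 14)) >>> 0;
  };
}

// Assumption: the seed is derived from the wall-clock interval number only,
// so nothing has to be stored and a restart inside the interval changes nothing.
function intervalSeed(nowMs, intervalSec) {
  const bucket = Math.floor(nowMs / (intervalSec * 1000));
  return fnv1a(Array.from(String(bucket), (c) => c.charCodeAt(0)));
}

// Return a poisoned copy of RGBA data: flip the low bit of some colour channels.
function poisonPixels(rgba, nowMs, intervalSec) {
  const rand = seededRng(intervalSeed(nowMs, intervalSec));
  const out = Uint8ClampedArray.from(rgba);
  for (let i = 0; i < out.length; i++) {
    if (i % 4 !== 3) out[i] ^= rand() & 1; // leave alpha untouched
  }
  return out;
}

// What a page would see if it hashed the canvas readback at time nowMs.
function readbackHash(rgba, nowMs, intervalSec) {
  return fnv1a(poisonPixels(rgba, nowMs, intervalSec));
}

// Constructed sample input: a 16x16 opaque gradient.
function samplePixels() {
  const px = new Uint8ClampedArray(16 * 16 * 4);
  for (let i = 0; i < px.length; i++) px[i] = i % 4 === 3 ? 255 : (i * 7) & 0xff;
  return px;
}
```

Because `poisonPixels` keeps no state, calling it again after a simulated restart with a timestamp in the same interval reproduces the same bytes.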

Unread post by andyprough » 2024-06-19, 03:05

Moonchild wrote:
2024-06-18, 23:38
It will survive browser restarts; it's purely time-locked the way I've implemented it.
OK good to know, thanks!
