[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #18390 [Tor Browser]: PDF.js triggers canvas fingerprinting warning for some PDFs



#18390: PDF.js triggers canvas fingerprinting warning for some PDFs
-------------------------+---------------------------
 Reporter:  xcolour      |          Owner:  tbb-team
     Type:  defect       |         Status:  closed
 Priority:  Medium       |      Milestone:
Component:  Tor Browser  |        Version:
 Severity:  Normal       |     Resolution:  not a bug
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
  Sponsor:               |
-------------------------+---------------------------
Changes (by cypherpunks):

 * status:  new => closed
 * resolution:   => not a bug


Comment:

 Replying to [ticket:18390 xcolour]:
 > It looks like this was fixed in #10570 for the Firefox-local version of
 PDF.js, but (perhaps intentionally) not for PDF.js if it's being served by
 the website.

 Naturally. Tor Project developers can only vouch for the code they ship,
 not whatever any random website pushes to you.

 > Is this a bug in Tor Browser's canvas fingerprinting detection, or is
 what PDF.js is doing simply indistinguishable from a fingerprinting
 attempt?

 It is indistinguishable because fingerprinting is (potentially) what the
 site is doing. Tor Browser cannot guess "intent" so it has to be
 conservative and block access to canvas.

 It's not a bug. Tor Browser is doing what it's supposed to do.

 Now, if the pdf.js guys are willing to workaround it, they could try to
 avoid looking "into" the canvas: no getImageData, no
 to{Blob,Url,File,...}, etc.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18390#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs