Hi Chris!
Canvas is a very popular GPU fingerprinting vector and allowing it offscreen sounds like a more convenient way to perform such an attack on user privacy. Do you know if Blink or Gecko have elaborated on this? What is your assessment?
Given the cross-engine effort to fight device fingerprinting and WebKit and Gecko’s recently published tracking prevention policies, we should do a threat analysis of this feature.
Regards, John
On Oct 10, 2019, at 4:24 AM, Chris Lord <clord@igalia.com> wrote:
Hi all,
I've spent the last month or so 'finishing' the implementation of OffscreenCanvas[1], based on Žan Doberšek's work from a year ago[2]. OffscreenCanvas is an API for being able to use canvas drawing without a visible canvas, and from within Workers. It's supported by Blink and has partial support in Gecko.
It's at the point now where I'd consider it a finished draft - it is almost fully implemented and passes the majority of relevant tests in a debug build without crashing, but has some areas that need completion on other platforms (async drawing on non-Linux) and some missing parts (Web Inspector, ImageBitmapRenderingContext). It almost certainly needs reworking in places.
My work is on GitHub[3] - I'd like to solicit reviews and comment. Some of the bugs hanging off [2] have patches that need review and I think are near ready to be landable as the foundation of this work. It is broadly split up like so:
- Refactor to move functionality from HTMLCanvasElement to CanvasBase
- Refactor to not unnecessarily require HTMLCanvasElement in places
- Implement OffscreenCanvas functionality
- Make font loading/styling usable from a Worker and without a Document
- Implement AnimationFrameProvider on DedicatedWorkerGlobalScope
- Implement asynchronous drawing updates on placeholder canvases
I expect the font-related stuff to be the most contentious, and my AnimationFrameProvider implementation may be too trivial (but might be ok for a first go?)
All feedback appreciated.
Best regards,
Chris
[1] https://html.spec.whatwg.org/multipage/canvas.html#the-offscreencanvas-inter...
[2] https://bugs.webkit.org/show_bug.cgi?id=183720
[3] https://github.com/Cwiiis/webkit/tree/offscreen-canvas