[webkit-changes] [WebKit/WebKit] b680f8: Add general quirk for canvas2d fingerprinting

Matthew Finkel noreply at github.com
Thu Aug 31 12:06:14 PDT 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: b680f873f60959c6077d9a9297ab933a35d7bbf4
      https://github.com/WebKit/WebKit/commit/b680f873f60959c6077d9a9297ab933a35d7bbf4
  Author: Matthew Finkel <sysrqb at apple.com>
  Date:   2023-08-31 (Thu, 31 Aug 2023)

  Changed paths:
    M Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml
    M Source/WebCore/html/HTMLCanvasElement.cpp
    M Source/WebCore/page/Quirks.cpp
    M Source/WebCore/page/Quirks.h
    M Source/WebCore/platform/Logging.h
    M Tools/TestWebKitAPI/Tests/WebKit/AdvancedPrivacyProtections.mm

  Log Message:
  -----------
  Add general quirk for canvas2d fingerprinting
https://bugs.webkit.org/show_bug.cgi?id=260842
rdar://113039941

Reviewed by Wenson Hsieh.

In 266400@main I added a quirk for canvas fingerprinting that targeted specific
pages on two specific domains. As a follow up to that, this patch expands the
application of that quirk broadly by comparing attributes of the script instead
of looking at the specific document URL. This step is important because we know
protections against canvas fingerprinting cause breakage on some sites, and
there is likely greater impact than we're aware of at this time.

Similar to the current behavior, this patch relies on matching the last drawn
text string. In addition, it compares the dimensions of the canvas and the size
of the script. These characteristics seem sufficiently descriptive that we can
safely use them for identifying the target script.

This patch also introduces the CanvasFingerprintingQuirkEnabled preference for
controlling whether the quirk is available. It also adapts the existing API
test.

* Source/WTF/Scripts/Preferences/UnifiedWebPreferences.yaml:
* Source/WebCore/html/HTMLCanvasElement.cpp:
(WebCore::HTMLCanvasElement::toDataURL):
* Source/WebCore/page/Quirks.cpp:
(WebCore::Quirks::advancedPrivacyProtectionSubstituteDataURLForScriptWithFeatures const):
(WebCore::Quirks::shouldEnableCanvas2DAdvancedPrivacyProtectionQuirk const): Deleted.
(WebCore::Quirks::advancedPrivacyProtectionSubstituteDataURLForText const): Deleted.
* Source/WebCore/page/Quirks.h:
* Source/WebCore/platform/Logging.h:
* Tools/TestWebKitAPI/Tests/WebKit/AdvancedPrivacyProtections.mm:
(TestWebKitAPI::TEST):

Canonical link: https://commits.webkit.org/267513@main
