Closed Bug 1422862 Opened 8 years ago Closed 4 months ago

Make OffscreenCanvas respect Canvas Permission Prompt so you don't always get a placeholder

Categories

(Core :: Graphics: Canvas2D, enhancement, P3)

Product:
Core
Component:
Graphics: Canvas2D
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
141 Branch
Tracking Flags:
Tracking Status
firefox-esr140 --- fixed
firefox59 --- wontfix
firefox141 --- fixed

People

(Reporter: tjr, Assigned: fkilic)

References

(Blocks 1 open bug)

Details

(Whiteboard: [fingerprinting][gfx-noted][fp-triaged][fpp:m8])

Attachments

(6 files)

Bug 1422862: Check canvas permission in offscreen canvas. r?tjr
48 bytes, text/x-phabricator-request
Details | Review
Bug 1422862: Show canvas permission prompt for offscreen canvases. r?tjr
48 bytes, text/x-phabricator-request
Details | Review
Bug 1422862: Implement IsImageExtractionAllowed_impl. r?tjr
48 bytes, text/x-phabricator-request
Details | Review
Bug 1422862: Check canvas permission in offscreen canvas. r?tjr
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-esr140+
Details | Review
Bug 1422862: Show canvas permission prompt for offscreen canvases. r?tjr
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-esr140+
Details | Review
Bug 1422862: Implement IsImageExtractionAllowed_impl. r?tjr
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-esr140+
Details | Review
We have a permission prompt for Canvas we added in Bug 967895. Some light testing indicates that OffscreenCanvas does not trigger the prompt.
Whiteboard: [fingerprinting] → [fingerprinting][gfx-noted]
Here is a page to reproduce this issue, https://lyuyuan92.github.io/test_canvas_on_and_off_screen.html With gfx.offscreencanvas.enabled and privacy.resistFingerprinting set to True, Firefox allows OffscreenCanvas API call without prompting the user.
Blocks: uplift_tor_fingerprinting
Whiteboard: [fingerprinting][gfx-noted] → [fingerprinting][gfx-noted][fp-triaged]

This test case works with my latest patches (in flight on autoland still) but there is no permissions prompt still.

If I understand this correctly, should the prompt only show when the raw pixels are exposed to JavaScript? I presume that is why copyOne triggers the prompt, because this line pulls out the data:

https://github.com/0x00A5/lyuyuan92.github.io/blob/master/test_canvas_on_and_off_screen.html#L30

but createTwo moves it around via an ImageBitmap, it doesn't:

https://github.com/0x00A5/lyuyuan92.github.io/blob/master/test_canvas_on_and_off_screen.html#L40-L41

I would only expect the prompt to be generated for Canvas2D.getImageData and HTMLCanvasElement.toDataURL (maybe HTMLCanvasElement.toBlob?). So it doesn't seem like there is actually a problem here....

Yes, this sounds like we misunderstood the feature when we initially filed this bug (so as not to forget about it.) If there is no way for an OffscreenCanvas to actually give its rendered content via an API (like there is for canvas through e.g. toDataURL), and all it can do it stick it into a canvas (where permission prompts work) or another object that can't be read via Javascript (like an <img> tag) - then we are fine here.

Flags: needinfo?(aosmond)
Severity: normal → S3

If there is no way for an OffscreenCanvas to actually give its rendered content via an API (like there is for canvas through e.g. toDataURL),

There are ways to get the rendered content out of the OffscreenCanvas, e.g. convertToBlob() or transferToImageBitmap().

It seems like we currently check ShouldResistFingerprinting(RFPTarget::CanvasImageExtractionPrompt) in OffscreenCanvas::ConvertToBlob, but there doesn't seem to be any way to actually show a prompt. (Which might be tricky to do, I guess, because OffscreenCanvas can run on a Worker thread) So to me it seems like we will always get a placeholder image when using this API.

Flags: needinfo?(tihuang)

So transferToImageBitmap gives you an ImageBitmap, and I get the impression from MDN that the only useful thing you can do with that is put it into a canvas. (Which will lead to the normal canvas extraction paths.) I guess you can measure the width and height, which could leak data - except maybe these values are fixed to the initial size you specify when you create the OffscreenCanvas...?

convertToBlog gives you a Blob, which I see does have e.g. arrayBuffer() which will let you see the actual contents. That's definitely a problem. You're right - we don't do any permission checking here so you're always getting a placeholder.

OffscreenCanvas has a GlobalObject associated with it when its created, so it seems like we ought to be able to call IsImageExtractionAllowed?

OffscreenCanvas has a GlobalObject associated with it when its created, so it seems like we ought to be able to call IsImageExtractionAllowed?

The current code in IsImageExtractionAllowed is unlikely to work without changes in a Worker context. It seems to require a Document and I think not all Workers are associated with a document (but I keep forgetting why, maybe SharedWorker or ServiceWorkers?). We would probably also need to dispatch the call to the main thread.

We might be able to trigger the canvas prompt from the worker context. If the canvas prompt is requested from a content process, it sends an IPC message to the parent process via the browserChild. So, if we can access the browserChild in the worker context, we can use it to show the prompt.

The workerLoadInfo maintains a browserChild list, so we probably can use an active browserChild to request canvas prompt. However, this might not work for service workers because it could run without any opened tab for its origin. In this case, we can only check the canvas permission.

Flags: needinfo?(tihuang)

Hey,

my investigation in Element (the 'official' Matrix client) yielded finding this bug, so I'd add its issue link here, in hopes of this getting a bit more priority:

https://github.com/element-hq/element-web/issues/23936

Tom, you were just in this code, it seems like it might be an easy fix?

Flags: needinfo?(aosmond) → needinfo?(tschuster)
Whiteboard: [fingerprinting][gfx-noted][fp-triaged] → [fingerprinting][gfx-noted][fp-triaged][fpp:m8]

I don't think this is easy per se. While can use the BrowserChild to prompt for canvas extraction permission, we actually need to use nsIPermissionManager to query for it. That interface does not look thread-safe.

Flags: needinfo?(tschuster)
Summary: Make OffscreenCanvas respect Canvas Permission Prompt → Make OffscreenCanvas respect Canvas Permission Prompt so you don't always get a placeholder
Assignee: nobody → fkilic
Status: NEW → ASSIGNED
Blocks: 1918690

(Given there are known real world breakages)

Webcompat Priority: --- → ?
Keywords: webcompat:platform-bug

Actually never mind, this is disabled by default.

Webcompat Priority: ? → ---
Keywords: webcompat:platform-bug

The following patches are waiting for review from an inactive reviewer:

ID Title Author Reviewer Status
D222686 Bug 1422862: Check canvas permission in offscreen canvas. r?tjr fkilic jgilbert: Disabled
D222687 Bug 1422862: Show canvas permission prompt for offscreen canvases. r?tjr fkilic jgilbert: Disabled
D227385 Bug 1422862: Implement IsImageExtractionAllowed_impl. r?tjr fkilic jgilbert: Disabled

:fkilic, could you please find another reviewer or abandon the patch if it is no longer relevant?

For more information, please visit BugBot documentation.

Flags: needinfo?(fkilic)

Changed it to gfx-reviewers

Flags: needinfo?(fkilic)
Pushed by amarc@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/414cd1ce2e11 https://hg.mozilla.org/integration/autoland/rev/cd5ee27a8527 Revert "Bug 1422862: Implement IsImageExtractionAllowed_impl. r=tjr,gfx-reviewers,nical" for causing bc failures @ browser_etp_permission.js

Backed out for causing bc failures @ browser_etp_permission.js

Flags: needinfo?(fkilic)

Thank you I'll look into it

Flags: needinfo?(fkilic)

https://hg.mozilla.org/mozilla-central/rev/386dab1ef198
https://hg.mozilla.org/mozilla-central/rev/492226fffccc
https://hg.mozilla.org/mozilla-central/rev/c4efb37a6427

Status: ASSIGNED → RESOLVED
Closed: 4 months ago
status-firefox141: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 141 Branch
QA Whiteboard: [qa-triage-done-c142/b141]

This patch uses a Runnable to get "canvas" permission for the given principal in the main thread.
The runnable is only dispatched if we are not in main thread.

Original Revision: https://phabricator.services.mozilla.com/D222686

Attachment #9498383 - Flags: approval-mozilla-esr140?

This patch implements IsImageExtractionAllowed for Offscreen Canvas. It gets the windowId from offscreen canvas, queries it, attempts to get window's document, shows canvas permission prompt if successful.

Original Revision: https://phabricator.services.mozilla.com/D222687

Attachment #9498384 - Flags: approval-mozilla-esr140?
Attachment #9498387 - Flags: approval-mozilla-esr140?

To be clear, we are requesting uplift to put this into ESR for Tor. It affects he behavior of Resist Fingerprinting, but not for supported FF users. It doesn't need to be uplifted, but given that it's been stable for us and doesn't change the functionality of ESR we thought we'd ask.

Attachment #9498387 - Flags: approval-mozilla-esr140? → approval-mozilla-esr140+
Attachment #9498384 - Flags: approval-mozilla-esr140? → approval-mozilla-esr140+
Attachment #9498383 - Flags: approval-mozilla-esr140? → approval-mozilla-esr140+
Regressions: 1976447
Regressions: 1985073
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: