Actual behavior
The app reads from the canvas, which triggers the permission dialog and reads random garbage. If this is sent to the backend, that garbage will be saved instead.
Expected behavior
Maybe the app can check if it has permissions before saving? And prevent saving + inform the user if it doesn't have them. In any case, garbage data shouldn't be sent.
How to test:
(Instructions for Firefox) Go to "about:config", search for privacy.resistFingerprinting and set it to true. When trying to save the drawing, the image will be garbage.
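
One way to do the check the report asks for, as an added example that is not the app's own code: paint a known colour on a scratch canvas, read it back, and refuse to upload when the pixels differ. The names `canvasReadbackIsTrustworthy`, `saveDrawing` and `fakeCanvasFactory` are hypothetical, and the fake canvas is a constructed stand-in so the check also runs outside a browser.

```javascript
// Added example: names below are hypothetical, not from the app in the report.
const PROBE = [12, 200, 77, 255]; // known opaque RGBA colour for the scratch canvas

// Paint a scratch canvas with PROBE and read it back. Any mismatch means the
// browser is not returning real pixels (e.g. canvas extraction is blocked).
function canvasReadbackIsTrustworthy(createCanvas) {
  const size = 4;
  const ctx = createCanvas(size, size).getContext("2d");
  ctx.fillStyle = `rgb(${PROBE[0]}, ${PROBE[1]}, ${PROBE[2]})`;
  ctx.fillRect(0, 0, size, size);
  const data = ctx.getImageData(0, 0, size, size).data;
  if (data.length !== size * size * 4) return false;
  return data.every((v, i) => v === PROBE[i % 4]);
}

// Guard for the save path: refuse to upload and tell the user instead.
function saveDrawing(canvas, createCanvas, send, notify) {
  if (!canvasReadbackIsTrustworthy(createCanvas)) {
    notify("Cannot read the canvas. Allow canvas access for this site and try again.");
    return false;
  }
  send(canvas.toDataURL("image/png"));
  return true;
}

// In a browser, createCanvas would be:
//   (w, h) => Object.assign(document.createElement("canvas"), { width: w, height: h })

// Constructed stand-in for a canvas so the check runs outside a browser.
// randomize=true imitates a browser that hands back garbage pixels.
function fakeCanvasFactory(randomize) {
  return (w, h) => ({
    getContext() {
      let fill = [0, 0, 0, 0];
      return {
        set fillStyle(css) { fill = [...css.match(/\d+/g).map(Number), 255]; },
        fillRect() {},
        getImageData() {
          const data = new Uint8ClampedArray(w * h * 4);
          for (let i = 0; i < data.length; i++) {
            data[i] = randomize ? (i * 37 + 11) % 256 : fill[i % 4];
          }
          return { data };
        },
      };
    },
    toDataURL: () => "data:image/png;base64,CONSTRUCTED",
  });
}
```

The probe read is itself a canvas read, so it can raise the same permission dialog the report describes; run it only when the user actually tries to save.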