因使用一个工具失败而探索到的关于隐私保护的问题

[Jasmine-liang]

使用WechatMomentScreenshot

这是一个开源的朋友圈转发截图生成器，适用于当你被迫转发文案集赞才能使用某种产品的情景。我在Chrome和Firefox都简单手动测试了一下功能。发现在Chrome上生成不了图片。我就去项目的issue逛了一下看到有人是因为使用广告拦截插件而看不到生成的图片。我把注意点转向了Chrome上安装的插件🤔

找到你了！ CanvasFingerprintBlock插件

非常粗暴地把每个插件都试了一遍，最后发现是这个插件在起作用。去Chrome web store看这个插件的介绍，再结合项目main.js里对toDataURL() 的使用，基本上这个插件是在防止生成的canvas向网站发送用户的个人数据。

Such websites do this by painting an image on a hidden HTML element and then taking a snapshot of it and posting the snapshot back to themselves. Because the exact pixel values in the drawn canvas can differ subtly from one set of hardware to another, these websites can use those differences to distinguish between visitors as well as to recognize specific visitors from one visit to the next. 我就很好奇是怎么从生成的canvas中的这些pixel values来辨别用户的。于是，我找到了一些解释。

Canvas fingerprinting的基本原理

Canvas fingerprinting works by exploiting the HTML5 canvas element: when a user visits a website their browser is instructed to “draw” a hidden line of text or 3D graphic that is then rendered into a single digital token, a potentially unique identifier to track users without any actual identifier persistence on the machine. Variations on installed GPU model, operating system and overall system performances cause the variations in the rendered digital token.

参考：

• https://blokt.com/guides/browser-fingerprinting

• https://en.wikipedia.org/wiki/Device_fingerprint

我还从 https://coveryourtracks.eff.org/ 这个网址上测试出我的Timezone, BrowserPlugin details（存在插件漏洞被利用风险）, Device memory等很多个人信息呢:(

可以做点小小抵抗

除了 Coveryyourtracks 这篇文章提到的措施外，依据不同的需求分开使用浏览器也是个办法。