Canvas Fingerprinting

[freddyb]

(This repo seems to have some sort of privacy tendency, so I'll rant a bit about Canvas Fingerprinting. If this is not a welcome forum, feel free to close this issue)

Canvas fingerprinting is a tricky problem. Websites can use the Canvas API to draw pixels and use system fonts as well as hardware specific rendering behavior to track a user and assign them a specific fingerprint, which has enough entropy to recognize them in the future (see wikipedia)

I don't think you want to disable canvas, completely though. It's heavily used in many useful apps. The Tor Browser (Firefox + patches from the Tor project) tackles this by disabling reading from the canvas, which you can allow for each individual call (you get a "doorhanger UI", which is what most people know from Geolocation).

[jomo]

See also: evercookie and Tracking using ETags.

[LazerPanther]

CanvasBlocker via GitHub CanvasBlocker via addons.mozzilla

This add-on allows users to prevent websites from using the Javascript API to fingerprint them. Users can choose to block the API entirely on some or all websites (which may break some websites) or just block or fake its fingerprinting-friendly readout API.

It has the following modes:

• block readout API
• fake readout API
• ask for readout API permission
• block everything
• allow only white list
• ask for permission
• block only black list
• allow everything

[valpackett]

Privacy Badger 1.0 disables third party domains that do this

[Atavic]

Another option is Canvas Defender. The differences from CanvasBlocker are discussed here: CanvasBlocker vs Canvas Defender.

Also, PDF files may trigger canvas fingerprinting.