joue-quroi / canvas-fingerprint-blocker

Block HTML canvas element from being used for fingerprinting purposes
http://add0n.com/canvas-fingerprint-blocker.html

Canvas Blocker will cause website auto jump failure #1

Open crptjm59810 opened 6 years ago

crptjm59810 commented 6 years ago

Canvas Blocker has a bug on Chrome; I tested it on Firefox, which also has this bug. Canvas Blocker will cause website auto jump failure. You can reproduce it at this link: http://codersclub.org/discuzx/member.php?mod=register No matter whether you log in or register, the page does not auto jump. Maybe adding an option to keep the same canvas fingerprint for a while, like 5 minutes, would solve it.

ganlvtech commented 5 years ago

DiscuzX uses an XML document as the response. That causes the script to be injected. But we only want inject.js to be injected into HTML.

ganlvtech commented 5 years ago

Description

A <form> targets an iframe, and then the form is submitted. The iframe gets the result in XML format. Because it doesn't have the document.documentElement.dataset attribute.

Steps to reproduce

  1. Create a form element.
  2. Create an iframe element.
  3. Set the form target to the iframe.
  4. Set the form URL to somewhere that may respond with an XML result.
  5. Post the form.

index.html

<iframe name="my_iframe" onload="my_iframe_onload()"></iframe>
<form action="submit.php" method="POST" target="my_iframe">
    <input type="submit">
</form>
<script>
    function my_iframe_onload() {
        console.log(document.getElementsByName("my_iframe")[0].contentWindow.document.documentElement.textContent);
    }
</script>

submit.php

<?php
header('Content-Type: text/xml');
?><?xml version="1.0" encoding="UTF-8"?>
<root><![CDATA[Hello]]></root>

Expected result

Hello

Actual result

{
  const toBlob = HTMLCanvasElement.prototype.toBlob;
  const toDataURL = HTMLCanvasElement.prototype.toDataURL;

  ......

  document.documentElement.dataset.htGfd = true;
}Hello

System Information

Windows 10 64-bit Chrome 73
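
One way a content script could skip XML responses like the submit.php reply above, as an added example that is not the extension's own code: it checks the document type before injecting, so the iframe's root keeps only its original text. The names isInjectableHtml, injectGuarded and mockDoc are hypothetical, and mockDoc is a constructed stand-in for a DOM document so the block runs under Node.

```javascript
// Added example: decide whether a content script may inject into a document.
// isInjectableHtml, injectGuarded and mockDoc are hypothetical names.
const XHTML_NS = 'http://www.w3.org/1999/xhtml';

function isInjectableHtml(doc) {
  const root = doc && doc.documentElement;
  if (!root) return false;
  // A text/xml response is parsed as an XML document; its root is not <html>.
  const type = doc.contentType;
  if (type !== 'text/html' && type !== 'application/xhtml+xml') return false;
  if (root.namespaceURI !== XHTML_NS || root.localName !== 'html') return false;
  // dataset exists on HTML elements only; a plain XML element does not have it.
  return typeof root.dataset === 'object' && root.dataset !== null;
}

function injectGuarded(doc, source) {
  if (!isInjectableHtml(doc)) return false; // leave XML responses untouched
  const script = doc.createElement('script');
  script.textContent = source;
  doc.documentElement.appendChild(script);
  // Same dataset flag as in the output above; this write would throw on an XML root.
  doc.documentElement.dataset.htGfd = true;
  return true;
}

// Constructed stand-in for a DOM document (sample data, not a real browser object).
function mockDoc(contentType, localName, text, isHtml) {
  const children = [{ textContent: text }];
  const root = {
    localName,
    namespaceURI: isHtml ? XHTML_NS : null,
    appendChild(node) { children.push(node); return node; },
    get textContent() { return children.map(c => c.textContent).join(''); },
  };
  if (isHtml) root.dataset = {};
  return { contentType, documentElement: root, createElement: () => ({ textContent: '' }) };
}

const xmlDoc = mockDoc('text/xml', 'root', 'Hello', false);  // like the submit.php response
const htmlDoc = mockDoc('text/html', 'html', 'Page', true);  // an ordinary HTML page
console.log(injectGuarded(xmlDoc, '{ /* patch */ }'), xmlDoc.documentElement.textContent);
console.log(injectGuarded(htmlDoc, '{ /* patch */ }'), htmlDoc.documentElement.dataset.htGfd);
```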