mullvad / mullvad-browser

Privacy-focused browser for Linux, macOS and Windows. Made in collaboration between @torproject and @mullvad
https://mullvad.net/browser

Uploading images via Mullvad browser makes them unrecognizable #81

Closed ghost closed 1 year ago

ghost commented 1 year ago

Uploading images on any website via Mullvad browser makes images unrecognizable. Websites I tried are Instagram, eBay, Twitter and others. Works without issues with other browsers.

OS: Windows 11 Mullvad Browser Version: 12.0.4

Example on eBay: Screenshot 2023-04-24 130711

Twitter: Screenshot 2023-04-24 131624

Thorin-Oakenpants commented 1 year ago

whilst on the site, click the canvas exception (this is browser session only in MB)

ghost commented 1 year ago

> whilst on the site, click the canvas exception (this is browser session only in MB)
>
> * here's the steps and a pic - https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-rfp - the bit about canvas

That works. Thank you <3

LinuxOnTheDesktop commented 1 year ago

I think that the page you mean to link is this one - and that the part of the page at issue is the section headed, 'BREAKAGE'. That section tells one how to set a permanent per-site override. I presume that somehow security would be weakened were the feature somehow to be disabled for all sites.

1) Surely this breakage needs to be advertised to users of Mullvad-Browser.

2) 2a) The webpage at issue makes it somewhat hard to see how one should start to set a (temporary or permanent) per-site exception - but, in short: press ctrl-i. 2b) So far as I can see, the page does not actually inform the user as to what to do with the following resultant list of options (and note also that one must select the 'permissions' tab).


Thorin-Oakenpants commented 1 year ago

> I presume that somehow security would be weakened were the feature somehow to be disabled for all sites

There is no means for MB users to disable canvas protection globally (excluding disabling RFP itself)

TB/MB/FF-users-with-RFP all need those canvas unbreaking steps somewhere. It is not, repeat NOT, a security issue. It is a FPing issue. It's a bit more nuanced than just saying what I said on the wiki page as below

> Assuming it is even fingerprinting and the exact same canvas test is widespread, this does not compromise your fingerprint - it is a single metric and only on those sites you exempt.

There are/may be issues with cascading "permissions" - e.g. 3rd party iframes (I would need to check), and then if you have logged into a site and you exempt, it may still not be your real ID, and there are cases where it is prudent to still spoof. It may be possible in the future to subtly randomize if exempted

PS: the best method to indicate canvas as a possible issue, and to control it, is the canvas icon in the urlbar - as per my pic on the wiki

LinuxOnTheDesktop commented 1 year ago

@Thorin-Oakenpants: there is a danger that your comments, which are of a technical nature, will obscure the points of mine that I numbered '1' and '2' respectively. Those points summarise thusly: the Mullvad Browser needs to tell users about this breakage and to advise them - clearly and succinctly - what they might do about it.

Thorin-Oakenpants commented 1 year ago

This is a closed issue ... and has now for some reason evolved into a discussion about how to inform users - not the actual info that will be presented. Mullvad already knows, and will be improving the faq

My first point was to correct you on the issue of security. The second was to once again, show the simplest method (urlbar canvas icon) as it is 1) an instant visual check/clue and 2) a faster method to toggle. All the rest is for other readers. As someone who has been working with Tor Uplift, TB, MB, etc - for many years - including UX - I don't need to be educated on this subject thank you

ruihildt commented 1 year ago

@LinuxOnTheDesktop Canvas breakages are hard to reliably communicate to the users, as the behavior of the notifications depends on multiple factors.

In general, we're looking into improving the user experience, but it will be a long process.

LinuxOnTheDesktop commented 1 year ago

@ruihildt

Right. Still: the browser, or some release notes, or a download page, or similar, could tell the prospective user that X, Y and Z might be broken.

(EDITED to make a small change to punctuation.)

ruihildt commented 1 year ago

You're right, and we will continue updating our FAQ based on your and other users' feedback. I'll be looking into creating an FAQ on what to do when something doesn't work.

I've started adding a site breakage tag to issues related to broken experience as well, to get a better sense of it.