ungoogled-software / ungoogled-chromium

Google Chromium, sans integration with Google
BSD 3-Clause "New" or "Revised" License
20.81k stars 846 forks

Canvas::measureText() fingerprint deception not working #3051

Closed klack closed 1 month ago

klack commented 1 month ago

OS/Platform

Debian, Ubuntu, and derivatives

Installed

Flatpak

Version

129.0.6668.70

Have you tested that this is not an upstream issue or an issue with your configuration?

Description

Canvas::measureText() fingerprint deception does not appear to be working

How to Reproduce?

  1. Enable Canvas::measureText() fingerprint deception at chrome://flags/#fingerprinting-canvas-measuretext-noise
  2. Visit Font Fingerprinting test
  3. Verify Fingerprint does not change on page refresh

Actual behaviour

The font fingerprint does not change

Expected behaviour

A new hash should be calculated on refresh

Relevant log output

No response

Additional context

No response

PF4Public commented 1 month ago

Why would you expect it to be effective for font fingerprinting? It isn't.

klack commented 1 month ago

> Why would you expect it to be effective for font fingerprinting? It isn't.

We can read both the feature and the page linked, together:

"Scale the output values of Canvas::measureText() with a randomly selected factor in the range -0.0003% to 0.0003%, which are recomputed on every document initialization."

"Font fingerprinting techniques rely on measuring the dimensions of HTML elements filled with text or single Unicode glyphs."

klack commented 1 month ago

I suppose what I am seeking is something else entirely, so I will close this.

Ahrotahn commented 1 month ago

I think the confusion is that there are multiple different methods of font fingerprinting and that flag only deals with canvas fingerprinting. So the test you'd want to use is: https://browserleaks.com/canvas

The test you were using is for font enumeration, and there aren't any easy ways of dealing with that. Some browsers tried to deal with that by supplying a small set of fonts that are the only ones allowed to be used but that ends up breaking a lot of sites.
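The distinction drawn in the comment above can be checked directly with the following added example, which is not part of the thread or of the ungoogled-chromium project: it reads the same text once through Canvas `measureText()` and once through the layout size of an HTML element, and reports which value differs after a page reload. The test string, the font and the `sessionStorage` key are constructed for illustration.

```javascript
// Added example: compare the two measurement paths discussed in this thread.
// Paste into the DevTools console, reload the page, then run it again.
const SAMPLE = 'mmmmmmmmmmlli'; // constructed test string
const FONT = '72px monospace';  // constructed font choice

// Path 1: Canvas measureText(), the API named in the flag description.
function canvasWidth(doc, text = SAMPLE, font = FONT) {
  const ctx = doc.createElement('canvas').getContext('2d');
  ctx.font = font;
  return ctx.measureText(text).width;
}

// Path 2: layout width of an HTML element filled with the same text.
function elementWidth(doc, text = SAMPLE, font = FONT) {
  const span = doc.createElement('span');
  span.style.font = font;
  span.style.position = 'absolute';
  span.style.visibility = 'hidden';
  span.style.whiteSpace = 'nowrap';
  span.textContent = text;
  doc.body.appendChild(span);
  const width = span.getBoundingClientRect().width;
  span.remove();
  return width;
}

// One reading of both paths for the current document.
function snapshot(doc) {
  return { canvas: canvasWidth(doc), element: elementWidth(doc) };
}

// Report which path produced a different value on the next page load.
function compareLoads(prev, curr) {
  return {
    canvasChanged: prev.canvas !== curr.canvas,
    elementChanged: prev.element !== curr.element,
  };
}

// Browser only: keep the previous load's reading in sessionStorage.
if (typeof document !== 'undefined') {
  const KEY = 'measureTextNoiseCheck'; // hypothetical storage key
  const prev = JSON.parse(sessionStorage.getItem(KEY) || 'null');
  const curr = snapshot(document);
  sessionStorage.setItem(KEY, JSON.stringify(curr));
  console.log(curr, prev ? compareLoads(prev, curr) : 'reload and run again');
}
```

A result of `canvasChanged: true` with `elementChanged: false` is what the explanation above predicts when only the measureText flag is enabled.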

PF4Public commented 1 month ago

> Some browsers tried to deal with that by supplying a small set of fonts that are the only ones allowed to be used but that ends up breaking a lot of sites.

AFAIK Cromite does just that with the end-result being all websites use the same set of fonts and the web becomes "tasteless" (except for websites that don't use local fonts and rely on remote ones instead), but I didn't notice any real breakages, so that is definitely doable, but as usual it costs the convenience and usability. And yes, if you wonder, it can effortlessly pass the test mentioned.