Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Firefox: Thumbnails generated with canvas are random data when privacy.resistFingerPrinting and canvas access is enabled #23936

Open
karolyi opened this issue Dec 7, 2022 · 10 comments
Labels
A-Media O-Uncommon Most users are unlikely to come across this or unexpected workflow S-Minor Impairs non-critical functionality or suitable workarounds exist T-Defect X-Regression

Comments

@karolyi
Copy link

karolyi commented Dec 7, 2022

Steps to reproduce

Hey,

Not sure this is a Firefox bug, or a bug in the way Element deals with locally generated thumbnails. Here's how to reproduce:

  • Enable privacy.resistFingerprinting, and disable privacy.resistFingerprinting.autoDeclineNoUserInputCanvasPrompts in firefox (so the canvas access request could be shown)
  • Post an image/video with big enough resolution so that element will want to create a thumbnail for it
  • Instead of the thumbnail, garbage (mostly stripes) appears

My former related comment on a closed issue: #9605 (comment)

Outcome

What did you expect?

A thumbnail should have been generated properly.

What happened instead?

Random data shown as thumbs on all ends:
image

Operating system

Firefox with Linux, but I think it's OS independent

Browser information

Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0

URL for webapp

app.element.io

Application version

it's the latest element

Homeserver

doesn't matter, it's a client side issue

Will you send logs?

Yes

@karolyi
Copy link
Author

karolyi commented Dec 7, 2022

It seems that other canvas using sites handle canvas access properly, like this site: https://browserleaks.com/canvas

I think this must be an element bug.

@turt2live turt2live added X-Regression S-Minor Impairs non-critical functionality or suitable workarounds exist A-Media O-Uncommon Most users are unlikely to come across this or unexpected workflow labels Dec 7, 2022
@fxbrit
Copy link

fxbrit commented Dec 9, 2022

hello! I reproduced the same issue on my end.

FYI the uploaded images are not actually broken once opened, it's just the thumbnails; since user avatars are also rendered correctly I can confidently say canvas permission in Firefox is working fine.

@t3chguy
Copy link
Member

t3chguy commented Dec 12, 2022

since user avatars are also rendered correctly I can confidently say canvas permission in Firefox is working fine.

User avatars aren't rendered using canvases though? They're just straight up <img /> tags of the avatars. Canvases are used to generate thumbnails and other such mediums, not to render them. So if the canvas implementation is disabled or made to return invalid data then it is unavoidable.

@fxbrit
Copy link

fxbrit commented Dec 12, 2022

I didn't express myself well at all here, sorry. everything I said above applies to the case in which canvas permission has been allowed to Element using Firefox's UI.

I mentioned user avatars because before one allows canvas access their background looks striped, but after you allow it and reload the page it's a solid color.

They're just straight up <img /> tags of the avatars.

is this also true for the auto-generated ones that are simply a letter + a solid color (eg. in this issue we have a blue background and a white letter K)?

@t3chguy
Copy link
Member

t3chguy commented Dec 12, 2022

The auto-generated ones do indeed use canvas to generate the data uri for the <img /> tag

clarkf added a commit to clarkf/matrix-react-sdk that referenced this issue Jan 26, 2023
Firefox users with `resistFingerprinting` enabled were seeing random noise
for rooms and users without avatars. There's no real reason to use data
URLs to present flat colors.

This converts non-image avatars to inline blocks with background colors.

See element-hq/element-web#23936

Signed-off-by: Clark Fischer <clark.fischer@gmail.com>
clarkf added a commit to clarkf/matrix-react-sdk that referenced this issue Jan 26, 2023
Firefox users with `resistFingerprinting` enabled were seeing random noise
for rooms and users without avatars. There's no real reason to use data
URLs to present flat colors.

This converts non-image avatars to inline blocks with background colors.

See element-hq/element-web#23936

Signed-off-by: Clark Fischer <clark.fischer@gmail.com>
clarkf added a commit to clarkf/matrix-react-sdk that referenced this issue Jan 27, 2023
Firefox users with `resistFingerprinting` enabled were seeing random noise
for rooms and users without avatars. There's no real reason to use data
URLs to present flat colors.

This converts non-image avatars to inline blocks with background colors.

See element-hq/element-web#23936

Signed-off-by: Clark Fischer <clark.fischer@gmail.com>
@andybalaam
Copy link
Member

Element's favicon also appears corrupted when privacy.resistFingerPrinting is true:

image

andybalaam added a commit to matrix-org/matrix-react-sdk that referenced this issue Jan 30, 2023
* Strict typechecking fixes for Base/Member/Avatar

Update the core avatar files to pass `--strict --noImplicitAny` typechecks.

Signed-off-by: Clark Fischer <clark.fischer@gmail.com>

* Add tests for Base/Member/Avatar

More thoroughly test the core avatar files. Not necessarily the most thorough,
but an improvement.

Signed-off-by: Clark Fischer <clark.fischer@gmail.com>

* Extract TextAvatar from BaseAvatar

Extracted the fallback/textual avatar into its own component.

Signed-off-by: Clark Fischer <clark.fischer@gmail.com>

* Use standard HTML for non-image avatars

Firefox users with `resistFingerprinting` enabled were seeing random noise
for rooms and users without avatars. There's no real reason to use data
URLs to present flat colors.

This converts non-image avatars to inline blocks with background colors.

See element-hq/element-web#23936

Signed-off-by: Clark Fischer <clark.fischer@gmail.com>

* Have pills use solid backgrounds rather than colored images

Similar to room and member avatars, pills now use colored pseudo-elements
rather than background images.

Signed-off-by: Clark Fischer <clark.fischer@gmail.com>

---------

Signed-off-by: Clark Fischer <clark.fischer@gmail.com>
Co-authored-by: Andy Balaam <andy.balaam@matrix.org>
@t3chguy
Copy link
Member

t3chguy commented Jan 30, 2023

Default avatars in notifications will also be corrupted

@karolyi
Copy link
Author

karolyi commented Dec 21, 2023

Okay, I had two days to investigate this issue further.

It seems that RFP mode in Firefox doesn't trigger the "do you want to allow canvas access" for OffscreenCanvas instances — no matter what the privacy.resistFingerprinting.autoDeclineNoUserInputCanvasPrompts config value is.

Whenever I use the document.createElement('canvas'), FF/Librewolf notifies me of the current page wanting to access canvas data (provided privacy.resistFingerprinting.autoDeclineNoUserInputCanvasPrompts is set to false), which then I can allow, and on the second paste, canvas.drawImage() draws the loaded image on the canvas properly, that can be extracted as a proper thumbnail.

As long as this is not fixed in Firefox (upstream from Librewolf), the off-screen-canvas thumbnail generation method won't work. Even worse, there is not an easy way of detecting if RFP is on, but juraj.maslar on the mozilla forums figured out a hacky way to do it:

https://discourse.mozilla.org/t/how-to-detect-privacy-resistfingerprinting/111798/3

Using this method, it would be possible to fall back to the 'old' canvas creation method that works with RFP, until Firefox unfucks this.

I'll attach a quick playground to test this, cobbled together from the (to me very messy) element code, and report the bug to Mozilla, if there isn't any reported yet.

test.tar.gz

Anyone want me to prepare a PR with a fix for this with the workaround linked above?

@karolyi
Copy link
Author

karolyi commented Dec 21, 2023

Update, it seems there is a bug filed on this behavior already:
https://bugzilla.mozilla.org/show_bug.cgi?id=1422862

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
A-Media O-Uncommon Most users are unlikely to come across this or unexpected workflow S-Minor Impairs non-critical functionality or suitable workarounds exist T-Defect X-Regression
Projects
None yet
Development

No branches or pull requests

5 participants