For clarity, it’s already possible to render to a regular canvas offscreen. The <canvas> can be hidden using any of the techniques that can make any other canvas invisible. Name notwithstanding, OffscreenCanvas is mainly about being able to render from a Worker, not about enabling rendering offscreen.
Thus, I would not expect it to make it easier to invisibly fingerprint using canvas. > On Oct 10, 2019, at 9:32 AM, Chris Lord <cl...@igalia.com> wrote: > > Hi John, > > I don't know what the current state is of counter-measures for such an > attack, but I don't immediately imagine OffscreenCanvas would make them > more effective. The patch series doesn't add any new rendering paths, so > whatever was possible before will likely still be possible and whatever > wasn't will hopefully still not be possible. That said, I'll look into > this and discuss it with some people that will know better than me and > try to get a better picture. > > Thanks, > > Chris > > On 2019-10-10 17:32, John Wilander wrote: >> Hi Chris! >> >> Canvas is a very popular GPU fingerprinting vector and allowing it >> offscreen sounds like a more convenient way to perform such an attack >> on user privacy. Do you know if Blink or Gecko have elaborated on >> this? What is your assessment? >> >> Given the cross-engine effort to fight device fingerprinting and >> WebKit and Gecko’s recently published tracking prevention policies, we >> should do a threat analysis of this feature. >> >> Regards, John >> >>> On Oct 10, 2019, at 4:24 AM, Chris Lord <cl...@igalia.com> wrote: >>> >>> Hi all, >>> >>> I've spent the last month or so 'finishing' the implementation of >>> OffscreenCanvas[1], based on Žan Doberšek's work from a year ago[2]. >>> OffscreenCanvas is an API for being able to use canvas drawing without a >>> visible canvas, and from within Workers. It's supported by Blink and has >>> partial support in Gecko. >>> >>> It's at the point now where I'd consider it a finished draft - it is >>> almost fully implemented and passes the majority of relevant tests in a >>> debug build without crashing, but has some areas that need completion on >>> other platforms (async drawing on non-Linux) and some missing parts (Web >>> Inspector, ImageBitmapRenderingContext). It almost certainly needs >>> reworking in places. >>> >>> My work is on GitHub[3] - I'd like to solicit reviews and comment. Some >>> of the bugs hanging off [2] have patches that need review and I think >>> are near ready to being landable as the foundation of this work. It is >>> broadly split up like so: >>> >>> - Refactor to move functionality from HTMLCanvasElement to CanvasBase >>> - Refactor to not unnecessarily require HTMLCanvasElement in places >>> - Implement OffscreenCanvas functionality >>> - Make font loading/styling usable from a Worker and without a Document >>> - Implement AnimationFrameProvider on DedicatedWorkerGlobalScope >>> - Implement asynchronous drawing updates on placeholder canvases >>> >>> I expect the font-related stuff to be the most contentious, and my >>> AnimationFrameProvider implementation may be too trivial (but might be >>> ok for a first go?) >>> >>> All feedback appreciated. Best regards, >>> >>> Chris >>> >>> [1] >>> https://html.spec.whatwg.org/multipage/canvas.html#the-offscreencanvas-interface >>> [2] https://bugs.webkit.org/show_bug.cgi?id=183720 >>> [3] https://github.com/Cwiiis/webkit/tree/offscreen-canvas >>> _______________________________________________ >>> webkit-dev mailing list >>> webkit-dev@lists.webkit.org >>> https://lists.webkit.org/mailman/listinfo/webkit-dev > _______________________________________________ > webkit-dev mailing list > webkit-dev@lists.webkit.org > https://lists.webkit.org/mailman/listinfo/webkit-dev _______________________________________________ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev
