Hi Chris! Canvas is a very popular GPU fingerprinting vector and allowing it offscreen sounds like a more convenient way to perform such an attack on user privacy. Do you know if Blink or Gecko have elaborated on this? What is your assessment?
Given the cross-engine effort to fight device fingerprinting and WebKit and Gecko’s recently published tracking prevention policies, we should do a threat analysis of this feature. Regards, John > On Oct 10, 2019, at 4:24 AM, Chris Lord <cl...@igalia.com> wrote: > > Hi all, > > I've spent the last month or so 'finishing' the implementation of > OffscreenCanvas[1], based on Žan Doberšek's work from a year ago[2]. > OffscreenCanvas is an API for being able to use canvas drawing without a > visible canvas, and from within Workers. It's supported by Blink and has > partial support in Gecko. > > It's at the point now where I'd consider it a finished draft - it is > almost fully implemented and passes the majority of relevant tests in a > debug build without crashing, but has some areas that need completion on > other platforms (async drawing on non-Linux) and some missing parts (Web > Inspector, ImageBitmapRenderingContext). It almost certainly needs > reworking in places. > > My work is on GitHub[3] - I'd like to solicit reviews and comment. Some > of the bugs hanging off [2] have patches that need review and I think > are near ready to being landable as the foundation of this work. It is > broadly split up like so: > > - Refactor to move functionality from HTMLCanvasElement to CanvasBase > - Refactor to not unnecessarily require HTMLCanvasElement in places > - Implement OffscreenCanvas functionality > - Make font loading/styling usable from a Worker and without a Document > - Implement AnimationFrameProvider on DedicatedWorkerGlobalScope > - Implement asynchronous drawing updates on placeholder canvases > > I expect the font-related stuff to be the most contentious, and my > AnimationFrameProvider implementation may be too trivial (but might be > ok for a first go?) > > All feedback appreciated. Best regards, > > Chris > > [1] > https://html.spec.whatwg.org/multipage/canvas.html#the-offscreencanvas-interface > [2] https://bugs.webkit.org/show_bug.cgi?id=183720 > [3] https://github.com/Cwiiis/webkit/tree/offscreen-canvas > _______________________________________________ > webkit-dev mailing list > webkit-dev@lists.webkit.org > https://lists.webkit.org/mailman/listinfo/webkit-dev _______________________________________________ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev
