'Re: [webkit-dev] Implementing OffscreenCanvas'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       webkit-dev
Subject:    Re: [webkit-dev] Implementing OffscreenCanvas
From:       Maciej Stachowiak <mjs () apple ! com>
Date:       2019-10-10 16:42:06
Message-ID: 3CD5DF0F-F3D2-4E78-B383-754633AC9E30 () apple ! com
[Download RAW message or body]

For clarity, it's already possible to render to a regular canvas offscreen. The \
<canvas> can be hidden using any of the techniques that can make any other canvas \
invisible. Name notwithstanding, OffscreenCanvas is mainly about being able to render \
from a Worker, not about enabling rendering offscreen.

Thus, I would not expect it to make it easier to invisibly fingerprint using canvas.

> On Oct 10, 2019, at 9:32 AM, Chris Lord <clord@igalia.com> wrote:
> 
> Hi John,
> 
> I don't know what the current state is of counter-measures for such an
> attack, but I don't immediately imagine OffscreenCanvas would make them
> more effective. The patch series doesn't add any new rendering paths, so
> whatever was possible before will likely still be possible and whatever
> wasn't will hopefully still not be possible. That said, I'll look into
> this and discuss it with some people that will know better than me and
> try to get a better picture.
> 
> Thanks,
> 
> Chris
> 
> On 2019-10-10 17:32, John Wilander wrote:
> > Hi Chris!
> > 
> > Canvas is a very popular GPU fingerprinting vector and allowing it
> > offscreen sounds like a more convenient way to perform such an attack
> > on user privacy. Do you know if Blink or Gecko have elaborated on
> > this? What is your assessment?
> > 
> > Given the cross-engine effort to fight device fingerprinting and
> > WebKit and Gecko's recently published tracking prevention policies, we
> > should do a threat analysis of this feature.
> > 
> > Regards, John
> > 
> > > On Oct 10, 2019, at 4:24 AM, Chris Lord <clord@igalia.com> wrote:
> > > 
> > > Hi all,
> > > 
> > > I've spent the last month or so 'finishing' the implementation of
> > > OffscreenCanvas[1], based on Žan Doberšek's work from a year ago[2].
> > > OffscreenCanvas is an API for being able to use canvas drawing without a
> > > visible canvas, and from within Workers. It's supported by Blink and has
> > > partial support in Gecko.
> > > 
> > > It's at the point now where I'd consider it a finished draft - it is
> > > almost fully implemented and passes the majority of relevant tests in a
> > > debug build without crashing, but has some areas that need completion on
> > > other platforms (async drawing on non-Linux) and some missing parts (Web
> > > Inspector, ImageBitmapRenderingContext). It almost certainly needs
> > > reworking in places.
> > > 
> > > My work is on GitHub[3] - I'd like to solicit reviews and comment. Some
> > > of the bugs hanging off [2] have patches that need review and I think
> > > are near ready to being landable as the foundation of this work. It is
> > > broadly split up like so:
> > > 
> > > - Refactor to move functionality from HTMLCanvasElement to CanvasBase
> > > - Refactor to not unnecessarily require HTMLCanvasElement in places
> > > - Implement OffscreenCanvas functionality
> > > - Make font loading/styling usable from a Worker and without a Document
> > > - Implement AnimationFrameProvider on DedicatedWorkerGlobalScope
> > > - Implement asynchronous drawing updates on placeholder canvases
> > > 
> > > I expect the font-related stuff to be the most contentious, and my
> > > AnimationFrameProvider implementation may be too trivial (but might be
> > > ok for a first go?)
> > > 
> > > All feedback appreciated. Best regards,
> > > 
> > > Chris
> > > 
> > > [1]
> > > https://html.spec.whatwg.org/multipage/canvas.html#the-offscreencanvas-interface
> > >  [2] https://bugs.webkit.org/show_bug.cgi?id=183720
> > > [3] https://github.com/Cwiiis/webkit/tree/offscreen-canvas
> > > _______________________________________________
> > > webkit-dev mailing list
> > > webkit-dev@lists.webkit.org
> > > https://lists.webkit.org/mailman/listinfo/webkit-dev
> _______________________________________________
> webkit-dev mailing list
> webkit-dev@lists.webkit.org
> https://lists.webkit.org/mailman/listinfo/webkit-dev

_______________________________________________
webkit-dev mailing list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev

[prev in list] [next in list] [prev in thread] [next in thread] 