Skip to content
This repository has been archived by the owner on Dec 11, 2019. It is now read-only.

add CanvasRenderingContext2D.prototype.isPointInPath and 4 other meth… #11140

Merged
merged 1 commit into from
Sep 26, 2017
Merged

add CanvasRenderingContext2D.prototype.isPointInPath and 4 other meth… #11140

merged 1 commit into from
Sep 26, 2017

Conversation

pes10k
Copy link
Contributor

@pes10k pes10k commented Sep 25, 2017

Fixes #10288

This change would block the following 5 methods (presented below, with brief motivation for each). Numbers for feature use / tracking use are taken from https://www.cs.uic.edu/%7Epsnyder/static/papers/Browser_Feature_Usage_on_the_Modern_Web.pdf

I've added a link to this paper in the FP part of the wiki, along with a description of the SVG related methods. I did not further discuss the canvas and WebGL related methods, since they're already mentioned.

CanvasRenderingContext2D.prototype.isPointInPath

  • Is used in popular live, popular fingerprinting code
  • Is infrequently used on the web (was observed on only 166 sites in the Alexa 10k)
  • Is frequently blocked by anti-tracking tools (in the presence of Ghostery, it is only seen on 28 sites in the Alexa 10k, suggesting its used for tracking 83% of the time)

WebGLRenderingContext.prototype.getUniformLocation and WebGLRenderingContext.prototype.getAttribLocation

  • Are used in popular live, popular fingerprinting code, (here and here, for example)
  • Are infrequently used on the web (was observed on only 255 and 250 sites in the Alexa 10k, respectivly)
  • Are frequently blocked by anti-tracking tools (in the presence of Ghostery, it is only seen on 44 and sites in the Alexa 10k, suggesting its used for tracking 82.75% and 82.4% of the time)
  • Non-obvious use case (e.x.: its not obvious to see why you'd need to query these parameters out of the context, if you'd already set them)

SVGPathElement.prototype.getTotalLength

  • Anecdotally Used in ways similar to canvas finger printing (font enumeration, getting subtle differences in rendering between platforms)
  • Very infrequently used on the web (observed on 140 of the Alexa 10k)
  • Very frequently associated with tracking (use goes down to only 2 sites, or a 98.57% reduction, in the presence of Ghostery)

SVGTextContentElement.prototype.getComputedTextLength

  • Anecdotally Used in ways similar to canvas finger printing (font enumeration, getting subtle differences in rendering between platforms)
  • Extremely associated with tracking (use goes from 1003 sites in the Alexa 10k, to 1, or a 99.9% reduction, in the presence of Ghostery)
@codecov-io
Copy link

codecov-io commented Sep 25, 2017
edited
Loading

Codecov Report

Merging #11140 into master will decrease coverage by 0.04%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master   #11140      +/-   ##
==========================================
- Coverage   53.46%   53.41%   -0.05%     
==========================================
  Files         251      251              
  Lines       21771    21771              
  Branches     3407     3407              
==========================================
- Hits        11639    11630       -9     
- Misses      10132    10141       +9
Flag Coverage Δ
#unittest 53.41% <ø> (-0.05%) ⬇️
Impacted Files Coverage Δ
js/stores/appStoreRenderer.js 91.17% <0%> (-8.83%) ⬇️
app/renderer/components/reduxComponent.js 84.37% <0%> (-6.25%) ⬇️
js/stores/windowStore.js 27.45% <0%> (-0.31%) ⬇️
@diracdeltas diracdeltas self-requested a review September 26, 2017 01:34
@diracdeltas diracdeltas added this to the 0.21.x (Nightly Channel) milestone Sep 26, 2017
diracdeltas
diracdeltas approved these changes Sep 26, 2017
View reviewed changes
Copy link
Member

@diracdeltas diracdeltas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm! the proxy fingerprinting and device enumeration tests are failing but they also fail on master
@diracdeltas diracdeltas merged commit f49c1a6 into brave:master Sep 26, 2017
@luixxiul
Copy link
Contributor

do we need QA on this?
@luixxiul luixxiul added the needs-info Another team member needs information from the PR/issue opener. label Sep 26, 2017
@diracdeltas
Copy link
Member

do we need QA on this?

unless @snyderp has example sites that use these methods, nope
@bsclifton bsclifton added QA/no-qa-needed release-notes/include and removed needs-info Another team member needs information from the PR/issue opener. labels Sep 26, 2017
@bbondy bbondy modified the milestones: 0.21.x (Developer Channel), 0.20.x (Beta Channel) Oct 25, 2017
@luixxiul luixxiul mentioned this pull request Oct 30, 2017
Closed
@diracdeltas
Copy link
Member

i'm going to lift this into 0.19.x hotfix 6 because it's unlikely to break anything and also it solves merge conflict with #11784
@diracdeltas diracdeltas modified the milestones: 0.20.x (Beta Channel), 0.19.x Hotfix 6 (Release channel) Nov 20, 2017
diracdeltas added a commit that referenced this pull request Nov 20, 2017
@diracdeltas
Merge pull request #11140 from snyderp/10288-block-more-fp-methods
14ef118 
add CanvasRenderingContext2D.prototype.isPointInPath and 4 other meth…
@diracdeltas
Copy link
Member

0.19.x: 14ef118
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
feature/shields QA/no-qa-needed
8 participants
@pes10k @codecov-io @luixxiul @diracdeltas @bbondy @kjozwiak @bsclifton @psnyde2