Firefox to Block User Tracking via HTML5 Canvas

Mozilla developers have decided to bring one of Tor Browser’s security features to Firefox. Starting with version 58, Firefox will block user tracking through HTML5 Canvas elements.

Tracking via Canvas has become quite popular in recent years, especially after European website operators were required to display cookie usage warnings to users. Since Canvas tracking does not store anything in the user’s browser, it is much harder to counter.

This type of tracking works very simply. A hidden iframe is added to the page containing a Canvas HTML tag, prompting the user’s browser to render a series of elements and text. The resulting image is then converted into a hash. Because each computer and browser renders the element slightly differently, advertising networks have long used this method for fingerprinting. You can read more about this in a 2012 report (PDF).

Tor Browser addressed this issue long ago by simply blocking Canvas data for all sites. If a website requests access to Canvas, the user is shown a dialog box where they can allow or deny the operation.

Now, according to the Mozilla bug tracker, a similar mechanism will appear in Firefox 58, which is scheduled for release in January 2018. If a site wants to extract data from an HTML <canvas> element, the user will need to grant permission, just like when a site requests access to the microphone or camera.