Firefox to Block Canvas-based Browser Fingerprinting

Firefox will soon provide users with increased privacy by blocking browser fingerprinting performed through the HTML5 canvas element.

With the release of Firefox 58, users will have the option to block websites’ requests to retrieve information through canvas, which is currently used as a cookie-less method of tracking users on the web. Websites using this technique extract data from HTML <canvas> elements silently.

Once the change takes effect, Firefox will behave similarly to the Tor Browser, which is based on Firefox ESR (Extended Support Release). Tor implemented the feature about four years ago.

According to a discussion on the Mozilla bug tracker, Firefox 58 should display a popup when accessing a website that attempts to use an HTML <canvas> element to extract information, just as Tor does in such situations. Users will have the option to block the site’s request.

As Sophos notes, many companies are using browser fingerprinting as a means to track users online without providing them with a choice. The technique involves tracking the browser itself rather than cookies or other beacons, which can be blocked or deleted.

The fingerprinting operation usually involves passively gathering information such as browser version number, operating system details, screen resolution, language, installed plugins and fonts, and the like. The more elements are used for fingerprinting, the easier it is to single out one’s browser from another user’s, the security firm points out.

“In canvas fingerprinting your browser is given instructions to render something (perhaps a combination of words and pictures) on a hidden canvas element. The resulting image is extracted from the canvas and passed through a hashing function, producing an ID,” Sophos explains.

By providing complex instructions, one can produce enough variation between visitors to ensure canvas fingerprinting is highly efficient. The information gathered this way can be shared among advertising partners and used for the profiling of users based on the affiliated websites they visit.
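The draw, extract and hash sequence described above, and a per-origin gate on the extraction step of the kind the article says Firefox will offer, shown as an added example that is not code from Mozilla, Tor or Sophos. It runs under Node against a stand-in canvas; `FakeCanvas`, `guardCanvasReadback`, the `decide` callback, the blank placeholder and the sample strings are all assumptions made for illustration.

```javascript
// Added example: names (guardCanvasReadback, FakeCanvas, decide) are hypothetical.
// Stand-in for HTMLCanvasElement so this runs under Node without a DOM. "stack"
// models per-machine rendering differences that make extracted pixels vary.
class FakeCanvas {
  constructor(stack) { this.stack = stack; this.ops = []; }
  fillText(text) { this.ops.push(text); }
  toDataURL() {
    const pixels = this.stack + "|" + this.ops.join("|");
    return "data:image/png;base64," + Buffer.from(pixels).toString("base64");
  }
}

// Small non-cryptographic hash (FNV-1a, 32-bit) standing in for "a hashing function".
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h = Math.imul(h ^ str.charCodeAt(i), 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// The draw / extract / hash sequence from the Sophos description (constructed text).
function siteFingerprint(canvas) {
  canvas.fillText("constructed test string 123");
  return fnv1a(canvas.toDataURL());
}

const BLANK = "data:,"; // constant returned to blocked callers (design choice here)

// Gate readback only: drawing still works, but every extraction attempt is
// logged and needs a per-origin decision, asked once and then remembered.
function guardCanvasReadback(proto, getOrigin, decide, log) {
  const original = proto.toDataURL;
  const decisions = new Map();
  proto.toDataURL = function (...args) {
    const origin = getOrigin();
    if (!decisions.has(origin)) decisions.set(origin, decide(origin));
    const verdict = decisions.get(origin);
    log.push({ origin, verdict });
    // A blocked site gets the same bytes from every visitor, so its hash
    // no longer distinguishes one browser from another.
    return verdict === "allow" ? original.apply(this, args) : BLANK;
  };
  return () => { proto.toDataURL = original; }; // call to remove the guard
}
```

In a browser the same wrapper would be applied to `HTMLCanvasElement.prototype`, and a complete gate would also have to cover the other readback paths, `toBlob` and the 2D context's `getImageData`.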

While Firefox will become the first major browser to take a stance against canvas-based fingerprinting, add-ons that allow users to block this activity already exist, such as Electronic Frontier Foundation’s Privacy Badger.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
