Restore canvas fingerprinting detection on Firefox #1520

Closed
wants to merge 2 commits into from


cowlicks
Contributor

@cowlicks cowlicks commented Jul 20, 2017

I also changed this so it would be injected with a script tag. Otherwise it was violating some sites' CSP on Firefox.

Test it out on http://www.gettvstreamnow.com/

If that goes down try other sites from https://publicwww.com/websites/%22fingerprint2.min.js%22/

Closes #1158.

Member

@ghostwords ghostwords left a comment


Could you rebase out the refactor? There are reasons for injecting the script the way it's injected now: ghostwords/chameleon@18b5771. If there are problems with this method, let's open a new issue to investigate.

@ghostwords
Member

ghostwords commented Jul 20, 2017

Could you specify the tickets being closed in the description of the issue instead of the subject? Even if it works in the subject, it's less usable (can't click on it, makes the subject harder to read).

Edit: It may not actually work either ... I don't see issue 1158 get updated with a link back to here.

@cowlicks
Contributor Author

@ghostwords done

@ghostwords ghostwords changed the title from "Restore canvas fingerprinting detection on Firefox closes #1158" to "Restore canvas fingerprinting detection on Firefox closes" Jul 20, 2017
@ghostwords ghostwords changed the title from "Restore canvas fingerprinting detection on Firefox closes" to "Restore canvas fingerprinting detection on Firefox" Jul 20, 2017
@ghostwords
Member

ghostwords commented Jul 20, 2017

Have you seen my comments regarding reviewing our original implementation in Privacy Badger for Firefox, and OpenWPM's implementation (based on ours but updated since)?

@ghostwords
Member

ghostwords commented Jul 20, 2017

This needs a suite of unit tests for verifying extracting the script origin from the stack trace. For example, see openwpm/OpenWPM@3276219.

Edit: Oops, that's not a unit test in the linked commit, that's a Selenium-powered functional test.

@ghostwords
Member

To clarify my request to review our previous Firefox implementation, and OpenWPM's implementation: I think it makes more sense to start with road-tested code, instead of writing a new implementation from scratch.

@ghostwords
Member

The current Chrome stack trace API-based approach has some issues in Chrome (ghostwords/chameleon@ece9f43), but that's OK, we can document them via unit tests.

@ghostwords
Member

Finally, we should follow up this work with adding a functional test for canvas fingerprinting detection: #1268.

@cowlicks
Contributor Author

There is no simple way of adding unit tests for this since the function is contained in a string that gets injected. I could write some readily if the code was injected in a script tag. This would also avoid the need for more elaborate functional tests. You might recall this was the same issue that we had with the Twitter t.co pull request. Also there are no pre-existing unit tests.

FWIW pbtest.org already includes a test for canvas fingerprinting. This passes that test.

I tested this manually, and compared results. It has worked great so far.

I looked at the other implementations, I didn't see anything obvious worth using. They are collecting a lot more information, so their code is a lot more complex.

There might be an issue when the stack trace is too short. I'll check for that and get back to you.

@ghostwords
Member

Instead of unit tests, we could also make a number of HTML page fixtures sourcing a canvas fingerprinting script in a bunch of different ways (which we would get from real life canvas fingerprinting examples, should be able to get a few from OpenWPM studies and other research, I have some bookmarked), and test that we detect canvas fingerprinting successfully from each of them.

By "sourcing in different ways", I mean via a plain script tag, via eval (jQuery-loaded example of a font enumeration script here, I recall; we should fail this one with production code now), ... This will satisfy testing for different kinds of stack traces in particular, and testing for canvas fingerprinting working correctly in general. We don't have to come up with every possible way scripts get injected now, just a couple to start with.

This is indeed similar to testing t.co unwrapping (#1392) since we are dealing with content scripts interacting with Web pages. Unit tests might just be a poor fit for verifying these sorts of complex interactions.
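
An added example, not part of this thread and not Privacy Badger's or OpenWPM's code: extracting the calling script's URL and origin from Chrome- and Firefox-style stack strings, covering script-tag and eval-loaded scripts and the too-short stack case raised above. The function names, the `skip` parameter, the hosts and every stack string are assumptions constructed for illustration.

```javascript
// Added example; not Privacy Badger's or OpenWPM's code.
// Return the http(s) URL in one stack frame line, without trailing :line:col.
function frameUrl(line) {
  const m = /https?:\/\/[^\s)]+/.exec(line);
  return m ? m[0].replace(/(:\d+){1,2}$/, "") : null;
}

// Keep only frame lines: V8 frames start with "at ", SpiderMonkey frames
// contain "@". This drops V8's leading "Error" header line.
function frames(stack) {
  return String(stack || "").split("\n").map((l) => l.trim())
    .filter((l) => l.startsWith("at ") || l.includes("@"));
}

// skip: number of leading frames that belong to the instrumentation itself
// (an assumption of this example). Returns null when the stack is too short
// or the calling frame carries no URL (native or anonymous code).
function callerScriptUrl(stack, skip = 1) {
  const f = frames(stack);
  return f.length > skip ? frameUrl(f[skip]) : null;
}

function callerOrigin(stack, skip = 1) {
  const url = callerScriptUrl(stack, skip);
  return url ? new URL(url).origin : null;
}

// Constructed sample stacks (hypothetical hosts), one per loading style.
const HOOK = "https://site.example/inject.js:3:15";
const SAMPLES = {
  chromeScriptTag: "Error\n    at HTMLCanvasElement.hook (" + HOOK + ")\n" +
    "    at getFp (https://cdn.example/fingerprint2.min.js:1:2048)\n" +
    "    at https://site.example/index.html:12:5",
  firefoxScriptTag: "hook@" + HOOK + "\n" +
    "getFp@https://cdn.example/fingerprint2.min.js:1:2048\n" +
    "@https://site.example/index.html:12:5",
  chromeEval: "Error\n    at HTMLCanvasElement.hook (" + HOOK + ")\n" +
    "    at eval (eval at load (https://cdn.example:8443/loader.js:5:1), <anonymous>:1:1)",
  firefoxEval: "hook@" + HOOK + "\n" +
    "@https://cdn.example:8443/loader.js line 5 > eval:1:1",
  tooShort: "Error\n    at HTMLCanvasElement.hook (" + HOOK + ")",
};

for (const [name, stack] of Object.entries(SAMPLES)) {
  console.log(name, "->", callerOrigin(stack));
}
```

For the eval samples, both stack formats name the script that called `eval`, so that is the URL this parser returns.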

@ghostwords
Member

Replaced by #1678.

@ghostwords ghostwords closed this Sep 18, 2017

2 participants