WordPress.org

Ideas

Prevent WordPress websites from performing HTML5 canvas fingerprinting

  1. nzflagmaven
    Member

    By default, WordPress-based websites apparently attempt to extract HTML5 canvas image data, which may be used to uniquely identify visitors' computers, assuming that Tor browser warnings are correct. For the benefit of WordPress-based website owners who truly respect the privacy and anonymity of their visitors, how about making an 'off' switch for canvas fingerprinting? Just because the European Union General Data Privacy Regulation (GDPR) has thus far overlooked this privacy issue is no reason to perpetuate the problem in WordPress-based websites.

    Posted: 5 months ago #
  2. Ipstenu (Mika Epstein)
    Administrator

    Isn't that just how HTML works? That is, it's not WP doing anything special here.

    Posted: 5 months ago #
  3. nzflagmaven
    Member

    If your dismissive statements were accurate, an error message would be returned for every website visited using Tor browser. Rather than rubbishing the suggestion out-of-hand, perhaps you could invest in a modicum of research on 'canvas fingerprinting'. You might also enter the URLs of a few WordPress-built websites into the security scanner at webcookies.org.

    Posted: 5 months ago #
  4. h1komma
    Member

    Since update 4.2 WordPress has a JavaScript implemented automatically in the header for recognizing the emoji abilities of each user's browser.

    Two possibilities that might stop that:

    1. WordPress -> Design -> Editor :
    edit file "functions.php" and add 2 lines:

    remove_action( 'wp_head', 'print_emoji_detection_script', 7 );
    remove_action( 'wp_print_styles', 'print_emoji_styles' );

    2. Install WordPress-Plugin "disable-emojis"

    Did the job for me.

    Posted: 5 months ago #
  5. Ipstenu (Mika Epstein)
    Administrator

    I wasn't being dismissive, I was asking since it's not my area of expertise :) You can't expect everyone to know everything.

    If WP is doing something 'extra' beyond what normal HTML does to cause this, then yes, that's an issue. This is the ideas section, so we discuss ideas and what they mean and why they're important. Cooperatively.

    Thank you, h1komma, for highlighting what's going on here.

    So the emoji code is causing HTML5 canvas image data to be automatically extracted.

    Besides disabling it, would it be possible to maybe limit that code to only handle the emojis?

    Also is there a risk that non-admins/editors would be able to insert an HTML5 canvas? That is, can anyone leaving a comment do it, or only people who can write/edit posts? That would limit the impact greatly.

    Basically, how would someone implement this on a WP site? What actually is the risk? If it's just 'an admin who doesn't know better can hurt themselves' then that's one level of security. If it's that any visitor can implement this, then it's a bigger one and we're off to Hacker One :)

    Semi-related trac ticket (which I found via a quick google)

    https://core.trac.wordpress.org/ticket/32138

    Posted: 5 months ago #
  6. nzflagmaven
    Member

    Adding the line

    remove_action( 'wp_head', 'print_emoji_detection_script', 7 );

    to the formatting.php file in the wp-includes directory is a solution, but it is one that must be reapplied after each WordPress core update, and it is not one that is available to less savvy users who cannot or who will not edit their server files.

    Torproject.org documentation states: "After plugins and plugin-provided information, we believe that the HTML5 Canvas is the single largest fingerprinting threat browsers face today."

    If extracting HTML5 image data from website visitors is not determined to be useful to the WordPress core or to certain WP plugins, that feature should be removed from future core updates.

    However, even if this breed of 'canvas fingerprinting' is useful for some WordPress users, it cannot be useful for the majority of them, and because it represents a potential privacy issue for WordPress website visitors, WordPress settings should include an 'off' switch, meaning a tick box with which it can be permanently disabled, probably by default.

    Interested parties who may still fail to grasp the significance of this issue should visit any of a number of prominent WordPress-built websites using Tor Browser, so that they can see the canvas fingerprinting warning for themselves. Such websites include https://techcrunch.com/, http://www.bbcamerica.com/, http://variety.com/, https://news.microsoft.com/, https://www.thewaltdisneycompany.com/, https://en.support.wordpress.com/, and countless others.

    At the very least pay a visit to the now three-year-old trac ticket helpfully provided above by Mika, which includes an image of the Tor Browser warning. On the eve of WordPress Gutenberg, and with the EU GDPR spotlighting Web privacy as never before, three years is an absurd length of time for an egregious WordPress privacy issue to have gone completely unaddressed.

    Posted: 5 months ago #
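
Added example, not part of the thread and not WordPress core or plugin code: the hook removal from the posts above packaged as a must-use plugin, so it survives core updates instead of living in an edited core file. The `example_emoji_*` function names and the `EXAMPLE_KEEP_EMOJI_SCRIPT` constant are hypothetical; the hook names are the core ones as of the WordPress versions discussed in this thread.

```php
<?php
/**
 * Plugin Name: Disable emoji detection (added example)
 *
 * Save as a single file under wp-content/mu-plugins/ so it is loaded on
 * every request and is not overwritten by a core update, unlike an edit
 * to a file under wp-includes/.
 */

// Off switch (hypothetical constant): define it as true in wp-config.php
// to leave core's emoji behaviour untouched.
if ( defined( 'EXAMPLE_KEEP_EMOJI_SCRIPT' ) && EXAMPLE_KEEP_EMOJI_SCRIPT ) {
	return;
}

add_action( 'init', 'example_emoji_unhook' );

function example_emoji_unhook() {
	// Front end: the inline detection script and its companion styles.
	// The priority (7) must match the one core registered the hook with.
	remove_action( 'wp_head', 'print_emoji_detection_script', 7 );
	remove_action( 'wp_print_styles', 'print_emoji_styles' );

	// Admin screens load the same script through separate hooks.
	remove_action( 'admin_print_scripts', 'print_emoji_detection_script' );
	remove_action( 'admin_print_styles', 'print_emoji_styles' );

	// Stop the visual editor from loading its emoji plugin.
	add_filter( 'tiny_mce_plugins', 'example_emoji_tinymce' );
}

function example_emoji_tinymce( $plugins ) {
	// Drop 'wpemoji' from the TinyMCE plugin list, keeping everything else.
	return is_array( $plugins ) ? array_diff( $plugins, array( 'wpemoji' ) ) : array();
}
```

To confirm it took effect, view the source of a front-end page and check that the inline `_wpemojiSettings` script is no longer in the head.
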
  7. h1komma
    Member

    Hi Ms. Epstein, now that your status has changed to Administrator, I am astonished about your posts and contributions to this serious issue. And I also found your first comment very strange.
    If it is not your area of expertise to answer the user's question, why bother? And now this second comment? What for? It just seems to distract and create confusion on the topic.

    I can only emphasize the seriousness of nzflagmaven's concerns.

    Canvas fingerprinting and its tracking abilities without cookies is alarming! It is not new at all and it IS a topic we should all get familiar with. WordPress definitely MUST check its policy towards these default preferences.

    ps: why not stop "googling" and start using alternative search engines?
    ___________________________

    nzflagmaven, you are absolutely right. The solution I offered was only one I figured out when I checked my own WordPress sites and found out that I could no longer guarantee my visitors "privacy" in spite of the fact I didn't use any cookies.

    I fear that EU GDPR in fact doesn't aim at web-privacy, as it doesn't affect the big intelligence-serving (and non-EU-based) companies like Google or Facebook. It may just be another distraction to create the illusion of privacy.

    The fact that WordPress implements canvas fingerprinting by default and hasn't been doing anything about it is dubious, to say the least.

    Posted: 5 months ago #
  8. Ipstenu (Mika Epstein)
    Administrator

    tl;dr here - I'm actually trying to make sure I send y'all to the right place to report this. Which would be that trac ticket - https://core.trac.wordpress.org/ticket/32138

    PLEASE add these concerns there! That will get the right attention. Also I recommend coming to the Slack meetings on Wednesday.

    Our core development meeting is every Wednesday at 20:00 UTC in the #core channel on Slack. - https://make.wordpress.org/chat/

    Longer answer:

    You're both laboring under a misunderstanding of what the IDEAS forum is for. It's literally for people to pitch ideas of things they feel would make WP better. And as an administrator, I'm here to help clean up spam and to direct questions like this to the most appropriate place.

    I'm not expected to be an expert in all things, I'm expected to have moderate to good communication skills and be able to understand full explanations. Which I do.

    There are hundreds of people involved in WP, we all segment out into our sections and areas of expertise. This is not weird or abnormal :)

    "If it is not your area of expertise to answer the user's question, why bother? And now this second comment? What for? It just seems to distract and create confusion on the topic."

    I'm not answering, nor attempting to. I was actually asking MORE questions to better understand the root of the issue and be able to help direct both of you to the right place to file this concern. Ideas, sadly, being the incorrect location.

    There's no automated funnel from ideas to trac (wish there was). Which means I volunteer to keep an eye on things here, figure out what the real issue is, and help people on their way to the right place.

    Which is trac in this case. That 3 year old ticket (yes, I know) would be the BEST place to bring this up again, as that is where those people who ARE experts in this area reside.

    Posted: 5 months ago #

Topic Closed

This topic has been closed to new replies.

  • Rating

    2 Votes
  • Status

    Sorry, not right now