Bug 1376865 Automatically decline the canvas permission if it is not in response to user input r=baku

The canvas prompt is extremely annoying. It happens everyone, automatically. And in 99.9% (not scientific) of cases it is not triggered by user input, but my automatic tracking scripts. This commit will automatically decline the canvas read if it was not triggered by user input. Just in case this breaks something irrepairably, we have a cutoff pref. We don't intend to keep this pref forever, and have asked anyone who sets it to tell us why. MozReview-Commit-ID: CxNkuraRWpV --HG-- extra : rebase_source : 12cfc94cecbd378c0859ae50066c6338bcaa6692
2018-02-17 13:53:05 -06:00 · 2018-02-17 13:53:05 -06:00 · f98bfacba8
--- a/dom/base/DOMPrefsInternal.h
+++ b/dom/base/DOMPrefsInternal.h
@ -38,6 +38,7 @@ DOM_PREF(WebkitBlinkDirectoryPickerEnabled, "dom.webkitBlink.dirPicker.enabled")
 DOM_PREF(NetworkInformationEnabled, "dom.netinfo.enabled")
 DOM_PREF(FetchObserverEnabled, "dom.fetchObserver.enabled")
 DOM_PREF(ResistFingerprintingEnabled, "privacy.resistFingerprinting")
+DOM_PREF(EnableAutoDeclineCanvasPrompts, "privacy.resistFingerprinting.autoDeclineNoUserInputCanvasPrompts")
 DOM_PREF(DevToolsEnabled, "devtools.enabled")
 DOM_PREF(PerformanceObserverEnabled, "dom.enable_performance_observer")

--- a/dom/canvas/CanvasUtils.cpp
+++ b/dom/canvas/CanvasUtils.cpp
@ -13,6 +13,7 @@
 #include "nsIHTMLCollection.h"
 #include "mozilla/dom/HTMLCanvasElement.h"
 #include "mozilla/dom/TabChild.h"
+#include "mozilla/EventStateManager.h"
 #include "nsIPrincipal.h"

 #include "nsGfxCIID.h"
@ -140,8 +141,23 @@ bool IsImageExtractionAllowed(nsIDocument *aDocument, JSContext *aCx)
    }

    // At this point, permission is unknown (nsIPermissionManager::UNKNOWN_ACTION).
+
+    // Check if the request is in response to user input
+    if (DOMPrefs::EnableAutoDeclineCanvasPrompts() && !EventStateManager::IsHandlingUserInput()) {
+        nsAutoCString message;
+        message.AppendPrintf("Blocked %s in page %s from extracting canvas data because no user input was detected.",
+                             docURISpec.get(), topLevelDocURISpec.get());
+        if (isScriptKnown) {
+            message.AppendPrintf(" %s:%u.", scriptFile.get(), scriptLine);
+        }
+        nsContentUtils::LogMessageToConsole(message.get());
+
+        return false;
+    }
+
+    // It was in response to user input, so log and display the prompt.
    nsAutoCString message;
-    message.AppendPrintf("Blocked %s in page %s from extracting canvas data.",
+    message.AppendPrintf("Blocked %s in page %s from extracting canvas data, but prompting the user.",
                         docURISpec.get(), topLevelDocURISpec.get());
    if (isScriptKnown) {
        message.AppendPrintf(" %s:%u.", scriptFile.get(), scriptLine);
--- a/dom/ipc/ContentPrefs.cpp
+++ b/dom/ipc/ContentPrefs.cpp
@ -292,6 +292,7 @@ const char* mozilla::dom::ContentPrefs::gEarlyPrefs[] = {
  "privacy.firstparty.isolate.restrict_opener_access",
  "privacy.reduceTimerPrecision",
  "privacy.resistFingerprinting",
+  "privacy.resistFingerprinting.autoDeclineNoUserInputCanvasPrompts",
  "privacy.resistFingerprinting.reduceTimerPrecision.microseconds",
  "privacy.resistFingerprinting.target_video_res",
  "privacy.resistFingerprinting.video_dropped_ratio",
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@ -1413,6 +1413,12 @@ pref("privacy.firstparty.isolate",                        false);
 pref("privacy.firstparty.isolate.restrict_opener_access", true);
 // Anti-fingerprinting, disabled by default
 pref("privacy.resistFingerprinting", false);
+// We automatically decline canvas permission requests if they are not initiated
+// from user input. Just in case that breaks something, we allow the user to revert
+// this behaior with this obscure pref. We do not intend to support this long term.
+// If you do set it, to work around some broken website, please file a bug with
+// information so we can understand why it is needed.
+pref("privacy.resistFingerprinting.autoDeclineNoUserInputCanvasPrompts", true);
 // A subset of Resist Fingerprinting protections focused specifically on timers for testing
 // This affects the Animation API, the performance APIs, Date.getTime, Event.timestamp,
 //   File.lastModified, audioContext.currentTime, canvas.captureStream.currentTime