From f98bfacba864496b7601d9dce38208b73f2c7b5c Mon Sep 17 00:00:00 2001
From: Tom Ritter <tom@mozilla.com>
Date: Sat, 17 Feb 2018 13:53:05 -0600
Subject: [PATCH] Bug 1376865 Automatically decline the canvas permission if it
 is not in response to user input r=baku

The canvas prompt is extremely annoying. It happens everyone, automatically. And in
99.9% (not scientific) of cases it is not triggered by user input, but my automatic
tracking scripts.

This commit will automatically decline the canvas read if it was not triggered by
user input.

Just in case this breaks something irrepairably, we have a cutoff pref.

We don't intend to keep this pref forever, and have asked anyone who sets it to
tell us why.

MozReview-Commit-ID: CxNkuraRWpV

--HG--
extra : rebase_source : 12cfc94cecbd378c0859ae50066c6338bcaa6692
---
 dom/base/DOMPrefsInternal.h |  1 +
 dom/canvas/CanvasUtils.cpp  | 18 +++++++++++++++++-
 dom/ipc/ContentPrefs.cpp    |  1 +
 modules/libpref/init/all.js |  6 ++++++
 4 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/dom/base/DOMPrefsInternal.h b/dom/base/DOMPrefsInternal.h
index 94d6a1073141..c539e7f73c7a 100644
--- a/dom/base/DOMPrefsInternal.h
+++ b/dom/base/DOMPrefsInternal.h
@@ -38,6 +38,7 @@ DOM_PREF(WebkitBlinkDirectoryPickerEnabled, "dom.webkitBlink.dirPicker.enabled")
 DOM_PREF(NetworkInformationEnabled, "dom.netinfo.enabled")
 DOM_PREF(FetchObserverEnabled, "dom.fetchObserver.enabled")
 DOM_PREF(ResistFingerprintingEnabled, "privacy.resistFingerprinting")
+DOM_PREF(EnableAutoDeclineCanvasPrompts, "privacy.resistFingerprinting.autoDeclineNoUserInputCanvasPrompts")
 DOM_PREF(DevToolsEnabled, "devtools.enabled")
 DOM_PREF(PerformanceObserverEnabled, "dom.enable_performance_observer")
 
diff --git a/dom/canvas/CanvasUtils.cpp b/dom/canvas/CanvasUtils.cpp
index 0cadb9ac6974..0a8d7f0e2e59 100644
--- a/dom/canvas/CanvasUtils.cpp
+++ b/dom/canvas/CanvasUtils.cpp
@@ -13,6 +13,7 @@
 #include "nsIHTMLCollection.h"
 #include "mozilla/dom/HTMLCanvasElement.h"
 #include "mozilla/dom/TabChild.h"
+#include "mozilla/EventStateManager.h"
 #include "nsIPrincipal.h"
 
 #include "nsGfxCIID.h"
@@ -140,8 +141,23 @@ bool IsImageExtractionAllowed(nsIDocument *aDocument, JSContext *aCx)
     }
 
     // At this point, permission is unknown (nsIPermissionManager::UNKNOWN_ACTION).
+
+    // Check if the request is in response to user input
+    if (DOMPrefs::EnableAutoDeclineCanvasPrompts() && !EventStateManager::IsHandlingUserInput()) {
+        nsAutoCString message;
+        message.AppendPrintf("Blocked %s in page %s from extracting canvas data because no user input was detected.",
+                             docURISpec.get(), topLevelDocURISpec.get());
+        if (isScriptKnown) {
+            message.AppendPrintf(" %s:%u.", scriptFile.get(), scriptLine);
+        }
+        nsContentUtils::LogMessageToConsole(message.get());
+
+        return false;
+    }
+
+    // It was in response to user input, so log and display the prompt.
     nsAutoCString message;
-    message.AppendPrintf("Blocked %s in page %s from extracting canvas data.",
+    message.AppendPrintf("Blocked %s in page %s from extracting canvas data, but prompting the user.",
                          docURISpec.get(), topLevelDocURISpec.get());
     if (isScriptKnown) {
         message.AppendPrintf(" %s:%u.", scriptFile.get(), scriptLine);
diff --git a/dom/ipc/ContentPrefs.cpp b/dom/ipc/ContentPrefs.cpp
index 996bff9eac02..b44eac080ed2 100644
--- a/dom/ipc/ContentPrefs.cpp
+++ b/dom/ipc/ContentPrefs.cpp
@@ -292,6 +292,7 @@ const char* mozilla::dom::ContentPrefs::gEarlyPrefs[] = {
   "privacy.firstparty.isolate.restrict_opener_access",
   "privacy.reduceTimerPrecision",
   "privacy.resistFingerprinting",
+  "privacy.resistFingerprinting.autoDeclineNoUserInputCanvasPrompts",
   "privacy.resistFingerprinting.reduceTimerPrecision.microseconds",
   "privacy.resistFingerprinting.target_video_res",
   "privacy.resistFingerprinting.video_dropped_ratio",
diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js
index 21edf6e72e78..71ccf067409b 100644
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -1413,6 +1413,12 @@ pref("privacy.firstparty.isolate",                        false);
 pref("privacy.firstparty.isolate.restrict_opener_access", true);
 // Anti-fingerprinting, disabled by default
 pref("privacy.resistFingerprinting", false);
+// We automatically decline canvas permission requests if they are not initiated
+// from user input. Just in case that breaks something, we allow the user to revert
+// this behaior with this obscure pref. We do not intend to support this long term.
+// If you do set it, to work around some broken website, please file a bug with
+// information so we can understand why it is needed.
+pref("privacy.resistFingerprinting.autoDeclineNoUserInputCanvasPrompts", true);
 // A subset of Resist Fingerprinting protections focused specifically on timers for testing
 // This affects the Animation API, the performance APIs, Date.getTime, Event.timestamp,
 //   File.lastModified, audioContext.currentTime, canvas.captureStream.currentTime