Mozilla engineers have borrowed yet another feature from the Tor Browser and starting with version 58 Firefox will block attempts to fingerprint users using the HTML5 canvas element.

Canvas blocking is an important addition to Firefox's user privacy protection measures, as canvas fingerprinting has been used for a long time by the advertising industry to track users.

Canvas fingerprinting has become widespread in recent years

The method has become widespread in recent years after the EU has forced websites to show cookie popups. Because canvas fingerprinting doesn't need to store anything in the user's browser, there are very few legal complications that come with it and this user tracking/fingerprinting solution has become a favorite among ad networks.

Canvas fingerprinting works by loading a canvas HTML tag inside a hidden iframe and making the user's browser draw a series of elements and texts. The resulting image is converted into a file hash.

Because each computer and browser draws these elements differently, ad networks can reliably track the user's browser as he accesses various sites on the Internet. Canvas fingerprinting is described in better detail in this 2012 research paper.

Feature borrowed from the Tor Browser

The Tor Browser has fixed this problem by blocking any website from accessing canvas data by default. The Tor Browser displays the following popup every time a site wants to access the canvas element.

Tor Browser's canvas fingerprinting blocking system
Tor Browser's canvas fingerprinting blocking system

Based on an entry in the Mozilla bug tracker, engineers plan to prompt users with a site permission popup when a website wants to extract data from a < canvas > HTML element. This is similar to the permission shown when websites wish to access a user's webcam or microphone.

Firefox 58 is scheduled for release on January 16, 2018.

The second feature Firefox takes from the Tor Browser

Canvas fingerprinting blocking is the second feature Mozilla engineers have borrowed from the Tor Project. Previously, Mozilla has added a mechanism to Firefox 52 that prevents websites from fingerprinting users via system fonts.

Mozilla's efforts to harden Firefox are part of the Tor Uplift project, an initiative to import more privacy-focused feature from the Tor Browser into Firefox. The Tor Browser is based on Firefox ESR, and usually features flowed from Firefox to Tor, and not the other way around.

In August 2016, Mozilla also blocked a list of URLs known to host fingerprinting scripts. Previous efforts to improve Firefox user privacy also included removing the Battery Status API.