Canvas Fingerprinting
The Canvas API, which is designed for drawing graphics via JavaScript and HTML, can also be used for online tracking via browser fingerprinting. This technique relies on variations in how canvas images are rendered on different web browsers and platforms to create a personalized digital fingerprint of a user's browser.
Canvas Support in Your Browser | ||||
| Canvas (basic support) | ? | |||
| Text API for Canvas | ? | |||
| Canvas toDataURL | ? | |||
Canvas Fingerprint | ||||
| Signature | n/a | |||
| Uniqueness | ||||
Image File Details | ||||
| File Size | ||||
| Number of Colors | ||||
| PNG Hash | ||||
| PNG Headers | Chunk | Length | CRC | Content |
Browser Statistics | |||||
| Looking at your signature, it's very likely that your web browser is Web Browser and your operating system is Operating System. | |||||
How Canvas Fingerprinting Works
The way an image is rendered on a canvas can vary based on the web browser, operating system, graphics card, and other factors, resulting in a unique image that can be used to create a fingerprint. The way that text is rendered on a canvas can also vary based on the font rendering settings and anti-aliasing algorithms used by different web browsers and operating systems.
This small animated GIF illustrates the variability of canvas images among 35 different users. Although the JavaScript code remains the same, each frame is distinct due to differences in how the images are rendered on different systems:
Here is the JavaScript code that creates our image:
- // Text with lowercase/uppercase/punctuation symbols
- var txt = "BrowserLeaks,com <canvas> 1.0";
- ctx.textBaseline = "top";
- // The most common type
- ctx.font = "14px 'Arial'";
- ctx.textBaseline = "alphabetic";
- ctx.fillStyle = "#f60";
- ctx.fillRect(125,1,62,20);
- // Some tricks for color mixing to increase the difference in rendering
- ctx.fillStyle = "#069";
- ctx.fillText(txt, 2, 15);
- ctx.fillStyle = "rgba(102, 204, 0, 0.7)";
- ctx.fillText(txt, 4, 17);
To generate a signature from the canvas, we need to extract the pixels from the application's memory by calling the toDataURL() function. This function returns a base64-encoded string representing the binary image file. We can then compute an MD5 hash of this string to obtain the canvas fingerprint. Alternatively, we could extract the CRC checksum from the IDAT chunk, which is located 16 to 12 bytes from the end of every PNG file, and use it as our canvas fingerprint.
Further Reading
- How to Detect Font-Smoothing Using JavaScript
The first article about the difference in rendering pixels. Not about fingerprinting, but just after this article it became clear to us that something similar can be done.
- Pixel Perfect: Fingerprinting Canvas in HTML5
A well-known study, after which the topic has become known to the public.
- Fingerprintjs2
GitHub project that uses original our original code for their canvas fingerprinting function (huh, so many people have asked for proof).
- The Web never forgets: Persistent tracking mechanisms in the wild
And now it is used by thousands of sites...
- CanvasBlocker
Firefox add-on that changes the JS-API for modifying <canvas> to prevent Canvas Fingerprinting.
- Canvas Fingerprinting – Wikipedia
- HTML5 Canvas – MDN
- Compatibility tables for support of Canvas & WebGL in desktop and mobile browsers – Can I Use