
Canvas Fingerprinting


  • $ fingerprint@info:~ echo $CANVAS
  • Name:

    Canvas Fingerprinting

    Original feature purpose:

    The Canvas API provides a means for drawing graphics via JavaScript and the HTML <canvas> element. Among other things, it can be used for animation, game graphics, data visualization, photo manipulation, and real-time video processing. For more details, see e.g. the MDN web docs.


    FP-Explanation:

    The Canvas element draws an image with text defined by the JavaScript fingerprinting code; the resulting binary pixel data is extracted (Base64-encoded) and hashed. This hash of the Canvas image serves as the fingerprint, which varies among clients because of differences in the rendering process caused by the operating system, browser, rendering engine, GPU or graphics driver. The Canvas API allows arbitrary fonts, colors and geometries. To increase fingerprinting diversity, the complete ASCII set is drawn with various fonts and colors. If a specific font is not installed or accessible on the client's browser, a fallback font is provided.
    The images drawn by Canvas elements in different system environments usually look different. Even if no difference is visible to the eye between two Canvas images rendered by the same JavaScript code, the images may still differ slightly, because they need not be pixel-identical.
    For fingerprinting purposes, it only matters that there are differences, so that the derived fingerprints are distinguishable.

    Instead of creating an image with JavaScript, an existing image can be read into the Canvas element. The resulting hash of the rendered Canvas image also varies among rendering engines and browsers.

    A Canvas fingerprint that should be consistent is drawn with one fake font. A Canvas fingerprint aiming for higher diversity is drawn with multiple fonts, but that fingerprint can change if the target system updates its font support.


    FP-Type:

    active

    FP-Categories:

    js, html5, hardware-dependent, software-dependent, consistent

    Counter-measures:

    Canvas elements can only be blocked at the browser level, either by a browser-specific Canvas-blocker add-on or by browser vendor features.

    • From Firefox 58: Canvas data extraction needs user permission or is automatically spoofed
      Explanation: A website can no longer use Canvas elements for fingerprinting (blocked or spoofed Canvas API)
      Info: Only works if the setting 'privacy.resistFingerprinting' is set to 'true'
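
The FP-Explanation and Counter-measures above, as an added example that is not code from this site: a one-step difference in a single pixel, invisible to the eye, still changes the hash, and reading the same drawing twice shows whether a blocker is randomising the readout. FNV-1a, all function names and the pixel buffers are assumptions constructed for the illustration; in a browser the pixel source would be `ctx.getImageData(0, 0, w, h).data`.

```javascript
// Added example, not code from the original page. Runs in Node.js or a browser console.
// Assumption: FNV-1a stands in for whatever hash a fingerprinting script uses.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Base64-encode the raw RGBA bytes and hash the resulting string.
function canvasHash(rgba) {
  return fnv1a(btoa(String.fromCharCode(...rgba)));
}

// Compare two renderings: number of differing pixels and largest channel delta.
function pixelDiff(a, b) {
  let pixels = 0, maxDelta = 0;
  for (let i = 0; i < a.length; i += 4) {
    let changed = false;
    for (let c = 0; c < 4; c++) {
      const d = Math.abs(a[i + c] - b[i + c]);
      if (d > 0) changed = true;
      if (d > maxDelta) maxDelta = d;
    }
    if (changed) pixels++;
  }
  return { pixels, maxDelta };
}

// Counter-measure check: read the same drawing twice. If the two hashes
// differ, the readout is randomised per call and yields no stable fingerprint.
// readPixels is a caller-supplied function returning RGBA bytes.
function readoutIsStable(readPixels) {
  return canvasHash(readPixels()) === canvasHash(readPixels());
}

// Constructed sample data: a 4x4 grey canvas as rendered by two clients.
const clientA = new Uint8ClampedArray(4 * 4 * 4).fill(200);
const clientB = Uint8ClampedArray.from(clientA);
clientB[5] = 201; // one channel of one edge pixel is a single step brighter

console.log(pixelDiff(clientA, clientB));
console.log(canvasHash(clientA), canvasHash(clientB));
```
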

    Publications/References:


  • $ fingerprint@info:~ run canvas-demo
  • Demo:

    >> Jump to Canvas Fingerprinting Demo <<



Copy the link above, close the browser and visit this site again to check your Canvas Fingerprints.
Click on the trash icon in the info box to clear your tracking stats for this demonstration.

If this is your first visit, but the info box says you already visited this website x times,
then someone else has generated the same Canvas fingerprint as your browser did.



Canvas rendered by other clients - output of the exact same JavaScript code:

Canvas FP Collection


Your Canvas Fingerprint () was derived from test image data generated by your browser.
Your browser rendered this Canvas:









Base64 data from the image below was extracted:


Test Image
Test image provided by testimages.org under CC BY-NC-SA 4.0