6

While trying to watch Youtube videos using Tor Browser, the browser opens an alert window:

> This website (www.youtube.com) attempted to extract HTML5 canvas image data, which may be used to uniquely identify your computer.
>
> Should Tor Browser allow this website to extract HTML5 canvas image data?

Screenshot: http://imgur.com/aPTdy7k

Answering no will prevent the video from playing.

Is Youtube trying to fingerprint visitors? What can we do to watch Youtube videos without allowing HTML5 canvas extraction?

curiousguy
supercobra
  • There are a few threads over at tor - like https://tor.stackexchange.com/questions/4029/html-5-canvas-imagedata-extraction-what-does-it-actually-mean - I'm not sure if it's possible to opt out anonymously from all attempts by google to try to track you. But `youtube-dl` over tor may be an option. – chexum Dec 21 '15 at 11:24
  • There was a Firefox module called [firegloves](http://fingerprint.pet-portal.eu/?menu=6) which was not blocking HTML 5 canvas but instead was preventing any tracking by regularly changing some Firefox settings, thus altering the resulting tracking fingerprint. The advantage was that it was working even when one could not disable HTML 5 canvas data. But sadly, while largely welcomed this project stayed at the proof-of-concept stage and is not maintained anymore :(... – WhiteWinterWolf Dec 21 '15 at 11:32
  • What is the logic of opening youtube videos via Tor anyway? Youtube already filters and bans certain types of videos, so there's nothing more you can do from Tor on youtube compared to normal video viewing. Using it from Tor is a waste of Tor resources. – Overmind Jul 05 '18 at 08:15

1 Answer

7

Likely not, but you can never be sure.

First, why has a website "attempted to extract HTML5 canvas image data"? The HTML5 canvas element allows manipulations of 2D images with Javascript. Among many other operations, it can draw images or videos to the canvas and then manipulate them on a pixel-by-pixel level. While there are lots of legitimate uses for this, it can also be used to detect subtle differences in how different web browsers render images, videos and text to gain information about the user's web browser. That information can then be sent back to the server.

Youtube includes quite a lot of Javascript code, and most of it is heavily minified. That makes auditing it next to impossible. But I found 4 cases of the `.getImageData` function, which is used to extract canvas data, in the file `base.js`.

```javascript
a=a.o.getImageData(c,d,e,f).data;for(b=0;b<a.length;b+=4)if(255<a[b]+a[b+1]+a[b+2]+a[b+3])return!0;return!1
```

This appears to check the overall brightness level of a part of the image and detects if it is "bright" or "dark".

```javascript
f=e.getImageData(0,0,b,c),k=b*c,l=0;l<k;l++){var m=4*l;f.data[m]=f.data[m+1]=f.data[m+2]=Math.floor(35*Math.random());f.data[m+3]=255}e.putImageData(f,0,0);
```

This replaces the whole image with random gray noise and writes it back to the canvas. I suspect it's part of the code which creates the background for the "this video can not be displayed" error message.

```javascript
b=b.getImageData(0,0,1,1).data;return b[0]==b[2]&&b[1]==b[3]
```

This part of code appears twice. It checks if the first pixel of the canvas is a greyscale color.

None of these snippets looks suspicious, and each appears to be a plausible use of this feature in the context of a video player. But taking a glance at the minified mess this is and how much code there is, it is hard to be sure that there is no situation in which it leaks any information to a server. Also, just because I got Javascript with just these 4 cases, it doesn't mean that you will get the same. They could send different Javascript to different users depending on a million variables.

Philipp
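
One way to repeat the search described in the answer above over a downloaded script, as an added example that is not part of the original answer or of YouTube's code. The function names, the list of read-back APIs and the sample string (abbreviated from the snippets quoted in the answer) are assumptions of this example.

```javascript
// Canvas read-back APIs; this is a plain text search, so computed property
// access such as ctx["get" + "ImageData"](...) is not found.
const READBACK_APIS = ["getImageData", "toDataURL", "toBlob", "readPixels"];

// Read an argument list starting just after "(", honouring nested parentheses.
// Parentheses inside string literals are not handled.
function readArguments(source, start) {
  let depth = 1;
  let i = start;
  while (i < source.length && depth > 0) {
    if (source[i] === "(") depth++;
    else if (source[i] === ")") depth--;
    i++;
  }
  return depth === 0 ? source.slice(start, i - 1) : source.slice(start);
}

// Return every read-back call site in `source` with its arguments and context.
function findCanvasReadbacks(source, contextChars = 30) {
  const pattern = new RegExp("\\.(" + READBACK_APIS.join("|") + ")\\s*\\(", "g");
  return [...source.matchAll(pattern)].map((m) => {
    const argsStart = m.index + m[0].length;
    return {
      api: m[1],
      offset: m.index,
      args: readArguments(source, argsStart),
      context: source.slice(Math.max(0, m.index - contextChars), argsStart + contextChars),
    };
  });
}

// Pixel count of a getImageData(x, y, w, h) call when all four arguments are
// numeric literals; null when the region depends on variables and needs manual review.
function literalArea(hit) {
  if (hit.api !== "getImageData") return null;
  const parts = hit.args.split(",").map((s) => s.trim());
  if (parts.length !== 4 || !parts.every((p) => /^\d+$/.test(p))) return null;
  return Number(parts[2]) * Number(parts[3]);
}

// Constructed sample: the call sites quoted in the answer, abbreviated and joined.
const SAMPLE = [
  "a=a.o.getImageData(c,d,e,f).data;for(b=0;b<a.length;b+=4)if(255<a[b])return!0",
  "f=e.getImageData(0,0,b,c),k=b*c;e.putImageData(f,0,0)",
  "b=b.getImageData(0,0,1,1).data;return b[0]==b[2]&&b[1]==b[3]",
  "b=b.getImageData(0,0,1,1).data;return b[0]==b[2]&&b[1]==b[3]",
].join(";");

for (const hit of findCanvasReadbacks(SAMPLE)) {
  console.log(hit.offset, hit.api, "(" + hit.args + ")", "area:", literalArea(hit));
}
```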