How can I support CanvasBlocker?
The best way to support CanvasBlocker is to give feedback. If something is not working like it should or something could be improved please open an issue. Reviews at addons.mozilla.org can also help to increase the user base but it is a very bad platform to communicate issues and improvements.
If you want to contribute with your own spare time you can help to improve the translations. Code contributions can also be done in form of pull requests but will be reviewed very thoroughly.
Why does CanvasBlocker need permission X?
Here is the list of permission that CanvasBlocker needs and the reason why it's needed:
- <all_urls> and tabs: CanvasBlocker needs to be able to interact with all possible urls and tabs as fingerprinting attempts could be done everywhere.
- storage: to store the settings the storage.local API is used.
- webRequest and webRequestBlocking: to insert the CSR headers in a request in order to protect the data-URLs. Once this bug has been fixed I can completely remove the data-URI protection (see here for further information).
- contextualIdentities and cookies: for support of browser containers. I would like to make this optional for only the people that use containers but I cannot (see here for further information).
- privacy: this permission is needed to read if the user has privacy.resistFingerprinting enabled. A notice about a slightly changed behaviour of CanvasBlocker is displayed in the settings page in that case.
How is CanvasBlocker funded?
There is no steady monetary funding of CanvasBlocker. Donations are accepted and help to cover some expenses. But since these are not that high it is not sure if a steady funding with any obligations will be accepted.
There is also no plan to monetize CanvasBlocker in any way.
All the development work is done by kkapsner in their spare time and no salary or compensation is paid for it.
So it's all done voluntarily for fun and free.
reCAPTCHA is not working!
It's a known fact that the window API protection breaks reCAPTCHAs. They use the window.name API to store information about the captcha. The protection is designed to mitigate exactly such techniques of passing information from one domain to another. But in this case the information is shared with an embedded HTML page (an <iframe> tag). As the information gets lost when the top level page navigates somewhere the tracking potential is quite limited in such a scenario.
So in conclusion you can enable "Allow window.name in frames" to make reCAPTCHA work and still don't have to worry too much about tracking with window.name.
Page X claims my fingerprint is unique.
Having a unique fingerprint is fine as long as it changes. With the default settings of CanvasBlocker the fingerprint should change all the time. But also with other settings (e.g. the stealth preset) that do not change the fingerprint all the time the fingerprint should be unique per domain and therefore prevent tracking. To test this you can check the different fingerprints on canvasblocker.kkapsner.de and canvasblocker2.kkapsner.de.
My fingerprint does not change when I reload page X.
Some pages do not recalculate the fingerprint upon reload. Make sure you force the recomputation.
But also some CanvasBlocker settings make it to not change the fingerprint upon reload (e.g. the stealth preset).
If you have privacy.resistFingerprinting enabled the fingerprints also may stay the same. But in this case you are not trackable as the fingerprint does not leak any information about your system. See here and here for further information.