
canvasblocker's Introduction


This add-on allows users to prevent websites from using some JavaScript APIs to fingerprint them. Users can choose to block the APIs entirely on some or all websites (which may break some websites) or just block or fake their fingerprinting-friendly readout APIs.

IMPORTANT: you should only have ONE addon/setting set that protects an API. Otherwise you could face massive performance issues. (E.g. EclipsedMoon for Palemoon has 'canvas.poison' which is known to cause issues: #253 (comment)) But setting privacy.resistFingerprinting to true and/or using the new fingerprinting protection introduced with Firefox 67 is fine.


Protected "fingerprinting" APIs:

  • canvas 2d
  • webGL
  • audio
  • history
  • window (disabled by default)
  • DOMRect
  • SVG
  • TextMetrics
  • navigator (disabled by default)
  • screen

More information on fingerprinting can be found at:


Beta versions can be found at https://canvasblocker.kkapsner.de/versions/.


The different block modes are:

  • fake: Canvas Blocker's default setting, and my favorite! All websites not on the white list or black list can use the protected APIs, but values obtained by the APIs are altered so that consistent fingerprinting is not possible.
  • ask for permission: If a website is not listed on the white list or black list, the user will be asked if the website should be allowed to use the protected APIs each time they are called.
  • block everything: Ignore all lists and block the protected APIs on all websites.
  • allow only white list: Only websites in the white list are allowed to use the protected APIs.
  • block only black list: Block the protected APIs only for websites on the black list.
  • allow everything: Ignore all lists and allow the protected APIs on all websites.

You can contribute to CanvasBlocker by translating it and/or improving the translations. For further instructions go to #420.

Special thanks to:

  • spodermenpls for finding all the typos
  • Thorin-Oakenpants for the icon idea
  • anthologist and unbranched for the Italian translation
  • Maleficient for the French translation
  • yfdyh000 and KrasnayaPloshchad for the Chinese translation
  • micrococo for the Spanish translation
  • STim99 for the Russian translation

If you want to support this addon you can donate to the following addresses:

  • bitcoin: 159Y9BLcfHyrp6wj6f3syEuk92xkRVTiie
  • bitcoin cash: qrchnszkdwv9knhg9wjucrqy43rpl4klkq7jhkc8dz
  • monero: 482QYZaagALWtPmwbptwBaexDYmcVsJrhJp2VVjTgjYA3Kk1YyMdSg9Wz2qz1Gh31E843PFVCDWS4hR4Bjf6ipWuB9iz2cs

canvasblocker's People

Contributors

commanderroot, guyxy, jay, kkapsner, krasnayaploshchad, litetex, micrococo, patricksadowski, powerman, spodermenpls, timtestdev, totalcaesar659, unbranched, vproject, yfdyh000


canvasblocker's Issues

[BUG] Google picture captchas fail to render on ouo.io

When I visit a site like ouo.io, Google is using new picture captchas instead of letters and it calls out faked readout for Canvas, but the pictures to solve the captcha never show up unless I whitelist www.google.com. The addon is not working for this. Is there any way to fix it?

Proposal: Show the sourcecode where the canvas is nested in

As a project manager of a website for a large automotive company I was surprised that CanvasBlocker gave me the alert that a canvas fingerprinting is used. My developers say that canvas fingerprinting is not used in the original source code but it can come from the tracking snippets or from the google tag manager snippet. When I edit the source code and search for a tag I cannot find it on the site. The tracking is part of the domain of external agencies. Is there a possibility of a false alarm or is it possible that the code injection is detected by CanvasBlocker but it is not visible in Firebug? Anyway I would appreciate to see some source code around the black spot that caused CanvasBlocker to react to figure out who has done this by examining the IDs of elements, comments and so on. Is this somehow possible to integrate?

clicking 'ignore domain' replaces whitelist with ignorelist

When the canvas API is blocked on a page and I click 'ignore domain', it adds the website to the ignore list and then also replaces my whitelist with the ignore list. So I lose all my whitelist entries and both lists are now the same as each other.

firefox 41.0.1
canvasblocker 0.2.0

What does "ignore domain" do?

OK, so I get a message like "Faked readout on github.com" with a bunch of buttons, including "ignore domain". It's less than clear what happens though when a domain gets "ignored". Does that just mean I don't get notified about this domain? Does the canvas usage get blocked or not when I do this?

Given the presence of a "whitelist domain", I'm guessing that "ignore domain" doesn't do that, so it's more like "silently block domain in future". Is that right? Can we come up with a better way to express that?

Feature request: "Show Notifications" checkbox disables notifications by default

I find the notifications introduced in v0.1.5.1-Release to be annoying because the excellent fake readout API block mode is a "set-it-and-forget-it" setting which shouldn't require user input (such as needing to populate the ignore list to prevent notifications from showing regularly). The notifications are confusing to non-technical users, and they constantly appear because the fake readout API setting is Canvas Blocker's default blocking mode (as it should be).

To solve this issue, I suggest introducing a new setting named "Show Notifications" which only allows the notifications to be displayed if the setting is true. "Show Notifications" should default to false to not bother or confuse non-technical users who don't want to dig into the preferences, while allowing technical users to enable notifications if desired.

Suggested implementation:

  • Create a new boolean pref named "showNotifications"
  • Edit "/resources/canvasblocker/lib/main.js" to check showNotifications when deciding whether to display the notification:
    • Change line 147 from: if (!ignoreList.match(contentURL)){
    • to: if (showNotifications && !ignoreList.match(contentURL)){
  • On the Addons Manager preferences page:
    • Put the Show Notifications checkbox into the same sub-section as the Ignore List (so that both options are between one pair of separator lines). If that's not possible, then put Show Notifications right above Ignore List, since the Ignore List is only relevant if notifications are allowed.
    • English description for the Show Notifications checkbox: "Show a notification when the block mode is set to 'fake readout API'."

Note: if you plan on displaying notifications for other blocking modes in the future, please also have "Show Notifications" apply to them as well for the same reasons.

Relates to the following issues:

This addon is great; please keep up the good work!

Hanging script reported on browser startup

The extension slows the browser to a crawl during startup. "Script not responding" alert mentions

resource://gre/modules/addons/XPIProvider.jsm -> jar:file:///home/uniqa/.mozilla/firefox/vhlwek37.default/extensions/[email protected]!/bootstrap.js ->
resource://gre/modules/commonjs/toolkit/loader.js -> resource://gre/modules/commonjs/sdk/loader/sandbox.js -> resource://gre/modules/commonjs/sdk/content/content-worker.js:335x

The same thing happens when any Jetpack addon is (re)started. I believe that one of the causes lies in the fact that CanvasBlocker ignores the current state of tabs (it switches to tabs even when they are in the background or unloaded). I am using "fake readout api" btw.

Please explain Show calling logfile and Display complete calling stack options

Hi,

I really like your plugin, but it seems like some pages stop working, when it's activated, even when I try different block modes. With the latest version (0.1.4) I don't even seem to get the pop ups to appear anymore. Now I was wondering how the settings Show calling logfile and Display complete calling stack are working in order to get an idea what's going on on those pages.

Unrelated to this, I assume any changes in the preferences are applied right away, i.e. as soon as I change something and re-load a webpage, the new settings come into effect, is this correct?

Thank you and best regards,
vawael

Feature Request: Site Management

I would highly appreciate some kind of site management that stores white and blacklisted sites and that allows managing them.

Blocks other Firefox extensions

Hello, while CanvasBlocker is activated, the extension YoutubeCenter is not working anymore (doesn't even show its symbol on the youtube site any longer). Does not change even if I "Allow All" in CanvasBlocker.

faked readout on github.com

I'm really surprised to see "faked readout on github.com".

 Calling file: https://assets-cdn.github.com/assets/frameworks-7d180c2bb5779ecb7ab5d04ce8af999e73836dcf0df1a8c44b69c62a1de0732f.js line 1 column 1776

Does it mean that github does canvas fingerprinting?

fails at browserleaks

Could you fix it so that it looks like it's coming from a normal functioning but different computer every time? From the test at browserleaks it fails to show a png and that could be used to identify and separate you from normal users. So this does not work at all.

Consider having source code reflect xpi tree

Hi Klaus Korbinian, I recently made a change to your extension. To do that was a bit of work because your git repo does not have the tree of your extension, it only has the tree of resources/canvasblocker. To work with your code I unzipped the canvasblocker xpi from master, initialized a repo on that and then:

    rm -rf resources/canvasblocker
    git submodule add -b master [email protected]:jay/CanvasBlocker.git resources/canvasblocker
    cd resources/canvasblocker
    git remote add upstream git://github.com/kkapsner/CanvasBlocker.git

This isn't a great solution because when you update your repo I'll have to remove all the files (except the .git stuff) and unzip the new xpi (sans resources/canvasblocker) from whatever your updated commit, then switch to resources/canvasblocker and checkout the commit associated with that xpi. Then I can commit the update in the superproject and branch off in the submodule. That is the only way to keep everything in sync and move back and forth.

I don't have any other changes in the pipeline but I think changing will make it easier for anyone else who wants to contribute.

Canvas Blocker breaks whitelisted sites or all sites in Allow Everything mode

Recently, Canvas Blocker started breaking all sites that use canvas in any way:

  • mapy.cz: no map shown (but loads ok when you click "Letecká" at top left corner and back)
  • google maps: full version doesn't work at all
  • video.aktualne.cz - any video stops at "loading ad" stage

Whitelisting sites doesn't help, switching Canvas Blocker to Allow Everything block mode doesn't help either, the sites start working like a charm when Canvas Blocker is disabled. All of these happen on a clean profile + Canvas Blocker; no other add-on or preference makes any difference.

versions:
Firefox ESR 38.2.1
Canvas Blocker 0.1.8-Release

[feature request] addon icon and/or window to edit entry before adding to ignore/whitelist

An addon icon for the addon/status bar would be useful as it's kind of a pain to go into the addons page and find canvas blocker and click on settings. Maybe it could bring up a window when clicked to quickly change options.

Another thing that might be nice would be a popup when clicking on ignore or whitelist for a domain when readout is faked. That way the domain can be edited before it is added, e.g. to add/remove a subdomain or something.

Suggested changes to the AMO English description

Suggested typo fixes and description changes to Canvas Blocker's addons.mozilla.org English description (starting below the horizontal line).

Notes:

  • I'm unsure if this actually belongs in a Github bug report, so if not, please mark this as "won't fix" but still take the suggestions into consideration.
  • The "allow everything" block mode is missing from the AMO English description, so it may be missing from the description in other languages, too.

This add-on allows users to prevent websites from using the Javascript API to fingerprint them. Users can choose to block the API entirely on some or all websites (which may break some websites) or just block or fake its fingerprinting-friendly readout API. More information on fingerprinting can be found at http://www.browserleaks.com/canvas.

The different block modes are:

  • block everything: Ignore all lists and block the API on all websites.
  • allow only white list: Only websites in the white list are allowed to use the API.
  • ask for permission: If a website is not listed on the white list or black list, the user will be asked if the website should be allowed to use the API each time it is called.
  • block readout API: All websites not on the white list or black list can use the API to display something on the page, but the readout API is not allowed to return values to the website.
  • fake readout API: Canvas Blocker's default setting, and my favorite! All websites not on the white list or black list can use the API to display something on the page, but the readout API is forced to return a new random value each time it is called.
  • ask for readout API permission: All websites not on the white list or black list can use the API to display something on the page, but the user will be asked if the website should be allowed to use the readout API each time it is called.
  • block only black list: Block the API only for websites on the black list.
  • allow everything: Ignore all lists and allow the API on all websites.

Firefox's native PDF reader uses the API to display PDF content, so blocking it for MIME-content type of "*/pdf" will prevent the PDF reader from working. Therefore, the API is enabled for PDFs by default, but it can be disabled without affecting the block mode setting.

At present, only my domain (kkapsner.de) is whitelisted by default.

Please report issues and feature requests at https://github.com/kkapsner/CanvasBlocker/issues

A highly experimental version for Android is available at https://github.com/kkapsner/CanvasBlocker/tree/android

Youtube (also general issue)

I got problems using HTML5, especially on YouTube. After deactivating CanvasBlocker it worked again.

No message popped up. Another problem that occurred on other websites is that, even if a popup for blocking appeared, it will appear every time I reload the page (even on restart of Firefox).

Better "ask" message

Selected: "Asking when using read API"
Currently it's a JavaScript message.
In my opinion it would be nicer if the message box could be more nice and include a "temporarily allow" button to allow it only for the current visit.
It should also display the question like all other blocking questions in Firefox below the address bar in an infobar.

IMHO Tor Browser does it quite good. It shows exactly the message I would also like to see by this addon.

Edit: Also note that buttons like "block always" or something like this would be nice.

CB for Android

Lovely add-on - really!
Is there a way to get it installed under Android (Firefox)? I would love it, because I always feel a "shadow" following me - especially on my tablet, where you have less possibilities for privacy issues!

: G.rü

Suggested changes to the English translation

Suggested changes to fix misc. typos (missing commas, "separate", "commas", "nevertheless") and clarify a few descriptions in the English translation (/locale/en-US.json):

  • "whiteList_description": "Domains or URLs where the API should not be blocked. To add multiple entries, separate them by commas."
  • "blackList_description": "Domains or URLs where the API should always be blocked. To add multiple entries, separate them by commas."
  • "ignoreList_description": "Domains or URLs where no notification will be shown. To add multiple entries, separate them by commas."
  • "askOnlyOnce_description": "When Canvas Blocker's Block mode is set to 'ask permission' or 'ask permission for readout API', a confirm message will appear every time a page tries to access the API or readout API. This setting tries to display the confirm message only once for each page regardless of how many times the page tries to access the API. Nevertheless, multiple confirm messages may still be displayed on some pages."
  • "allowPDFCanvas_description": "Firefox's native PDF reader uses the API to display PDF content. If this setting is unchecked when viewing a PDF, Canvas Blocker may display multiple ask dialogs or the PDF reader may not work at all."

No idea if the same typos are in other translations.

WebGL profiling

It's not really an issue but rather a request.

I found something interesting,

Quicktranslator 1.0 ( https://addons.mozilla.org/en-US/firefox/addon/quick-translator/ ) + CanvasBlocker 0.1.2 leads to a zero profile WebGL detection. At least, according to www.ip-check.info
Investigate for yourself (tests take a while). Use a vanilla Firefox profile. Install both extensions and test with either one enabled and also in combination.

I hope you can use the results to improve your extension. (If you need more info, please let me know).

Request: Option to prevent all dialogs about Faked readout

For the Fake readout API option, can we have an option to prevent the notification dialog for all sites?
That way, the readout API is faked, and we are not constantly hit with the notification that it was faked.
This, or a wildcard such as * for the ignore list.

EDIT: I see that putting "http*" in the ignore list does this. Perhaps a note should be made somewhere?

Canvas Blocker 0.1.7 & 0.1.8: Break sites & Firefox's PDF viewer

I found that Canvas Blocker 0.1.7 & 0.1.8 (updated from v 0.1.6 via AMO) break:

  • Mapping sites
    — maps (or even complete webpages on mapping sites) do not render, despite domain white-listing; below are 2 non-exhaustive examples (note: I haven't tested most mapping sites, before downgrading to v 0.1.6)
  • Firefox's inbuilt PDF viewer
    — PDF file from any website will not load (only shows blank page with spinning icon), despite ticking Canvas Blocker's Allow canvas in PDFs (default in 0.1.7 & 0.1.8: unticked)

The only way to avoid the above breakages is to disable Canvas Blocker, or uninstall it. Disabling all other add-ons (except Canvas Blocker) does not solve the breakages.

Last working version is v 0.1.6 (reinstalled from AMO), for which the aforementioned sites work perfectly, without any need for white-listing. Firefox's PDF viewer also works fine (note: v 0.1.6's Allow canvas in PDFs is ticked by default).

I'd tested v 0.2.0 devt (06 Sep 2015) referenced at Issue #35, but all of the above problems persist. I note that 0.2.0 devt does not have any PDF-related preference for user to tick or untick. Meanwhile, Firefox's PDF viewer remains broken.

Specs: Firefox 33.1.1, Win 7 SP1 (x64)

Request: HTTP Authentication Data ID...

Hi,

This is a really nice addon you made for Firefox, I like how you are into Fingerprinting protection.

I want to ask if you might consider another idea to add into CanvasBlocker to protect the browser from sending HTTP Authentication Data ID to 3rd party requests...

If you go to JonDONYM's site to check IP you will see they have a section for 'Authentication'

http://ip-check.info/?lang=en

Thank you for your consideration to add this feature to your addon.

Issues with CanvasBlocker + YouTubeCenter

CanvasBlocker seems to interfere with YouTubeCenter plugin.

While CanvasBlocker is working, YTC will only work right after installation (only once!) and fail on following page reloadings, Firefox restarts etc.

YTC started working again after I disabled CanvasBlocker.
https://github.com/YePpHa/YouTubeCenter

CanvasBlocker settings:
Whitelist: kkapsner.de,^https?://(\w+\.)*google.[a-z]+/maps,orteil.dashnet.org/cookieclicker/,youtube.com,steamcommunity.com
Blacklist is empty
Blockmode: "Ask for permission for invisible canvas"
Canvas in PDFs is allowed

Fake read API: Alternative method with using common values

IMHO it would be nice to have an alternative method of the "fake readout API" which does not use random values, but rather use common values.
Because one disadvantage of a completely random value is that it reveals the fact that you're using this addon. And if this is detected websites may try to use workarounds around the readout API.
Even if that's not possible or not detected it is still a kind of tracking factor if there are many complete Canvas hashes from .
So if you can combine the fact "random Canvas hash" with another one you may be able to track the user, just because this addon is not as widespread, which means already the fact that you're using this addon may be "suspicious".
On the other hand there may be other methods to detect whether a particular addon is installed. I won't deny this and - if this addon was also affected - you cannot fix this. It's just that you do not have to provide more identifying values by something like this.

So what I would suggest is: Adding another "block mode" in the settings which uses common values instead of random ones. To do this get a database of common Canvas values. However there are different approaches how this mode may work and I'm suggesting them here all and leave it up to discussion what to use: The mode should... (RCOV = _r_andomly _c_hoose _o_ne common _v_alue [out of a list of common values])

  • RCOV and use one per Canvas access (even if it should read multiple times on a website)
  • RCOV and use one per site visit
  • RCOV and use them for a pre-defined time for all sites and switch it later (1h or so)
  • RCOV and use it for the current browser session (maybe that's not such a good idea, because it is too much bound to an event which can occur at any time [a browser may be opened very long or very short] and you can possibly track whether the user closed the browser)
  • RCOV at the first installation of the addon and use it until the addon is uninstalled (possibly provide an update to choose another value)
  • hard-code one very common value and use it for all installations

PS:

  1. It also breaks tests like https://amiunique.org/ because obviously they report you're unique - which is true. It's just that this uniqueness is temporary.
  2. https://www.browserleaks.com/canvas has a database of common Canvas values.
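
The persistence scopes listed in the request above, as an added example (not CanvasBlocker's code and not part of the original post): one selector that picks an entry from a list of common values and binds that choice to the chosen scope with a keyed HMAC, so nothing per-site has to be stored. The value list, the scope names, `scopeLabel` and `CommonValueSelector` are assumptions made for illustration.

```javascript
const { createHmac, randomBytes, randomInt } = require("crypto");

// Constructed placeholders standing in for a database of common canvas values.
const COMMON_VALUES = ["common-A", "common-B", "common-C", "common-D", "common-E"];

// What each scope binds the choice to (scope names are hypothetical).
// null means "nothing to derive from": fresh randomness or a hard-coded value.
function scopeLabel(scope, { domain, visitId, now, windowMs } = {}) {
  switch (scope) {
    case "access":     return null;                                   // new pick on every read
    case "visit":      return `visit|${domain}|${visitId}`;           // one value per site visit
    case "timeWindow": return `window|${Math.floor(now / windowMs)}`; // all sites, rotates
    case "session":    return "session";                              // until the browser closes
    case "install":    return "install";                              // until the add-on is removed
    case "fixed":      return null;                                   // same for every installation
    default: throw new RangeError(`unknown scope: ${scope}`);
  }
}

class CommonValueSelector {
  constructor({ installSecret = randomBytes(32), windowMs = 60 * 60 * 1000 } = {}) {
    this.installSecret = installSecret;   // assumed to be persisted with the settings
    this.sessionSecret = randomBytes(32); // regenerated at every browser start
    this.windowMs = windowMs;
  }

  // Models a browser restart: only the session key changes.
  restart() {
    this.sessionSecret = randomBytes(32);
  }

  pick(scope, ctx = {}) {
    if (scope === "fixed") return COMMON_VALUES[0];
    const label = scopeLabel(scope, { ...ctx, windowMs: this.windowMs });
    if (label === null) return COMMON_VALUES[randomInt(COMMON_VALUES.length)];
    // Session-bound scopes use the per-session key, the others the per-install key.
    const key = scope === "visit" || scope === "session"
      ? this.sessionSecret
      : this.installSecret;
    const mac = createHmac("sha256", key).update(label).digest();
    // 32 bits of MAC output reduced modulo the list length; the bias is
    // negligible for a short list.
    return COMMON_VALUES[mac.readUInt32BE(0) % COMMON_VALUES.length];
  }
}
```

The wider the scope, the longer two readouts stay linkable: "install" and "fixed" survive restarts, "visit" and "session" do not, and "access" gives a site two different answers within one page load.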

Reorder the block mode dropdown menu

The block mode dropdown menu is currently a bit confusing because the readout API entries are sandwiched between entries that apply to all canvas. Reorder the list to put the readout API entries at the bottom so that the all-canvas entries are together.

Suggested order (arranged from block -> allow for both the canvas and readout entries groups):

  • block everything
  • block only black list
  • ask for permission
  • allow only white list
  • allow everything
    • [separator line]
  • block readout API
  • ask for readout API permission
  • fake readout API

If possible, it'd be nice to add a separator line to the menu between the all-canvas and readout API sections to make clear the separation between them

Note that this would also include reordering the entries on the AMO descriptions pages for all languages.

Bypass CanvasBlocker using iframe

Hi

Firstly I want to say I'm helping make this demo:

https://www.browserleaks.com/canvas

And I recently updated it, so now everyone can see in more detail what's going on when you "block readout API", or when you "fake readout API" with CanvasBlocker.

I have also reviewed some extensions for blocking Canvas (two of them for Chrome, and also CanvasBlocker), and found that they can all be bypassed by creating a canvas element inside an iframe:

    <iframe id="iframe" sandbox="allow-same-origin" style="display:none"></iframe>
    <script>
    var canvas = document.createElement('canvas');
    console.log(typeof canvas.toDataURL);
    canvas = document.getElementById("iframe").contentDocument.createElement('canvas');
    console.log(typeof canvas.toDataURL);
    </script>

When you do anything with canvas inside this iframe, extensions notice nothing.

But there is also "good" news: the reason my demo still can't bypass CanvasBlocker is this bug:

https://bugzilla.mozilla.org/show_bug.cgi?id=941146

Firefox crashes JS with NS_ERROR_FAILURE if I try to set ctx.font or ctx.fillText inside an iframed canvas :))))

For now I put in a temporary fallback for this bug: when the crash happens, it returns to the non-iframe canvas.

But I hope you fix CanvasBlocker before they fix FF :)
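
Why a patch applied to one window misses a canvas created through an iframe, and what covering every frame looks like, as an added example that is not part of the original report and not CanvasBlocker's code. It models browsing contexts with Node's `vm` realms, where each realm has its own `Canvas` prototype; `createRealm`, `createFrame`, `patchReadout` and `patchReadoutRecursive` are hypothetical names, and the readout strings are constructed.

```javascript
const vm = require("vm");

const REAL = "data:image/png;base64,REAL-PIXELS";   // constructed sample readout
const FAKED = "data:image/png;base64,FAKED";        // constructed sample readout

// Constructed stand-in for a browsing context: each realm defines its own
// Canvas class, just as every window/iframe has its own canvas prototype.
const REALM_SOURCE = `
  class Canvas { toDataURL() { return ${JSON.stringify(REAL)}; } };
  ({ Canvas })`;

function createRealm() {
  const realm = vm.runInContext(REALM_SOURCE, vm.createContext({}));
  realm.frames = [];
  // Page-visible way to reach a child realm (models iframe.contentDocument).
  realm.createFrame = () => {
    const child = createRealm();
    realm.frames.push(child);
    return child;
  };
  return realm;
}

const patched = new WeakSet();
const hooked = new WeakSet();

// Wraps the readout API of ONE realm: the behaviour the report describes,
// where only the top window's prototype is replaced.
function patchReadout(realm) {
  if (patched.has(realm)) return;
  patched.add(realm);
  const original = realm.Canvas.prototype.toDataURL;
  realm.Canvas.prototype.toDataURL = function () {
    original.call(this); // run the real readout, but do not return its pixels
    return FAKED;
  };
}

// Patches the realm, every frame that already exists, and intercepts frame
// creation so a new child realm is patched before page script receives it.
function patchReadoutRecursive(realm) {
  if (hooked.has(realm)) return;
  hooked.add(realm);
  patchReadout(realm);
  realm.frames.forEach((frame) => patchReadoutRecursive(frame));
  const createFrame = realm.createFrame;
  realm.createFrame = () => {
    const child = createFrame();
    patchReadoutRecursive(child);
    return child;
  };
}

// Applies a patch to a fresh top realm, then reads a canvas in the top
// realm, in a frame, and in a frame nested inside that frame.
function readoutsAfter(patch) {
  const top = createRealm();
  patch(top);
  const frame = top.createFrame();
  const nested = frame.createFrame();
  return {
    top: new top.Canvas().toDataURL(),
    frame: new frame.Canvas().toDataURL(),
    nested: new nested.Canvas().toDataURL(),
  };
}
```

With `patchReadout` only the top realm returns the faked value; with `patchReadoutRecursive` the frame and the nested frame do as well.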

Cyberfox x64 - clash with addons

Hi...
I run Cyberfox 64bit with a handful of addons. One of them is Random Agent Spoofer -
https://addons.mozilla.org/en-US/firefox/addon/random-agent-spoofer/

I run into an issue with RAS, it offers spoofing of time zone and screen resolution. After creating a fresh profile, adding RAS and then adding my addons back 1 by 1... I have confirmed that CanvasBlocker clashes with time and resolution spoofing.

...just thought I'd mention it, maybe there can be a workaround/tweak worked out between the developers. Any feedback would be great too. Thanks!

write-only option

Mirroring the approach taken by mozilla bug 967895 might be interesting as an extra option between allowing or blocking all access to Canvas.

Their approach is to allow pages to write to canvas, but to return a completely white image when getImageData() is called, unless given permission.

Bug967895's implementation changes the Firefox source code, but perhaps a javascript only solution is possible similar to your current blocking code by overriding the regular implementation when permission is denied or by leaving it as is if access is allowed.

Something like this to override getImageData()

    CanvasRenderingContext2D.prototype.getImageData = function (x, y, w, h) {
        var imgdata = new ImageData(w, h);
        var i = w * h * 4; // 4 bytes per pixel for RGBA
        // Fill every byte, index 0 included, so the returned image is fully white.
        while (i--) {
            imgdata.data[i] = 0xFF;
        }
        return imgdata;
    };

xhamster

Hello, since the last update yesterday I can't log in on xhamster.com :(
btw. there is no changelog on addons.mozilla.org for the 0.1.8-Release

Seamonkey support

Can you please add support for the SeaMonkey (formerly Mozilla Suite)?
You only need to add SeaMonkey to the list of supported applications in install.rdf as http://addonconverter.fotokraina.com does...

  <em:targetApplication>
    <em:Description>
      <em:id>{92650c4d-4b8e-4d2a-b7eb-24ecf4f6b63a}</em:id>
      <em:minVersion>2.0</em:minVersion>
      <em:maxVersion>2.*</em:maxVersion>
    </em:Description>
  </em:targetApplication>

No further adjustments are needed...

Privacy Badger compatibility

After using CanvasBlocker a bit I discovered that it also reported Canvas reads (also readouts) on Firefox error pages. Looking at the stack trace I saw this was caused by PrivacyBadger.

I do not know who can fix this better, but it would be nice to have some solution here.

about:certerror?e=nssBadCert&u=https%3A//self-signed.badssl.com/&c=windows-1252&f=regular&d=self-signed.badssl.com%20verwendet%20ein%20ung%C3%BCltiges%20Sicherheitszertifikat.%0A%0ADem%20Zertifikat%20wird%20nicht%20vertraut%2C%20weil%20es%20vom%20Aussteller%20selbst%20signiert%20wurde.%0A%0A%28Fehlercode%3A%20sec_error_unknown_issuer%29%0A Zeile 131 Spalte 1
    about:certerror?e=nssBadCert&u=https%3A//self-signed.badssl.com/&c=windows-1252&f=regular&d=self-signed.badssl.com%20verwendet%20ein%20ung%C3%BCltiges%20Sicherheitszertifikat.%0A%0ADem%20Zertifikat%20wird%20nicht%20vertraut%2C%20weil%20es%20vom%20Aussteller%20selbst%20signiert%20wurde.%0A%0A%28Fehlercode%3A%20sec_error_unknown_issuer%29%0A Zeile 187 Spalte 5
    about:certerror?e=nssBadCert&u=https%3A//self-signed.badssl.com/&c=windows-1252&f=regular&d=self-signed.badssl.com%20verwendet%20ein%20ung%C3%BCltiges%20Sicherheitszertifikat.%0A%0ADem%20Zertifikat%20wird%20nicht%20vertraut%2C%20weil%20es%20vom%20Aussteller%20selbst%20signiert%20wurde.%0A%0A%28Fehlercode%3A%20sec_error_unknown_issuer%29%0A Zeile 1 Spalte 2
    resource://gre/modules/commonjs/toolkit/loader.js -> resource://gre/modules/commonjs/sdk/loader/sandbox.js -> resource://jid1-mnnxcxisbpnsxq-at-jetpack/privacybadger/data/fingerprinting.js Zeile 231 Spalte 3
    resource://gre/modules/commonjs/toolkit/loader.js -> resource://gre/modules/commonjs/sdk/loader/sandbox.js -> resource://jid1-mnnxcxisbpnsxq-at-jetpack/privacybadger/data/fingerprinting.js Zeile 243 Spalte 1
    resource://gre/modules/commonjs/toolkit/loader.js -> resource://gre/modules/commonjs/sdk/loader/sandbox.js Zeile 66 Spalte 12
    resource://gre/modules/commonjs/toolkit/loader.js -> resource://gre/modules/commonjs/sdk/content/sandbox.js Zeile 320 Spalte 9
    resource://gre/modules/commonjs/toolkit/loader.js -> resource://gre/modules/commonjs/sdk/content/sandbox.js Zeile 281 Spalte 1
    resource://gre/modules/commonjs/toolkit/loader.js -> resource://gre/modules/commonjs/sdk/core/heritage.js Zeile 146 Spalte 23
    resource://gre/modules/commonjs/toolkit/loader.js -> resource://gre/modules/commonjs/sdk/content/worker-child.js Zeile 52 Spalte 20
    resource://gre/modules/commonjs/toolkit/loader.js -> resource://gre/modules/commonjs/sdk/core/heritage.js Zeile 146 Spalte 23
    resource://gre/modules/commonjs/toolkit/loader.js -> resource://gre/modules/commonjs/sdk/content/page-mod.js Zeile 157 Spalte 16
    resource://gre/modules/commonjs/toolkit/loader.js -> resource://gre/modules/commonjs/sdk/content/page-mod.js Zeile 190 Spalte 5
    resource://gre/modules/commonjs/toolkit/loader.js -> resource://gre/modules/commonjs/sdk/content/page-mod.js Zeile 122 Spalte 7

Test site: https://self-signed.badssl.com
Firefox 42.0
CanvasBlocker 0.2.1
Privacy Badger 1.0.3

Also reported on PrivacyBadger: EFForg/privacybadgerfirefox-legacy#462

WebGL protection?

According to amiunique.org you can also use WebGL similar to Canvas to track a user.

It would be great if this Blocker could also help to block such tracking attempts.

Failure at http://games.washingtonpost.com/games/daily-crossword/

Further to discussions at addons.mozilla.org:

I run Firefox 38.2.1ESR under Win7x64. I installed a separate portable version of this with no other addons and all default settings. CB 0.1.6 worked without whitelisting site. Page failed to load completely under CB 0.1.8, with or without whitelisting. I then installed a portable version of FF 40.0.3, installed most of the addons I normally use and tried again: CB 0.1.8 worked OK.
This suggests either an incompatibility with the ESR version I use, or a CB dependence on some specific feature in FF versions >38.

Display alerts using notification bar (not JS popup)

Thanks, very promising addon. This addon is a good recommendation for DIVERSIFY-project/amiunique#2 (https://amiunique.org/ - open source browser fingerprinting tool)

The popup notification is very intrusive though, having it grab all input on every page load is annoying. Do you think you could use a notification box instead? (https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XUL/notificationbox, click-to-play-like notification) A simple bar like this should do the trick:

Blocked <canvas> readout to https://someserver/path/.../576578.js [Keep blocking] [Allow]

Canvas Path Support

I'd like to notify you that www.html5test.com reports Canvas Path Support as enabled when using Canvas Blocker. This can be switched on/off with "canvas.path.enabled". I was wondering if you overlooked it or if it's on purpose.

Not an issue, just a question about Block mode

CanvasBlocker 0.1.4 working just fine with Firefox 35.0.1

A simple question regarding the Block mode:

If the readout API mode (either block or fake) runs well (and it does) what is the pertinence of the other modes? I mean, if the site has no readout of the canvas (or a fake one) why (when) would a user be interested in either white or black listing that domain, or even as well have that site ask permission?

If canvas is required for proper display (or even if not) but at the same time never has access to canvas' readout, why bother to choose any other mode than readout API mode?

As you see there's no issue, I'm just puzzled ... :)

'Faked readout' notification on very long URLs causes window to extend beyond chrome with no scrollbar

Great add-on! Recently I've been noticing that with sites that generate long URLs, CanvasBlocker causes an unfortunate bug. The "Faked readout..." notification attempts to display the entire URL, which extends to the right beyond the chrome of the window.

Most problematically, it does not generate a scrollbar in Firefox, which means the controls for dismissing that notification (along with part of the content of the website, and the right side of Firefox's own toolbars and tabs) are beyond the edge of the window, and there's no way to reach them.

The only way to correct the problem is to close the tab. Firefox will continue operating in this enlarged-but-not-visible state, even on other tabs, until you close the tab with the problematic notification.

Here's an illustration:

[Screenshot: screen shot 2015-08-08 at 10 08 07 am 2]

This is the test URL, a search on Google for lorem ipsum text:
https://www.google.com/search?safe=off&site=&source=hp&q=Lorem+ipsum+dolor+sit+amet%2C+consectetur+adipiscing+elit.+Vestibulum+lacinia+ante+non+dolor+viverra+iaculis.+Class+aptent+taciti+sociosqu+ad+litora+torquent+per+conubia+nostra%2C+per+inceptos+himenaeos.+In+adipiscing+pulvinar+eros%2C+vitae+dictum+elit+cursus+a.+Praesent+a+hendrerit+urna.+Maecenas+neque+libero%2C+viverra+in+neque+at%2C+posuere+tempor+metus.+Vestibulum+neque+nisi%2C+malesuada+sed+ipsum+varius%2C+bibendum+ornare+nisl.+Aliquam+adipiscing+vehicula+varius.+Morbi+a+interdum+lacus.+Integer+luctus+lobortis+magna%2C+nec+vulputate+augue+blandit+ac.&oq=Lorem+ipsum+dolor+sit+amet%2C+consectetur+adipiscing+elit.+Vestibulum+lacinia+ante+non+dolor+viverra+iaculis.+Class+aptent+taciti+sociosqu+ad+litora+torquent+per+conubia+nostra%2C+per+inceptos+himenaeos.+In+adipiscing+pulvinar+eros%2C+vitae+dictum+elit+cursus+a.+Praesent+a+hendrerit+urna.+Maecenas+neque+libero%2C+viverra+in+neque+at%2C+posuere+tempor+metus.+Vestibulum+neque+nisi%2C+malesuada+sed+ipsum+varius%2C+bibendum+ornare+nisl.+Aliquam+adipiscing+vehicula+varius.+Morbi+a+interdum+lacus.+Integer+luctus+lobortis+magna%2C+nec+vulputate+augue+blandit+ac.

But to be clear, this happens on all kinds of websites, including ones that don't have long URLs of their own, because sometimes they have embedded components that do have long URLs.

I think the notification needs to either enforce some kind of wrapping on the URLs at whatever the existing window size is, regardless of what the characters in the URL are, or display the first X characters of the URL, with an ellipsis or something to see the full URL if you want to see it.
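
One way to implement the truncation suggested in the report above, as an added example (not CanvasBlocker's code; the function name `shortenUrlForDisplay` and the 80-character default are assumptions). It keeps the origin fully visible, so the allow/block decision is still made on the real host, and elides only the middle of the path and query.

```javascript
// Added example: shorten a URL for a fixed-width notification label.
// shortenUrlForDisplay and the default limit are hypothetical, not from the add-on.
function shortenUrlForDisplay(rawUrl, maxLength = 80) {
  const ELLIPSIS = "...";
  let origin = "";
  let rest = String(rawUrl);
  try {
    const url = new URL(rawUrl);
    if (url.origin !== "null") {
      // scheme + host + port: never elided, the user decides based on it
      origin = url.origin;
      rest = url.pathname + url.search + url.hash;
    } else {
      // opaque origin (e.g. data: URLs): keep at least the scheme visible
      origin = url.protocol;
      rest = url.href.slice(url.protocol.length);
    }
  } catch (e) {
    // not an absolute URL: the whole string may be elided
  }
  if (origin.length + rest.length <= maxLength) {
    return origin + rest;
  }
  const budget = maxLength - origin.length - ELLIPSIS.length;
  if (budget <= 0) {
    // Host alone exceeds the limit: show it anyway rather than hide part of it.
    return origin + ELLIPSIS;
  }
  // Keep the start and the end of the path/query, drop the middle.
  const head = Math.ceil(budget / 2);
  const tail = budget - head;
  return origin + rest.slice(0, head) + ELLIPSIS + rest.slice(rest.length - tail);
}

// Constructed sample input modelled on the long search URL in the report.
const sampleLongUrl =
  "https://www.google.com/search?q=" + "Lorem+ipsum+".repeat(50);
console.log(shortenUrlForDisplay(sampleLongUrl));
```

The CSS side of the fix (wrapping or `text-overflow` on the label) is independent of this and still needed if the notification shows any other unbounded string.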

no fake readout on amiunique.org

I tried this extension on amiunique.org. It detects the canvas fingerprinting and a notification pops up, but it seems not to deliver a fake result, because the "view details" page still displays the generated canvas.

Hangs when using FakeReadout mode on Github

When using Nightly x64 2015-11-01 e10s on Windows 10 x64, I am getting hangs when accessing Github (and other pages which I assume are also making Canvas calls) using the "fake Readout API" setting. These hangs immediately disappear on my browser when I set the extension to the "block Readout API" setting.
