XenForo 2.3: Broken image uploads in Firefox with "privacy.resistFingerprinting" = true

Steffen

Steffen

Well-known member
Affected version
2.3.2
Firefox users who have enabled "privacy.resistFingerprinting" cannot upload images anymore in XenForo 2.3. This settings seems to be configurable by visiting "about.config" and maybe by installing privacy-related Firefox extensions. I'm writing this post in Firefox 129.0.2 with the mentioned setting enabled to demonstrate the issue.

Maybe XenForo could detect whether the Canvas API works as expected by drawing a small image on a canvas and checking the result as explained here? https://discourse.mozilla.org/t/how-to-detect-privacy-resistfingerprinting/111798/2
 

Attachments

  • Osterhase.webp
    Osterhase.webp
    5.2 KB · Views: 13
  • Tanzbär.webp
    Tanzbär.webp
    9.5 KB · Views: 13
regular thing with tor browser.
it is based on firefox i think.
it has only happened when i try to do image as attachment.
if i drag and drop it normally works.
 
Opus X said:
if i drag and drop it normally works.
Click to expand...

Yep. Due to the following bug client side image processing is not used when an image is uploaded via Froala (Drag & Drop or Insert Image icon).
K

Confirmed Thread 'Client side image resizing fails if image is inserted via toolbar icon'

Prerequisites
  1. Set post_max_size and upload_max_filesize to 1 MB
  2. Set max image dimensions to 300 x 300
Steps to reproduce
  1. Click the editor toolbar icon Insert image
  2. Drop a large image (well > 1 MB and over 300x300) onto the drop area
Expected Result
The image is resized to max. 300 x 300 and uploaded afterwards

Actual Result
The source image is uploaded, the upload fails without a user-facing error

Suggested Fix
The upload must be routed through the attachment manager so client side image resizing is...
 
We just got a user complaint for this bug.

Detecting "Resist Fingerprinting" and conditionally disabling client side image processing might work.

Though I think the root cause here is that the browser doesn't detect that the canvas operation was done due to user interaction.
So maybe this should be escalated to Firefox developers?

Another workaround could be to change the code so the canvas operation happens immediately when the user selects the files(s), but that might not be viable if many (large) images are uploaded at once.
 
Kirby said:
We just got a user complaint for this bug.

Detecting "Resist Fingerprinting" and conditionally disabling client side image processing might work.

Though I think the root cause here is that the browser doesn't detect that the canvas operation was done due to user interaction.
So maybe this should be escalated to Firefox developers?

Another workaround could be to change the code so the canvas operation happens immediately when the user selects the files(s), but that might not be viable if many (large) images are uploaded at once.
Click to expand...
I use brave with finger printing disabled. Might be localised to FF exclusively.
 
Back
Top Bottom