Make WordPress Core

Opened 6 years ago

Closed 6 years ago

#44247 closed defect (bug) (duplicate)

The ability to extract HTML5 canvas image data should be disabled by default in WordPress-based websites

Reported by: nzflagmaven's profile nzflagmaven Owned by:
Milestone: Priority: normal
Severity: trivial Version:
Component: Privacy Keywords:
Focuses: Cc:


(1) Closed help topic at
(2) Closed Trac ticket #32138 at
(3) Wikipedia topic 'Canvas fingerprinting' at
(4) Wikipedia topic 'Device fingerprint' at
(5) Wikipedia topic 'WordPress' (Vulnerabilities section) at

The little-known ability of WordPress-based websites to extract HTML5 canvas image data may be of considerable worth to intelligence services, to hackers, and to certain WP plugins, but it can only be considered utterly vile to users who value not only their own privacy but that of visitors to their websites.

That WordPress websites have this built-in feature, capable of being used to uniquely 'fingerprint' the physical devices of visitors, and enabled by default, with no 'off' switch available save PHP file editing, may actually border on criminal now that the EU GDPR has gone live.

Even if future core releases provide a settings 'disable' for this feature, preferably ticked by default, WordPress websites that want to use it should be required to secure the informed permission of their visitors.

Minimize it, euphemize it, call it a 'non-bug', or find some other pretense to shrug off this privacy issue, but expect some fallout when the general media gets wind of it, particularly the EU media, and of your having been apprised of it more than three years ago but continuing to ignore it.

Attachments (1)

Canvas fingerprinting warning given by Tor Browser for typical WordPress website.png (85.7 KB) - added by nzflagmaven 6 years ago.
Canvas fingerprinting warning given by Tor Browser for typical WordPress website

Download all attachments as: .zip

Change History (3)

6 years ago

Canvas fingerprinting warning given by Tor Browser for typical WordPress website

#2 @pento
6 years ago

  • Keywords needs-patch removed
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Severity changed from major to trivial
  • Status changed from new to closed
  • Version 4.9.6 deleted

Per the discussion on #42428, WordPress is not using the canvas image data for fingerprinting, it's simply used to detect whether the browser is able to render emoji correctly. Unfortunately, there don't appear to be any APIs available that can give us similarly useful information.

Should browsers implement an alternative API we can use for this purpose, I'd be more than happy to switch to it. Until then, you should know that conflating legitimate use of the canvas image data API with fingerprinting, using overly hyperbolic language to describe the behaviour, as well as fear-mongering over imaginary GDPR violations, don't really make a convincing argument.

Note: See TracTickets for help on using tickets.