Note that the bot detection script uses WebGL to obtain GPU name. I assume this (fingerprinting) is the most popular use of WebGL. Sad that independent browsers like Firefox do not supply fake values.
Sadly, spoofing GPU vendor & renderer can be an even larger flag since they can hash the resulting image of the canvas to compare it with a database of collected fingerprints[0]
Apple does it because they don’t have a vested financial interest in internet-wide tracking.
Google does.
And while Mozilla does too because the vast majority of their funding comes from Google, it’s more pertinent that they don’t have the market share to pull this off. Firefox would just stop working on major websites if they did this.
Doesn't that just move the goal post though? Instead of using your GPU vendor for the fingerprint they can just hash the output canvas after they a bunch of odd rendering calls, getting a hash from the quirks of your graphics driver and GPU hardware.
IMO the use of <canvas> needs to be behind a permission prompt, the same as e.g. geolocation or WebRTC. Few websites actually need canvas/WebGL for legitimate purposes.
This would break way too many websites to be feasible. And if implemented, would be something requested on so many sites that users would learn to automatically say yes which would weaken the power of permission prompts in general.
For example, almost every major Japanese book/comic site uses canvas in their e-reader
The best solution would be if canvas only allowed displaying pixels on the page but not drawing (meaning you need to bring your own drawing library) so that it would be unusable for fingerprinting.
[0]: https://research.google/pubs/picasso-lightweight-device-clas...