Canvas Fingerprinting
What is Canvas Fingerprinting?
Canvas FingerprintingA browser-fingerprinting technique that exploits subtle GPU and font rendering differences when drawing on an HTML canvas to identify a device.
Canvas fingerprinting asks the browser to render a hidden HTML5 canvas containing text, shapes, or emojis and then hashes the resulting pixel buffer. Because GPU, driver, OS font rasterizer, and anti-aliasing settings produce slightly different output on each device, the hash acts as a stable identifier without storing any cookie. The technique was popularized in 2014 by Princeton's research on tracking scripts and quickly became standard in commercial tracker stacks. Defences include disabling canvas readback for third-party origins, returning randomized pixel noise (Brave, Firefox), warning prompts before canvas.toDataURL access, and the uniform rendering pipeline of the Tor Browser.
● Examples
- 01
AddThis widgets rendering a hidden canvas string in 2014 to identify visitors across publishers.
- 02
An ad SDK calling toDataURL on a styled text canvas and hashing the bytes as a stable ID.
● Frequently asked questions
What is Canvas Fingerprinting?
A browser-fingerprinting technique that exploits subtle GPU and font rendering differences when drawing on an HTML canvas to identify a device. It belongs to the Privacy & Data Protection category of cybersecurity.
What does Canvas Fingerprinting mean?
A browser-fingerprinting technique that exploits subtle GPU and font rendering differences when drawing on an HTML canvas to identify a device.
How does Canvas Fingerprinting work?
Canvas fingerprinting asks the browser to render a hidden HTML5 canvas containing text, shapes, or emojis and then hashes the resulting pixel buffer. Because GPU, driver, OS font rasterizer, and anti-aliasing settings produce slightly different output on each device, the hash acts as a stable identifier without storing any cookie. The technique was popularized in 2014 by Princeton's research on tracking scripts and quickly became standard in commercial tracker stacks. Defences include disabling canvas readback for third-party origins, returning randomized pixel noise (Brave, Firefox), warning prompts before canvas.toDataURL access, and the uniform rendering pipeline of the Tor Browser.
How do you defend against Canvas Fingerprinting?
Defences for Canvas Fingerprinting typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Canvas Fingerprinting?
Common alternative names include: HTML5 canvas tracking, Canvas hash fingerprinting.
● Related terms
- privacy№ 127
Browser Fingerprinting
A stateless tracking technique that identifies a user by combining browser, device, and configuration attributes into a near-unique signature.
- privacy№ 241
Cross-Site Tracking
The practice of linking a user's activity across multiple unrelated websites to build a long-lived behavioural profile.
- privacy№ 1115
Supercookie
A persistent tracking identifier stored outside normal cookie storage, designed to survive cookie clearing and private-browsing mode.
- privacy№ 1143
Third-Party Cookie
A cookie set by a domain different from the one in the browser's address bar, historically used to track users across websites.