Canvas is an HTML5 API that is used to draw graphics and animations on a web page via scripting in JavaScript.

But apart from this, the canvas can be used as additional entropy in the web browser's fingerprinting and used for online tracking purposes.

The technique is based on the fact that the same canvas image may be rendered differently in different computers. This happens for several reasons. At the image format level – web browsers use different image processing engines, image export options, compression level, the final images may get different checksum even if they are pixel-identical. At the system level – operating systems have different fonts, they use different algorithms and settings for anti-aliasing and sub-pixel rendering.

This is the first in the wild PoC of the Canvas Fingerprinting. Below you can see if the Canvas is supported in your web browser and check whether this technique can keep track of you. In addition, a little continuing research will show how really unique and persistent Canvas Fingerprint in real life, and whether your signature in the BrowserLeaks database (nothing is collected right here!).

JavaScript Disabled

Canvas Support in Your Browser Canvas (basic support) ? Text API for Canvas ? Canvas toDataURL ? Database Summary Unique User-Agents 528769 Unique Fingerprints 13830 Your Fingerprint Signature n/a Uniqueness n/a

Image File Details File Size Number of Colors PNG Hash PNG Headers Chunk Length CRC Content

Browser Statistics Looking at your signature, it's very likely that your web browser is Web Browser and your operating system is Operating System .

Browser Detection via Canvas is very rude and nominal, based just on parsing User-Agents. Don't be surprised if your signature refers to Windows as well as Android (for example). It does not happen. Just someone used UA-spoofing or device emulation on a websites, which is collecting the database. We could use more accurate sources of data (TCP/Flash/etc) to compile more reliable correlation between Canvas Fingerprint and Browser/OS, just it was not a main goal, also it would require further action from webmasters who agreed to put our code to collect data on their websites.