Consider improving canvas fingerprinting detection heuristic #822

Closed
tildelowengrimm opened this issue Aug 24, 2018 · 2 comments
Labels
feature/shields/fingerprint: The fingerprinting (aka: "device recognition") protection provided in Shields
feature/shields: The overall Shields feature in Brave.
priority/P5: Not scheduled. Don't anticipate work on this any time soon.
privacy

Comments

@tildelowengrimm
Contributor

http://randomwalker.info/publications/OpenWPM_1_million_site_tracking_measurement.pdf gives a canvas fingerprinting heuristic that has a much lower false positive rate than our current one:

We filter scripts according to the following criteria:

  1. The canvas element’s height and width properties must not be set below 16 px.
  2. Text must be written to canvas with at least two colors or at least 10 distinct characters.
  3. The script should not call the save, restore, or addEventListener methods of the rendering context.
  4. The script extracts an image with toDataURL or with a single call to getImageData that specifies an area with a minimum size of 16px × 16px.

And for canvas font detection:

the script sets the font property to at least 50 distinct, valid values and also calls the measureText method at least 50 times on the same text string.

However, perhaps it makes sense for us to use a more strict detection method with a higher false positive rate, since we are trying to defend against fingerprinting attacks on real people (not merely detect it for the purpose of a study). If it turns out that our false positive rate is too high and causing sites to be unusable, we could fall back to the heuristics above.

@tildelowengrimm tildelowengrimm added privacy feature/shields/fingerprint The fingerprinting (aka: "device recognition") protection provided in Shields labels Aug 24, 2018
@tildelowengrimm tildelowengrimm added this to the Backlog milestone Aug 24, 2018
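
The four canvas criteria and the font-probing rule quoted in the first comment, applied to a recorded per-script trace of canvas API calls. This is an added example, not code from the OpenWPM paper, Brave, or anyone in this thread; the trace format and the names `setProp`, `call`, `isCanvasFingerprinting` and `isCanvasFontProbing` are assumptions made for illustration.

```javascript
// Added example. The trace format ({kind, name, value, args, style}) is an
// assumption for illustration; it is not OpenWPM's or Brave's own format.
const MIN_PX = 16;
function isCanvasFingerprinting(trace) {
  const colors = new Set(), chars = new Set();
  let extracted = false;
  for (const ev of trace) {
    if (ev.kind === 'set') {
      // Criterion 1: width/height never set below 16 px.
      if (['width', 'height'].includes(ev.name) && Number(ev.value) < MIN_PX) return false;
    } else if (['save', 'restore', 'addEventListener'].includes(ev.name)) {
      return false;                                  // criterion 3
    } else if (ev.name === 'fillText' || ev.name === 'strokeText') {
      colors.add(String(ev.style).toLowerCase());    // fill/stroke style at call time
      for (const ch of String(ev.args[0])) chars.add(ch);
    } else if (ev.name === 'toDataURL') {
      extracted = true;                              // criterion 4
    } else if (ev.name === 'getImageData') {
      // Read here as: one call must itself cover at least 16 x 16 px.
      if (ev.args[2] >= MIN_PX && ev.args[3] >= MIN_PX) extracted = true;
    }
  }
  // Criterion 2: text written in >= 2 colors or with >= 10 distinct characters.
  return extracted && (colors.size >= 2 || chars.size >= 10);
}

function isCanvasFontProbing(trace) {
  // Assumes the trace logs only font values the browser accepted as valid.
  const fonts = new Set(), measured = new Map();
  for (const ev of trace) {
    if (ev.kind === 'set' && ev.name === 'font') fonts.add(ev.value);
    if (ev.kind === 'call' && ev.name === 'measureText') {
      measured.set(ev.args[0], (measured.get(ev.args[0]) || 0) + 1);
    }
  }
  return fonts.size >= 50 && Math.max(0, ...measured.values()) >= 50;
}

// Constructed traces (not captured from any real site).
const setProp = (name, value) => ({kind: 'set', name, value});
const call = (name, args, style) => ({kind: 'call', name, args, style});
const textTrace = [setProp('width', 240), setProp('height', 60),
  call('fillText', ['Sample text 123', 2, 15], '#f60'),
  call('fillText', ['Sample text 123', 4, 17], '#069'), call('toDataURL', [])];
// Image crop/export: draws an image, writes no text, so criterion 2 fails.
const cropTrace = [setProp('width', 200), setProp('height', 200),
  call('drawImage', ['<img>', 0, 0]), call('toDataURL', ['image/png'])];
const fontTrace = Array.from({length: 50}, (_, i) =>
  [setProp('font', `12px Font${i}`), call('measureText', ['mmmmmmmmmmlli'])]).flat();
```
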
@thenatsky

An example of a false positive:

Using cropper.js to manipulate a smallish user-uploaded image gets hijacked.

var croppedImg = cropper.getCroppedCanvas({width: 200, height: 200, fillColor: alpha}).toDataURL(pic_type);

The bit "cropper.getCroppedCanvas({width: 200, height: 200, fillColor: alpha})." gets replaced by a null function.

Hope the example helps when testing this fix.

@bbondy bbondy added the feature/shields The overall Shields feature in Brave. label Oct 31, 2018
@tildelowengrimm tildelowengrimm added the priority/P5 Not scheduled. Don't anticipate work on this any time soon. label Oct 31, 2018
@tildelowengrimm tildelowengrimm added feature/shields/fingerprint The fingerprinting (aka: "device recognition") protection provided in Shields and removed feature/shields/fingerprint The fingerprinting (aka: "device recognition") protection provided in Shields labels Nov 2, 2018
@rebron rebron modified the milestone: 1.x Backlog Feb 7, 2019
@pes10k
Contributor

pes10k commented Jul 23, 2020

closing and addressed by #9186

@pes10k pes10k closed this as completed Jul 23, 2020
@pes10k pes10k added this to the 1.10.x - Release Placeholder milestone Jul 24, 2020
5 participants