Does Tor Browser get a unique fingerprint with JavaScript, even if HTML5 Canvas data is blocked (amiunique.org)?

Question

Tor Browser settings

Security slider is on "Safest"
JavaScript is enabled (otherwise no Canvas fingerprint possible by site)
"Extract Canvas Data" is blocked:

Issue

amiunique.org still shows me a unique Canvas fingerprint:

Question

Do I need to assume, that a website with modern, advanced tracking techniques (e.g. Google) will be able to create a unique Canvas fingerprint by enabled JavaScript, therefore mitigating anonymity of Tor Browser?

As a consequence, this would mean, disabling JavaScript is essential (more than I thought) for "sufficient" anonymity.

Optional: How is amiunique.org able to do this despite having blocked "Extract Canvas Data" ?

Last year Tor enabled a feature which returns randomized image data when a website attempts to extract an image from the canvas. This is better seen by looking at the image on https://browserleaks.com/canvas. Each time you refresh the webpage, the image should change. So the canvas is intentionally unique, but changes so that you cannot be tracked by it.

Added in: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/d66dab82a7b9ae8012158aa1d78023a53f4b26f8

Bug 1621433 - In RFP mode, turn canvas image extraction into a random 'poison pill' for fingerprinters r=tjr,jrmuizel

In RFP mode, canvas image extraction leads to an all-white image, replace that with a random (sample 32 bytes of randomness and fill the buffer with that) 'poison pill'. This helps defeat naive fingerprinters by producing a random image on every try. This feature is toggled using a new, default on, pref privacy.resistFingerprinting.randomDataOnCanvasExtract.

Does Tor Browser get a unique fingerprint with JavaScript, even if HTML5 Canvas data is blocked (amiunique.org)?

Tor Browser settings

Issue

Question

Related

1 Answers1