We claim that the results of farbled APIs depend on session hash. I realised that during farbling, the wrappers used to call a common PRNG which means that the obtained pseudorandom numbers depended on the order of the call. So enabling or disabling the API resulted in changed wrapped APIs and changed fingerprint without the change to the domain and session key.

I fixed this in 249e002.

During the work I also noticed that images are farbled the same way. I created a test page with a 5x2 canvas https://www.fit.vutbr.cz/~ipolcak/jsr/farbling/canvas.html (currently I fill the canvas with the same colour; twice black, white, gray and almost black). See the attached images.

• Brave farbles different colours and pixels in each image. The same image is farbled the same way.
• We farble all images the same way so it is easy to remove the farbling. Additionally, we always farble only one channel.

Proposed solution:

• Farble all channels.
• Farble according to PRNG initialised with domainHash and the original image.

Hence the same image will be repeatedly farbled the same way. Different images will have different pixels farbled.

We need to go through all farbled APIs and make sure that the implementation really make sense.