Adding upstream version 124.0.1.upstream/124.0.1

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 2137 insertions, 0 deletions

diff --git a/toolkit/components/resistfingerprinting/nsRFPService.cpp b/toolkit/components/resistfingerprinting/nsRFPService.cpp
new file mode 100644
index 0000000000..8579fe2a3b
--- /dev/null
+++ b/toolkit/components/resistfingerprinting/nsRFPService.cpp
@@ -0,0 +1,2137 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsRFPService.h"
+
+#include <algorithm>
+#include <cfloat>
+#include <cinttypes>
+#include <cmath>
+#include <cstdlib>
+#include <cstring>
+#include <ctime>
+#include <new>
+#include <type_traits>
+#include <utility>
+
+#include "MainThreadUtils.h"
+#include "ScopedNSSTypes.h"
+
+#include "mozilla/ArrayIterator.h"
+#include "mozilla/Assertions.h"
+#include "mozilla/Atomics.h"
+#include "mozilla/Casting.h"
+#include "mozilla/ClearOnShutdown.h"
+#include "mozilla/ContentBlockingNotifier.h"
+#include "mozilla/glean/GleanMetrics.h"
+#include "mozilla/HashFunctions.h"
+#include "mozilla/HelperMacros.h"
+#include "mozilla/Likely.h"
+#include "mozilla/Logging.h"
+#include "mozilla/MacroForEach.h"
+#include "mozilla/OriginAttributes.h"
+#include "mozilla/Preferences.h"
+#include "mozilla/RefPtr.h"
+#include "mozilla/Services.h"
+#include "mozilla/Sprintf.h"
+#include "mozilla/StaticPrefs_javascript.h"
+#include "mozilla/StaticPrefs_privacy.h"
+#include "mozilla/StaticPtr.h"
+#include "mozilla/TextEvents.h"
+#include "mozilla/dom/BrowsingContext.h"
+#include "mozilla/dom/CanvasRenderingContextHelper.h"
+#include "mozilla/dom/CanonicalBrowsingContext.h"
+#include "mozilla/dom/Document.h"
+#include "mozilla/dom/Element.h"
+#include "mozilla/dom/KeyboardEventBinding.h"
+#include "mozilla/dom/WindowGlobalParent.h"
+#include "mozilla/fallible.h"
+#include "mozilla/XorShift128PlusRNG.h"
+
+#include "nsAboutProtocolUtils.h"
+#include "nsBaseHashtable.h"
+#include "nsComponentManagerUtils.h"
+#include "nsCOMPtr.h"
+#include "nsContentUtils.h"
+#include "nsCoord.h"
+#include "nsTHashMap.h"
+#include "nsDebug.h"
+#include "nsEffectiveTLDService.h"
+#include "nsError.h"
+#include "nsHashKeys.h"
+#include "nsJSUtils.h"
+#include "nsLiteralString.h"
+#include "nsPrintfCString.h"
+#include "nsServiceManagerUtils.h"
+#include "nsString.h"
+#include "nsStringFlags.h"
+#include "nsTArray.h"
+#include "nsTLiteralString.h"
+#include "nsTPromiseFlatString.h"
+#include "nsTStringRepr.h"
+#include "nsXPCOM.h"
+
+#include "nsICookieJarSettings.h"
+#include "nsICryptoHash.h"
+#include "nsIGlobalObject.h"
+#include "nsILoadInfo.h"
+#include "nsIObserverService.h"
+#include "nsIRandomGenerator.h"
+#include "nsIScriptSecurityManager.h"
+#include "nsIUserIdleService.h"
+#include "nsIWebProgressListener.h"
+#include "nsIXULAppInfo.h"
+
+#include "nscore.h"
+#include "prenv.h"
+#include "prtime.h"
+#include "xpcpublic.h"
+
+#include "js/Date.h"
+
+using namespace mozilla;
+
+static mozilla::LazyLogModule gResistFingerprintingLog(
+    "nsResistFingerprinting");
+
+static mozilla::LazyLogModule gFingerprinterDetection("FingerprinterDetection");
+
+#define RESIST_FINGERPRINTINGPROTECTION_OVERRIDE_PREF \
+  "privacy.fingerprintingProtection.overrides"
+#define RFP_TIMER_UNCONDITIONAL_VALUE 20
+#define LAST_PB_SESSION_EXITED_TOPIC "last-pb-context-exited"
+
+static constexpr uint32_t kVideoFramesPerSec = 30;
+static constexpr uint32_t kVideoDroppedRatio = 5;
+
+#define RFP_DEFAULT_SPOOFING_KEYBOARD_LANG KeyboardLang::EN
+#define RFP_DEFAULT_SPOOFING_KEYBOARD_REGION KeyboardRegion::US
+
+#define FP_OVERRIDES_DOMAIN_KEY_DELIMITER ','
+
+// Fingerprinting protections that are enabled by default. This can be
+// overridden using the privacy.fingerprintingProtection.overrides pref.
+#if defined(MOZ_WIDGET_ANDROID)
+const RFPTarget kDefaultFingerprintingProtections =
+    RFPTarget::CanvasRandomization;
+#else
+const RFPTarget kDefaultFingerprintingProtections =
+    RFPTarget::CanvasRandomization | RFPTarget::FontVisibilityLangPack;
+#endif
+
+static constexpr uint32_t kSuspiciousFingerprintingActivityThreshold = 1;
+
+// ============================================================================
+// ============================================================================
+// ============================================================================
+// Structural Stuff & Pref Observing
+
+NS_IMPL_ISUPPORTS(nsRFPService, nsIObserver, nsIRFPService)
+
+static StaticRefPtr<nsRFPService> sRFPService;
+static bool sInitialized = false;
+
+// Actually enabled fingerprinting protections.
+static Atomic<RFPTarget> sEnabledFingerprintingProtections;
+
+/* static */
+already_AddRefed<nsRFPService> nsRFPService::GetOrCreate() {
+  if (!sInitialized) {
+    sRFPService = new nsRFPService();
+    nsresult rv = sRFPService->Init();
+
+    if (NS_FAILED(rv)) {
+      sRFPService = nullptr;
+      return nullptr;
+    }
+
+    ClearOnShutdown(&sRFPService);
+    sInitialized = true;
+  }
+
+  return do_AddRef(sRFPService);
+}
+
+static const char* gCallbackPrefs[] = {
+    RESIST_FINGERPRINTINGPROTECTION_OVERRIDE_PREF,
+    nullptr,
+};
+
+nsresult nsRFPService::Init() {
+  MOZ_ASSERT(NS_IsMainThread());
+
+  nsresult rv;
+
+  nsCOMPtr<nsIObserverService> obs = mozilla::services::GetObserverService();
+  NS_ENSURE_TRUE(obs, NS_ERROR_NOT_AVAILABLE);
+
+  rv = obs->AddObserver(this, NS_XPCOM_SHUTDOWN_OBSERVER_ID, false);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  if (XRE_IsParentProcess()) {
+    rv = obs->AddObserver(this, LAST_PB_SESSION_EXITED_TOPIC, false);
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    rv = obs->AddObserver(this, OBSERVER_TOPIC_IDLE_DAILY, false);
+    NS_ENSURE_SUCCESS(rv, rv);
+  }
+
+  Preferences::RegisterCallbacks(nsRFPService::PrefChanged, gCallbackPrefs,
+                                 this);
+
+  JS::SetReduceMicrosecondTimePrecisionCallback(
+      nsRFPService::ReduceTimePrecisionAsUSecsWrapper);
+
+  // Called from here to get the initial list of enabled fingerprinting
+  // protections.
+  UpdateFPPOverrideList();
+
+  return rv;
+}
+
+/* static */
+bool nsRFPService::IsRFPPrefEnabled(bool aIsPrivateMode) {
+  if (StaticPrefs::privacy_resistFingerprinting_DoNotUseDirectly() ||
+      (aIsPrivateMode &&
+       StaticPrefs::privacy_resistFingerprinting_pbmode_DoNotUseDirectly())) {
+    return true;
+  }
+  return false;
+}
+
+/* static */
+bool nsRFPService::IsRFPEnabledFor(
+    bool aIsPrivateMode, RFPTarget aTarget,
+    const Maybe<RFPTarget>& aOverriddenFingerprintingSettings) {
+  MOZ_ASSERT(aTarget != RFPTarget::AllTargets);
+
+  if (StaticPrefs::privacy_resistFingerprinting_DoNotUseDirectly() ||
+      (aIsPrivateMode &&
+       StaticPrefs::privacy_resistFingerprinting_pbmode_DoNotUseDirectly())) {
+    if (aTarget == RFPTarget::JSLocale) {
+      return StaticPrefs::privacy_spoof_english() == 2;
+    }
+    return true;
+  }
+
+  if (StaticPrefs::privacy_fingerprintingProtection_DoNotUseDirectly() ||
+      (aIsPrivateMode &&
+       StaticPrefs::
+           privacy_fingerprintingProtection_pbmode_DoNotUseDirectly())) {
+    if (aTarget == RFPTarget::IsAlwaysEnabledForPrecompute) {
+      return true;
+    }
+
+    if (aOverriddenFingerprintingSettings) {
+      return bool(aOverriddenFingerprintingSettings.ref() & aTarget);
+    }
+
+    return bool(sEnabledFingerprintingProtections & aTarget);
+  }
+
+  return false;
+}
+
+void nsRFPService::UpdateFPPOverrideList() {
+  nsAutoString targetOverrides;
+  nsresult rv = Preferences::GetString(
+      RESIST_FINGERPRINTINGPROTECTION_OVERRIDE_PREF, targetOverrides);
+  if (NS_WARN_IF(NS_FAILED(rv))) {
+    MOZ_LOG(gResistFingerprintingLog, LogLevel::Warning,
+            ("Could not get fingerprinting override pref value"));
+    return;
+  }
+
+  RFPTarget enabled = CreateOverridesFromText(
+      targetOverrides, kDefaultFingerprintingProtections);
+
+  sEnabledFingerprintingProtections = enabled;
+}
+
+/* static */
+Maybe<RFPTarget> nsRFPService::TextToRFPTarget(const nsAString& aText) {
+#define ITEM_VALUE(name, value)     \
+  if (aText.EqualsLiteral(#name)) { \
+    return Some(RFPTarget::name);   \
+  }
+
+#include "RFPTargets.inc"
+#undef ITEM_VALUE
+
+  return Nothing();
+}
+
+void nsRFPService::StartShutdown() {
+  MOZ_ASSERT(NS_IsMainThread());
+
+  nsCOMPtr<nsIObserverService> obs = mozilla::services::GetObserverService();
+
+  if (obs) {
+    obs->RemoveObserver(this, NS_XPCOM_SHUTDOWN_OBSERVER_ID);
+    if (XRE_IsParentProcess()) {
+      obs->RemoveObserver(this, LAST_PB_SESSION_EXITED_TOPIC);
+      obs->RemoveObserver(this, OBSERVER_TOPIC_IDLE_DAILY);
+    }
+  }
+
+  if (mWebCompatService) {
+    mWebCompatService->Shutdown();
+  }
+
+  Preferences::UnregisterCallbacks(nsRFPService::PrefChanged, gCallbackPrefs,
+                                   this);
+}
+
+// static
+void nsRFPService::PrefChanged(const char* aPref, void* aSelf) {
+  static_cast<nsRFPService*>(aSelf)->PrefChanged(aPref);
+}
+
+void nsRFPService::PrefChanged(const char* aPref) {
+  nsDependentCString pref(aPref);
+
+  if (pref.EqualsLiteral(RESIST_FINGERPRINTINGPROTECTION_OVERRIDE_PREF)) {
+    UpdateFPPOverrideList();
+  }
+}
+
+NS_IMETHODIMP
+nsRFPService::Observe(nsISupports* aObject, const char* aTopic,
+                      const char16_t* aMessage) {
+  if (strcmp(NS_XPCOM_SHUTDOWN_OBSERVER_ID, aTopic) == 0) {
+    StartShutdown();
+  }
+
+  if (strcmp(LAST_PB_SESSION_EXITED_TOPIC, aTopic) == 0) {
+    // Clear the private session key when the private session ends so that we
+    // can generate a new key for the new private session.
+    OriginAttributesPattern pattern;
+    pattern.mPrivateBrowsingId.Construct(1);
+    ClearBrowsingSessionKey(pattern);
+  }
+
+  if (!strcmp(OBSERVER_TOPIC_IDLE_DAILY, aTopic)) {
+    if (StaticPrefs::
+            privacy_resistFingerprinting_randomization_daily_reset_enabled()) {
+      OriginAttributesPattern pattern;
+      pattern.mPrivateBrowsingId.Construct(
+          nsIScriptSecurityManager::DEFAULT_PRIVATE_BROWSING_ID);
+      ClearBrowsingSessionKey(pattern);
+    }
+
+    if (StaticPrefs::
+            privacy_resistFingerprinting_randomization_daily_reset_private_enabled()) {
+      OriginAttributesPattern pattern;
+      pattern.mPrivateBrowsingId.Construct(1);
+      ClearBrowsingSessionKey(pattern);
+    }
+  }
+
+  if (nsCRT::strcmp(aTopic, "profile-after-change") == 0 &&
+      XRE_IsParentProcess()) {
+    // Get the singleton of the remote override service if we are in the parent
+    // process.
+    nsresult rv;
+    mWebCompatService =
+        do_GetService(NS_FINGERPRINTINGWEBCOMPATSERVICE_CONTRACTID, &rv);
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    rv = mWebCompatService->Init();
+    NS_ENSURE_SUCCESS(rv, rv);
+  }
+
+  return NS_OK;
+}
+
+// ============================================================================
+// ============================================================================
+// ============================================================================
+// Reduce Timer Precision Stuff
+
+constexpr double RFP_TIME_ATOM_MS = 16.667;  // 60Hz, 1000/60 but rounded.
+/*
+In RFP RAF always runs at 60Hz, so we're ~0.02% off of 1000/60 here.
+```js
+extra_frames_per_frame = 16.667 / (1000/60) - 1 // 0.00028
+sec_per_extra_frame = 1 / (extra_frames_per_frame * 60) // 833.33
+min_per_extra_frame = sec_per_extra_frame / 60 // 13.89
+```
+We expect an extra frame every ~14 minutes, which is enough to be smooth.
+16.67 would be ~1.4 minutes, which is OK, but is more noticable.
+Put another way, if this is the only unacceptable hitch you have across 14
+minutes, I'm impressed, and we might revisit this.
+*/
+
+/* static */
+double nsRFPService::TimerResolution(RTPCallerType aRTPCallerType) {
+  double prefValue = StaticPrefs::
+      privacy_resistFingerprinting_reduceTimerPrecision_microseconds();
+  if (aRTPCallerType == RTPCallerType::ResistFingerprinting) {
+    return std::max(RFP_TIME_ATOM_MS * 1000.0, prefValue);
+  }
+  return prefValue;
+}
+
+/**
+ * The purpose of this function is to deterministicly generate a random midpoint
+ * between a lower clamped value and an upper clamped value. Assuming a clamping
+ * resolution of 100, here is an example:
+ *
+ * |---------------------------------------|--------------------------|
+ * lower clamped value (e.g. 300)          |           upper clamped value (400)
+ *                              random midpoint (e.g. 360)
+ *
+ * If our actual timestamp (e.g. 325) is below the midpoint, we keep it clamped
+ * downwards. If it were equal to or above the midpoint (e.g. 365) we would
+ * round it upwards to the largest clamped value (in this example: 400).
+ *
+ * The question is: does time go backwards?
+ *
+ * The midpoint is deterministicly random and generated from three components:
+ * a secret seed, a per-timeline (context) 'mix-in', and a clamped time.
+ *
+ * When comparing times across different seed values: time may go backwards.
+ * For a clamped time of 300, one seed may generate a midpoint of 305 and
+ * another 395. So comparing an (actual) timestamp of 325 and 351 could see the
+ * 325 clamped up to 400 and the 351 clamped down to 300. The seed is
+ * per-process, so this case occurs when one can compare timestamps
+ * cross-process. This is uncommon (because we don't have site isolation.) The
+ * circumstances this could occur are BroadcastChannel, Storage Notification,
+ * and in theory (but not yet implemented) SharedWorker. This should be an
+ * exhaustive list (at time of comment writing!).
+ *
+ * Aside from cross-process communication, derived timestamps across different
+ * time origins may go backwards. (Specifically, derived means adding two
+ * timestamps together to get an (approximate) absolute time.)
+ * Assume a page and a worker. If one calls performance.now() in the page and
+ * then triggers a call to performance.now() in the worker, the following
+ * invariant should hold true:
+ *             page.performance.timeOrigin + page.performance.now() <
+ *                      worker.performance.timeOrigin + worker.performance.now()
+ *
+ * We break this invariant.
+ *
+ * The 'Context Mix-in' is a securely generated random seed that is unique for
+ * each timeline that starts over at zero. It is needed to ensure that the
+ * sequence of midpoints (as calculated by the secret seed and clamped time)
+ * does not repeat. In RelativeTimeline.h, we define a 'RelativeTimeline' class
+ * that can be inherited by any object that has a relative timeline. The most
+ * obvious examples are Documents and Workers. An attacker could let time go
+ * forward and observe (roughly) where the random midpoints fall. Then they
+ * create a new object, time starts back over at zero, and they know
+ * (approximately) where the random midpoints are.
+ *
+ * When the timestamp given is a non-relative timestamp (e.g. it is relative to
+ * the unix epoch) it is not possible to replay a sequence of random values.
+ * Thus, providing a zero context pointer is an indicator that the timestamp
+ * given is absolute and does not need any additional randomness.
+ *
+ * @param aClampedTimeUSec [in]  The clamped input time in microseconds.
+ * @param aResolutionUSec  [in]  The current resolution for clamping in
+ *                               microseconds.
+ * @param aMidpointOut     [out] The midpoint, in microseconds, between [0,
+ *                               aResolutionUSec].
+ * @param aContextMixin    [in]  An opaque random value for relative
+ *                               timestamps. 0 for absolute timestamps
+ * @param aSecretSeed      [in]  TESTING ONLY. When provided, the current seed
+ *                               will be replaced with this value.
+ * @return                 A nsresult indicating success of failure. If the
+ *                         function failed, nothing is written to aMidpointOut
+ */
+
+/* static */
+nsresult nsRFPService::RandomMidpoint(long long aClampedTimeUSec,
+                                      long long aResolutionUSec,
+                                      int64_t aContextMixin,
+                                      long long* aMidpointOut,
+                                      uint8_t* aSecretSeed /* = nullptr */) {
+  nsresult rv;
+  const int kSeedSize = 16;
+  static Atomic<uint8_t*> sSecretMidpointSeed;
+
+  if (MOZ_UNLIKELY(!aMidpointOut)) {
+    return NS_ERROR_INVALID_ARG;
+  }
+
+  /*
+   * Below, we will use three different values to seed a fairly simple random
+   * number generator. On the first run we initiate the secret seed, which
+   * is mixed in with the time epoch and the context mix in to seed the RNG.
+   *
+   * This isn't the most secure method of generating a random midpoint but is
+   * reasonably performant and should be sufficient for our purposes.
+   */
+
+  // If we don't have a seed, we need to get one.
+  if (MOZ_UNLIKELY(!sSecretMidpointSeed)) {
+    nsCOMPtr<nsIRandomGenerator> randomGenerator =
+        do_GetService("@mozilla.org/security/random-generator;1", &rv);
+    if (NS_WARN_IF(NS_FAILED(rv))) {
+      return rv;
+    }
+
+    uint8_t* temp = nullptr;
+    rv = randomGenerator->GenerateRandomBytes(kSeedSize, &temp);
+    if (NS_WARN_IF(NS_FAILED(rv))) {
+      return rv;
+    }
+    if (MOZ_UNLIKELY(!sSecretMidpointSeed.compareExchange(nullptr, temp))) {
+      // Some other thread initted this first, never mind!
+      free(temp);
+    }
+  }
+
+  // sSecretMidpointSeed is now set, and invariant. The contents of the buffer
+  // it points to is also invariant, _unless_ this function is called with a
+  // non-null |aSecretSeed|.
+  uint8_t* seed = sSecretMidpointSeed;
+  MOZ_RELEASE_ASSERT(seed);
+
+  // If someone has passed in the testing-only parameter, replace our seed with
+  // it. We do _not_ re-allocate the buffer, since that can lead to UAF below.
+  // The math could still be racy if the caller supplies a new secret seed while
+  // some other thread is calling this function, but since this is arcane
+  // test-only functionality that is used in only one test-case presently, we
+  // put the burden of using this particular footgun properly on the test code.
+  if (MOZ_UNLIKELY(aSecretSeed != nullptr)) {
+    memcpy(seed, aSecretSeed, kSeedSize);
+  }
+
+  // Seed and create our random number generator.
+  non_crypto::XorShift128PlusRNG rng(aContextMixin ^ *(uint64_t*)(seed),
+                                     aClampedTimeUSec ^ *(uint64_t*)(seed + 8));
+
+  // Retrieve the output midpoint value.
+  if (MOZ_UNLIKELY(aResolutionUSec <= 0)) {  // ??? Bug 1718066
+    return NS_ERROR_FAILURE;
+  }
+  *aMidpointOut = rng.next() % aResolutionUSec;
+
+  return NS_OK;
+}
+
+/**
+ * Given a precision value, this function will reduce a given input time to the
+ * nearest multiple of that precision.
+ *
+ * It will check if it is appropriate to clamp the input time according to the
+ * values of the given TimerPrecisionType.  Note that if one desires a minimum
+ * precision for Resist Fingerprinting, it is the caller's responsibility to
+ * provide the correct value. This means you should pass TimerResolution(),
+ * which enforces a minimum value on the precision based on preferences.
+ *
+ * It ensures the given precision value is greater than zero, if it is not it
+ * returns the input time.
+ *
+ * While the correct thing to pass is TimerResolution() we expose it as an
+ * argument for testing purposes only.
+ *
+ * @param aTime           [in] The input time to be clamped.
+ * @param aTimeScale      [in] The units the input time is in (Seconds,
+ *                             Milliseconds, or Microseconds).
+ * @param aResolutionUSec [in] The precision (in microseconds) to clamp to.
+ * @param aContextMixin   [in] An opaque random value for relative timestamps.
+ *                             0 for absolute timestamps
+ * @return                 If clamping is appropriate, the clamped value of the
+ *                         input, otherwise the input.
+ */
+/* static */
+double nsRFPService::ReduceTimePrecisionImpl(double aTime, TimeScale aTimeScale,
+                                             double aResolutionUSec,
+                                             int64_t aContextMixin,
+                                             TimerPrecisionType aType) {
+  if (aType == TimerPrecisionType::DangerouslyNone) {
+    return aTime;
+  }
+
+  // This boolean will serve as a flag indicating we are clamping the time
+  // unconditionally. We do this when timer reduction preference is off; but we
+  // still want to apply 20us clamping to al timestamps to avoid leaking
+  // nano-second precision.
+  bool unconditionalClamping = false;
+  if (aType == UnconditionalAKAHighRes || aResolutionUSec <= 0) {
+    unconditionalClamping = true;
+    aResolutionUSec = RFP_TIMER_UNCONDITIONAL_VALUE;  // 20 microseconds
+    aContextMixin = 0;  // Just clarifies our logging statement at the end,
+                        // otherwise unused
+  }
+
+  // Increase the time as needed until it is in microseconds.
+  // Note that a double can hold up to 2**53 with integer precision. This gives
+  // us only until June 5, 2255 in time-since-the-epoch with integer precision.
+  // So we will be losing microseconds precision after that date.
+  // We think this is okay, and we codify it in some tests.
+  double timeScaled = aTime * (1000000 / aTimeScale);
+  // Cut off anything less than a microsecond.
+  long long timeAsInt = timeScaled;
+
+  // If we have a blank context mixin, this indicates we (should) have an
+  // absolute timestamp. We check the time, and if it less than a unix timestamp
+  // about 10 years in the past, we output to the log and, in debug builds,
+  // assert. This is an error case we want to understand and fix: we must have
+  // given a relative timestamp with a mixin of 0 which is incorrect. Anyone
+  // running a debug build _probably_ has an accurate clock, and if they don't,
+  // they'll hopefully find this message and understand why things are crashing.
+  const long long kFeb282008 = 1204233985000;
+  if (aContextMixin == 0 && timeAsInt < kFeb282008 && !unconditionalClamping &&
+      aType != TimerPrecisionType::RFP) {
+    nsAutoCString type;
+    TypeToText(aType, type);
+    MOZ_LOG(
+        gResistFingerprintingLog, LogLevel::Error,
+        ("About to assert. aTime=%lli<%lli aContextMixin=%" PRId64 " aType=%s",
+         timeAsInt, kFeb282008, aContextMixin, type.get()));
+    MOZ_ASSERT(
+        false,
+        "ReduceTimePrecisionImpl was given a relative time "
+        "with an empty context mix-in (or your clock is 10+ years off.) "
+        "Run this with MOZ_LOG=nsResistFingerprinting:1 to get more details.");
+  }
+
+  // Cast the resolution (in microseconds) to an int.
+  long long resolutionAsInt = aResolutionUSec;
+  // Perform the clamping.
+  // We do a cast back to double to perform the division with doubles, then
+  // floor the result and the rest occurs with integer precision. This is
+  // because it gives consistency above and below zero. Above zero, performing
+  // the division in integers truncates decimals, taking the result closer to
+  // zero (a floor). Below zero, performing the division in integers truncates
+  // decimals, taking the result closer to zero (a ceil). The impact of this is
+  // that comparing two clamped values that should be related by a constant
+  // (e.g. 10s) that are across the zero barrier will no longer work. We need to
+  // round consistently towards positive infinity or negative infinity (we chose
+  // negative.) This can't be done with a truncation, it must be done with
+  // floor.
+  long long clamped =
+      floor(double(timeAsInt) / resolutionAsInt) * resolutionAsInt;
+
+  long long midpoint = 0;
+  long long clampedAndJittered = clamped;
+  if (!unconditionalClamping &&
+      StaticPrefs::privacy_resistFingerprinting_reduceTimerPrecision_jitter()) {
+    if (!NS_FAILED(RandomMidpoint(clamped, resolutionAsInt, aContextMixin,
+                                  &midpoint)) &&
+        timeAsInt >= clamped + midpoint) {
+      clampedAndJittered += resolutionAsInt;
+    }
+  }
+
+  // Cast it back to a double and reduce it to the correct units.
+  double ret = double(clampedAndJittered) / (1000000.0 / double(aTimeScale));
+
+  MOZ_LOG(
+      gResistFingerprintingLog, LogLevel::Verbose,
+      ("Given: (%.*f, Scaled: %.*f, Converted: %lli), Rounding %s with (%lli, "
+       "Originally %.*f), "
+       "Intermediate: (%lli), Clamped: (%lli) Jitter: (%i Context: %" PRId64
+       " Midpoint: %lli) "
+       "Final: (%lli Converted: %.*f)",
+       DBL_DIG - 1, aTime, DBL_DIG - 1, timeScaled, timeAsInt,
+       (unconditionalClamping ? "unconditionally" : "normally"),
+       resolutionAsInt, DBL_DIG - 1, aResolutionUSec,
+       (long long)floor(double(timeAsInt) / resolutionAsInt), clamped,
+       StaticPrefs::privacy_resistFingerprinting_reduceTimerPrecision_jitter(),
+       aContextMixin, midpoint, clampedAndJittered, DBL_DIG - 1, ret));
+
+  return ret;
+}
+
+/* static */
+double nsRFPService::ReduceTimePrecisionAsUSecs(double aTime,
+                                                int64_t aContextMixin,
+                                                RTPCallerType aRTPCallerType) {
+  const auto type = GetTimerPrecisionType(aRTPCallerType);
+  return nsRFPService::ReduceTimePrecisionImpl(aTime, MicroSeconds,
+                                               TimerResolution(aRTPCallerType),
+                                               aContextMixin, type);
+}
+
+/* static */
+double nsRFPService::ReduceTimePrecisionAsMSecs(double aTime,
+                                                int64_t aContextMixin,
+                                                RTPCallerType aRTPCallerType) {
+  const auto type = GetTimerPrecisionType(aRTPCallerType);
+  return nsRFPService::ReduceTimePrecisionImpl(aTime, MilliSeconds,
+                                               TimerResolution(aRTPCallerType),
+                                               aContextMixin, type);
+}
+
+/* static */
+double nsRFPService::ReduceTimePrecisionAsMSecsRFPOnly(
+    double aTime, int64_t aContextMixin, RTPCallerType aRTPCallerType) {
+  return nsRFPService::ReduceTimePrecisionImpl(
+      aTime, MilliSeconds, TimerResolution(aRTPCallerType), aContextMixin,
+      GetTimerPrecisionTypeRFPOnly(aRTPCallerType));
+}
+
+/* static */
+double nsRFPService::ReduceTimePrecisionAsSecs(double aTime,
+                                               int64_t aContextMixin,
+                                               RTPCallerType aRTPCallerType) {
+  const auto type = GetTimerPrecisionType(aRTPCallerType);
+  return nsRFPService::ReduceTimePrecisionImpl(
+      aTime, Seconds, TimerResolution(aRTPCallerType), aContextMixin, type);
+}
+
+/* static */
+double nsRFPService::ReduceTimePrecisionAsSecsRFPOnly(
+    double aTime, int64_t aContextMixin, RTPCallerType aRTPCallerType) {
+  return nsRFPService::ReduceTimePrecisionImpl(
+      aTime, Seconds, TimerResolution(aRTPCallerType), aContextMixin,
+      GetTimerPrecisionTypeRFPOnly(aRTPCallerType));
+}
+
+/* static */
+double nsRFPService::ReduceTimePrecisionAsUSecsWrapper(
+    double aTime, JS::RTPCallerTypeToken aCallerType, JSContext* aCx) {
+  MOZ_ASSERT(aCx);
+
+#ifdef DEBUG
+  nsCOMPtr<nsIGlobalObject> global = xpc::CurrentNativeGlobal(aCx);
+  MOZ_ASSERT(global->GetRTPCallerType() == RTPCallerTypeFromToken(aCallerType));
+#endif
+
+  RTPCallerType callerType = RTPCallerTypeFromToken(aCallerType);
+  return nsRFPService::ReduceTimePrecisionImpl(
+      aTime, MicroSeconds, TimerResolution(callerType),
+      0, /* For absolute timestamps (all the JS engine does), supply zero
+            context mixin */
+      GetTimerPrecisionType(callerType));
+}
+
+/* static */
+TimerPrecisionType nsRFPService::GetTimerPrecisionType(
+    RTPCallerType aRTPCallerType) {
+  if (aRTPCallerType == RTPCallerType::SystemPrincipal) {
+    return DangerouslyNone;
+  }
+
+  if (aRTPCallerType == RTPCallerType::ResistFingerprinting) {
+    return RFP;
+  }
+
+  if (StaticPrefs::privacy_reduceTimerPrecision() &&
+      aRTPCallerType == RTPCallerType::CrossOriginIsolated) {
+    return UnconditionalAKAHighRes;
+  }
+
+  if (StaticPrefs::privacy_reduceTimerPrecision()) {
+    return Normal;
+  }
+
+  if (StaticPrefs::privacy_reduceTimerPrecision_unconditional()) {
+    return UnconditionalAKAHighRes;
+  }
+
+  return DangerouslyNone;
+}
+
+/* static */
+TimerPrecisionType nsRFPService::GetTimerPrecisionTypeRFPOnly(
+    RTPCallerType aRTPCallerType) {
+  if (aRTPCallerType == RTPCallerType::ResistFingerprinting) {
+    return RFP;
+  }
+
+  if (StaticPrefs::privacy_reduceTimerPrecision_unconditional() &&
+      aRTPCallerType != RTPCallerType::SystemPrincipal) {
+    return UnconditionalAKAHighRes;
+  }
+
+  return DangerouslyNone;
+}
+
+/* static */
+void nsRFPService::TypeToText(TimerPrecisionType aType, nsACString& aText) {
+  switch (aType) {
+    case TimerPrecisionType::DangerouslyNone:
+      aText.AssignLiteral("DangerouslyNone");
+      return;
+    case TimerPrecisionType::Normal:
+      aText.AssignLiteral("Normal");
+      return;
+    case TimerPrecisionType::RFP:
+      aText.AssignLiteral("RFP");
+      return;
+    case TimerPrecisionType::UnconditionalAKAHighRes:
+      aText.AssignLiteral("UnconditionalAKAHighRes");
+      return;
+    default:
+      MOZ_ASSERT(false, "Shouldn't go here");
+      aText.AssignLiteral("Unknown Enum Value");
+      return;
+  }
+}
+
+// ============================================================================
+// ============================================================================
+// ============================================================================
+// Video Statistics Spoofing
+
+/* static */
+uint32_t nsRFPService::CalculateTargetVideoResolution(uint32_t aVideoQuality) {
+  return aVideoQuality * NSToIntCeil(aVideoQuality * 16 / 9.0);
+}
+
+/* static */
+uint32_t nsRFPService::GetSpoofedTotalFrames(double aTime) {
+  double precision =
+      TimerResolution(RTPCallerType::ResistFingerprinting) / 1000 / 1000;
+  double time = floor(aTime / precision) * precision;
+
+  return NSToIntFloor(time * kVideoFramesPerSec);
+}
+
+/* static */
+uint32_t nsRFPService::GetSpoofedDroppedFrames(double aTime, uint32_t aWidth,
+                                               uint32_t aHeight) {
+  uint32_t targetRes = CalculateTargetVideoResolution(
+      StaticPrefs::privacy_resistFingerprinting_target_video_res());
+
+  // The video resolution is less than or equal to the target resolution, we
+  // report a zero dropped rate for this case.
+  if (targetRes >= aWidth * aHeight) {
+    return 0;
+  }
+
+  double precision =
+      TimerResolution(RTPCallerType::ResistFingerprinting) / 1000 / 1000;
+  double time = floor(aTime / precision) * precision;
+  // Bound the dropped ratio from 0 to 100.
+  uint32_t boundedDroppedRatio = std::min(kVideoDroppedRatio, 100U);
+
+  return NSToIntFloor(time * kVideoFramesPerSec *
+                      (boundedDroppedRatio / 100.0));
+}
+
+/* static */
+uint32_t nsRFPService::GetSpoofedPresentedFrames(double aTime, uint32_t aWidth,
+                                                 uint32_t aHeight) {
+  uint32_t targetRes = CalculateTargetVideoResolution(
+      StaticPrefs::privacy_resistFingerprinting_target_video_res());
+
+  // The target resolution is greater than the current resolution. For this
+  // case, there will be no dropped frames, so we report total frames directly.
+  if (targetRes >= aWidth * aHeight) {
+    return GetSpoofedTotalFrames(aTime);
+  }
+
+  double precision =
+      TimerResolution(RTPCallerType::ResistFingerprinting) / 1000 / 1000;
+  double time = floor(aTime / precision) * precision;
+  // Bound the dropped ratio from 0 to 100.
+  uint32_t boundedDroppedRatio = std::min(kVideoDroppedRatio, 100U);
+
+  return NSToIntFloor(time * kVideoFramesPerSec *
+                      ((100 - boundedDroppedRatio) / 100.0));
+}
+
+// ============================================================================
+// ============================================================================
+// ============================================================================
+// User-Agent/Version Stuff
+
+/* static */
+void nsRFPService::GetSpoofedUserAgent(nsACString& userAgent,
+                                       bool isForHTTPHeader) {
+  // This function generates the spoofed value of User Agent.
+  // We spoof the values of the platform and Firefox version, which could be
+  // used as fingerprinting sources to identify individuals.
+  // Reference of the format of User Agent:
+  // https://developer.mozilla.org/en-US/docs/Web/API/NavigatorID/userAgent
+  // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/User-Agent
+
+  // These magic numbers are the lengths of the UA string literals below.
+  // Assume three-digit Firefox version numbers so we have room to grow.
+  size_t preallocatedLength =
+      13 +
+      (isForHTTPHeader ? mozilla::ArrayLength(SPOOFED_HTTP_UA_OS)
+                       : mozilla::ArrayLength(SPOOFED_UA_OS)) -
+      1 + 5 + 3 + 10 + mozilla::ArrayLength(LEGACY_UA_GECKO_TRAIL) - 1 + 9 + 3 +
+      2;
+  userAgent.SetCapacity(preallocatedLength);
+
+  // "Mozilla/5.0 (%s; rv:%d.0) Gecko/%d Firefox/%d.0"
+  userAgent.AssignLiteral("Mozilla/5.0 (");
+
+  if (isForHTTPHeader) {
+    userAgent.AppendLiteral(SPOOFED_HTTP_UA_OS);
+  } else {
+    userAgent.AppendLiteral(SPOOFED_UA_OS);
+  }
+
+  userAgent.AppendLiteral("; rv:" MOZILLA_UAVERSION ") Gecko/");
+
+#if defined(ANDROID)
+  userAgent.AppendLiteral(MOZILLA_UAVERSION);
+#else
+  userAgent.AppendLiteral(LEGACY_UA_GECKO_TRAIL);
+#endif
+
+  userAgent.AppendLiteral(" Firefox/" MOZILLA_UAVERSION);
+
+  MOZ_ASSERT(userAgent.Length() <= preallocatedLength);
+}
+
+/* static */
+nsCString nsRFPService::GetSpoofedJSLocale() { return "en-US"_ns; }
+
+// ============================================================================
+// ============================================================================
+// ============================================================================
+// Keyboard Spoofing Stuff
+
+nsTHashMap<KeyboardHashKey, const SpoofingKeyboardCode*>*
+    nsRFPService::sSpoofingKeyboardCodes = nullptr;
+
+KeyboardHashKey::KeyboardHashKey(const KeyboardLangs aLang,
+                                 const KeyboardRegions aRegion,
+                                 const KeyNameIndexType aKeyIdx,
+                                 const nsAString& aKey)
+    : mLang(aLang), mRegion(aRegion), mKeyIdx(aKeyIdx), mKey(aKey) {}
+
+KeyboardHashKey::KeyboardHashKey(KeyTypePointer aOther)
+    : mLang(aOther->mLang),
+      mRegion(aOther->mRegion),
+      mKeyIdx(aOther->mKeyIdx),
+      mKey(aOther->mKey) {}
+
+KeyboardHashKey::KeyboardHashKey(KeyboardHashKey&& aOther) noexcept
+    : PLDHashEntryHdr(std::move(aOther)),
+      mLang(std::move(aOther.mLang)),
+      mRegion(std::move(aOther.mRegion)),
+      mKeyIdx(std::move(aOther.mKeyIdx)),
+      mKey(std::move(aOther.mKey)) {}
+
+KeyboardHashKey::~KeyboardHashKey() = default;
+
+bool KeyboardHashKey::KeyEquals(KeyTypePointer aOther) const {
+  return mLang == aOther->mLang && mRegion == aOther->mRegion &&
+         mKeyIdx == aOther->mKeyIdx && mKey == aOther->mKey;
+}
+
+KeyboardHashKey::KeyTypePointer KeyboardHashKey::KeyToPointer(KeyType aKey) {
+  return &aKey;
+}
+
+PLDHashNumber KeyboardHashKey::HashKey(KeyTypePointer aKey) {
+  PLDHashNumber hash = mozilla::HashString(aKey->mKey);
+  return mozilla::AddToHash(hash, aKey->mRegion, aKey->mKeyIdx, aKey->mLang);
+}
+
+/* static */
+void nsRFPService::MaybeCreateSpoofingKeyCodes(const KeyboardLangs aLang,
+                                               const KeyboardRegions aRegion) {
+  if (sSpoofingKeyboardCodes == nullptr) {
+    sSpoofingKeyboardCodes =
+        new nsTHashMap<KeyboardHashKey, const SpoofingKeyboardCode*>();
+  }
+
+  if (KeyboardLang::EN == aLang) {
+    switch (aRegion) {
+      case KeyboardRegion::US:
+        MaybeCreateSpoofingKeyCodesForEnUS();
+        break;
+    }
+  }
+}
+
+/* static */
+void nsRFPService::MaybeCreateSpoofingKeyCodesForEnUS() {
+  MOZ_ASSERT(sSpoofingKeyboardCodes);
+
+  static bool sInitialized = false;
+  const KeyboardLangs lang = KeyboardLang::EN;
+  const KeyboardRegions reg = KeyboardRegion::US;
+
+  if (sInitialized) {
+    return;
+  }
+
+  static const SpoofingKeyboardInfo spoofingKeyboardInfoTable[] = {
+#define KEY(key_, _codeNameIdx, _keyCode, _modifier) \
+  {NS_LITERAL_STRING_FROM_CSTRING(key_),             \
+   KEY_NAME_INDEX_USE_STRING,                        \
+   {CODE_NAME_INDEX_##_codeNameIdx, _keyCode, _modifier}},
+#define CONTROL(keyNameIdx_, _codeNameIdx, _keyCode) \
+  {u""_ns,                                           \
+   KEY_NAME_INDEX_##keyNameIdx_,                     \
+   {CODE_NAME_INDEX_##_codeNameIdx, _keyCode, MODIFIER_NONE}},
+#include "KeyCodeConsensus_En_US.h"
+#undef CONTROL
+#undef KEY
+  };
+
+  for (const auto& keyboardInfo : spoofingKeyboardInfoTable) {
+    KeyboardHashKey key(lang, reg, keyboardInfo.mKeyIdx, keyboardInfo.mKey);
+    MOZ_ASSERT(!sSpoofingKeyboardCodes->Contains(key),
+               "Double-defining key code; fix your KeyCodeConsensus file");
+    sSpoofingKeyboardCodes->InsertOrUpdate(key, &keyboardInfo.mSpoofingCode);
+  }
+
+  sInitialized = true;
+}
+
+/* static */
+void nsRFPService::GetKeyboardLangAndRegion(const nsAString& aLanguage,
+                                            KeyboardLangs& aLocale,
+                                            KeyboardRegions& aRegion) {
+  nsAutoString langStr;
+  nsAutoString regionStr;
+  uint32_t partNum = 0;
+
+  for (const nsAString& part : aLanguage.Split('-')) {
+    if (partNum == 0) {
+      langStr = part;
+    } else {
+      regionStr = part;
+      break;
+    }
+
+    partNum++;
+  }
+
+  // We test each language here as well as the region. There are some cases that
+  // only the language is given, we will use the default region code when this
+  // happens. The default region should depend on the given language.
+  if (langStr.EqualsLiteral(RFP_KEYBOARD_LANG_STRING_EN)) {
+    aLocale = KeyboardLang::EN;
+    // Give default values first.
+    aRegion = KeyboardRegion::US;
+
+    if (regionStr.EqualsLiteral(RFP_KEYBOARD_REGION_STRING_US)) {
+      aRegion = KeyboardRegion::US;
+    }
+  } else {
+    // There is no spoofed keyboard locale for the given language. We use the
+    // default one in this case.
+    aLocale = RFP_DEFAULT_SPOOFING_KEYBOARD_LANG;
+    aRegion = RFP_DEFAULT_SPOOFING_KEYBOARD_REGION;
+  }
+}
+
+/* static */
+bool nsRFPService::GetSpoofedKeyCodeInfo(
+    const dom::Document* aDoc, const WidgetKeyboardEvent* aKeyboardEvent,
+    SpoofingKeyboardCode& aOut) {
+  MOZ_ASSERT(aKeyboardEvent);
+
+  KeyboardLangs keyboardLang = RFP_DEFAULT_SPOOFING_KEYBOARD_LANG;
+  KeyboardRegions keyboardRegion = RFP_DEFAULT_SPOOFING_KEYBOARD_REGION;
+  // If the document is given, we use the content language which is get from the
+  // document. Otherwise, we use the default one.
+  if (aDoc) {
+    nsAtom* lang = aDoc->GetContentLanguage();
+
+    // If the content-langauge is not given, we try to get langauge from the
+    // HTML lang attribute.
+    if (!lang) {
+      if (dom::Element* elm = aDoc->GetHtmlElement()) {
+        lang = elm->GetLang();
+      }
+    }
+
+    // If two or more languages are given, per HTML5 spec, we should consider
+    // it as 'unknown'. So we use the default one.
+    if (lang) {
+      nsDependentAtomString langStr(lang);
+      if (!langStr.Contains(char16_t(','))) {
+        langStr.StripWhitespace();
+        GetKeyboardLangAndRegion(langStr, keyboardLang, keyboardRegion);
+      }
+    }
+  }
+
+  MaybeCreateSpoofingKeyCodes(keyboardLang, keyboardRegion);
+
+  KeyNameIndex keyIdx = aKeyboardEvent->mKeyNameIndex;
+  nsAutoString keyName;
+
+  if (keyIdx == KEY_NAME_INDEX_USE_STRING) {
+    keyName = aKeyboardEvent->mKeyValue;
+  }
+
+  KeyboardHashKey key(keyboardLang, keyboardRegion, keyIdx, keyName);
+  const SpoofingKeyboardCode* keyboardCode = sSpoofingKeyboardCodes->Get(key);
+
+  if (keyboardCode != nullptr) {
+    aOut = *keyboardCode;
+    return true;
+  }
+
+  return false;
+}
+
+/* static */
+bool nsRFPService::GetSpoofedModifierStates(
+    const dom::Document* aDoc, const WidgetKeyboardEvent* aKeyboardEvent,
+    const Modifiers aModifier, bool& aOut) {
+  MOZ_ASSERT(aKeyboardEvent);
+
+  // For modifier or control keys, we don't need to hide its modifier states.
+  if (aKeyboardEvent->mKeyNameIndex != KEY_NAME_INDEX_USE_STRING) {
+    return false;
+  }
+
+  // We will spoof the modifer state for Alt, Shift, and AltGraph.
+  // We don't spoof the Control key, because it is often used
+  // for command key combinations in web apps.
+  if ((aModifier & (MODIFIER_ALT | MODIFIER_SHIFT | MODIFIER_ALTGRAPH)) != 0) {
+    SpoofingKeyboardCode keyCodeInfo;
+
+    if (GetSpoofedKeyCodeInfo(aDoc, aKeyboardEvent, keyCodeInfo)) {
+      aOut = ((keyCodeInfo.mModifierStates & aModifier) != 0);
+      return true;
+    }
+  }
+
+  return false;
+}
+
+/* static */
+bool nsRFPService::GetSpoofedCode(const dom::Document* aDoc,
+                                  const WidgetKeyboardEvent* aKeyboardEvent,
+                                  nsAString& aOut) {
+  MOZ_ASSERT(aKeyboardEvent);
+
+  SpoofingKeyboardCode keyCodeInfo;
+
+  if (!GetSpoofedKeyCodeInfo(aDoc, aKeyboardEvent, keyCodeInfo)) {
+    return false;
+  }
+
+  WidgetKeyboardEvent::GetDOMCodeName(keyCodeInfo.mCode, aOut);
+
+  // We need to change the 'Left' with 'Right' if the location indicates
+  // it's a right key.
+  if (aKeyboardEvent->mLocation ==
+          dom::KeyboardEvent_Binding::DOM_KEY_LOCATION_RIGHT &&
+      StringEndsWith(aOut, u"Left"_ns)) {
+    aOut.ReplaceLiteral(aOut.Length() - 4, 4, u"Right");
+  }
+
+  return true;
+}
+
+/* static */
+bool nsRFPService::GetSpoofedKeyCode(const dom::Document* aDoc,
+                                     const WidgetKeyboardEvent* aKeyboardEvent,
+                                     uint32_t& aOut) {
+  MOZ_ASSERT(aKeyboardEvent);
+
+  SpoofingKeyboardCode keyCodeInfo;
+
+  if (GetSpoofedKeyCodeInfo(aDoc, aKeyboardEvent, keyCodeInfo)) {
+    aOut = keyCodeInfo.mKeyCode;
+    return true;
+  }
+
+  return false;
+}
+
+// ============================================================================
+// ============================================================================
+// ============================================================================
+// Randomization Stuff
+nsresult nsRFPService::GetBrowsingSessionKey(
+    const OriginAttributes& aOriginAttributes, nsID& aBrowsingSessionKey) {
+  MOZ_ASSERT(XRE_IsParentProcess());
+
+  nsAutoCString oaSuffix;
+  aOriginAttributes.CreateSuffix(oaSuffix);
+
+  MOZ_LOG(gResistFingerprintingLog, LogLevel::Info,
+          ("Get the browsing session key for the originAttributes: %s\n",
+           oaSuffix.get()));
+
+  // If any fingerprinting randomization protection is enabled, we generate the
+  // browsing session key.
+  // Note that there is only canvas randomization protection currently.
+  if (!nsContentUtils::ShouldResistFingerprinting(
+          "Checking the target activation globally without local context",
+          RFPTarget::CanvasRandomization)) {
+    return NS_ERROR_NOT_AVAILABLE;
+  }
+
+  Maybe<nsID> sessionKey = mBrowsingSessionKeys.MaybeGet(oaSuffix);
+
+  // The key has been generated, bail out earlier.
+  if (sessionKey) {
+    MOZ_LOG(gResistFingerprintingLog, LogLevel::Info,
+            ("The browsing session key exists: %s\n",
+             sessionKey.ref().ToString().get()));
+    aBrowsingSessionKey = sessionKey.ref();
+    return NS_OK;
+  }
+
+  nsID& newKey =
+      mBrowsingSessionKeys.InsertOrUpdate(oaSuffix, nsID::GenerateUUID());
+
+  MOZ_LOG(gResistFingerprintingLog, LogLevel::Debug,
+          ("Generated browsing session key: %s\n", newKey.ToString().get()));
+  aBrowsingSessionKey = newKey;
+
+  return NS_OK;
+}
+
+void nsRFPService::ClearBrowsingSessionKey(
+    const OriginAttributesPattern& aPattern) {
+  MOZ_ASSERT(XRE_IsParentProcess());
+
+  for (auto iter = mBrowsingSessionKeys.Iter(); !iter.Done(); iter.Next()) {
+    nsAutoCString key(iter.Key());
+    OriginAttributes attrs;
+    Unused << attrs.PopulateFromSuffix(key);
+
+    // Remove the entry if the origin attributes pattern matches
+    if (aPattern.Matches(attrs)) {
+      iter.Remove();
+    }
+  }
+}
+
+void nsRFPService::ClearBrowsingSessionKey(
+    const OriginAttributes& aOriginAttributes) {
+  MOZ_ASSERT(XRE_IsParentProcess());
+  nsAutoCString key;
+  aOriginAttributes.CreateSuffix(key);
+
+  mBrowsingSessionKeys.Remove(key);
+}
+
+// static
+Maybe<nsTArray<uint8_t>> nsRFPService::GenerateKey(nsIChannel* aChannel) {
+  MOZ_ASSERT(XRE_IsParentProcess());
+  MOZ_ASSERT(aChannel);
+
+#ifdef DEBUG
+  // Ensure we only compute random key for top-level loads.
+  {
+    nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
+    MOZ_ASSERT(loadInfo->GetExternalContentPolicyType() ==
+               ExtContentPolicy::TYPE_DOCUMENT);
+  }
+#endif
+
+  nsCOMPtr<nsIURI> topLevelURI;
+  Unused << aChannel->GetURI(getter_AddRefs(topLevelURI));
+
+  MOZ_LOG(gResistFingerprintingLog, LogLevel::Debug,
+          ("Generating the randomization key for top-level URI: %s\n",
+           topLevelURI->GetSpecOrDefault().get()));
+
+  RefPtr<nsRFPService> service = GetOrCreate();
+
+  nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
+  OriginAttributes attrs = loadInfo->GetOriginAttributes();
+
+  // Set the partitionKey using the top level URI to ensure that the key is
+  // specific to the top level site.
+  attrs.SetPartitionKey(topLevelURI);
+
+  nsAutoCString oaSuffix;
+  attrs.CreateSuffix(oaSuffix);
+
+  MOZ_LOG(gResistFingerprintingLog, LogLevel::Debug,
+          ("Get the key using OriginAttributes: %s\n", oaSuffix.get()));
+
+  nsID sessionKey = {};
+  if (NS_FAILED(service->GetBrowsingSessionKey(attrs, sessionKey))) {
+    return Nothing();
+  }
+
+  // Return nothing if fingerprinting randomization is disabled for the given
+  // channel.
+  //
+  // Note that canvas randomization is the only fingerprinting randomization
+  // protection currently.
+  if (!nsContentUtils::ShouldResistFingerprinting(
+          aChannel, RFPTarget::CanvasRandomization)) {
+    return Nothing();
+  }
+  auto sessionKeyStr = sessionKey.ToString();
+
+  // Generate the key by using the hMAC. The key is based on the session key and
+  // the partitionKey, i.e. top-level site.
+  HMAC hmac;
+
+  nsresult rv = hmac.Begin(
+      SEC_OID_SHA256,
+      Span(reinterpret_cast<const uint8_t*>(sessionKeyStr.get()), NSID_LENGTH));
+  if (NS_WARN_IF(NS_FAILED(rv))) {
+    return Nothing();
+  }
+
+  // Using the OriginAttributes to get the top level site. The site is composed
+  // of scheme, host, and port.
+  NS_ConvertUTF16toUTF8 topLevelSite(attrs.mPartitionKey);
+  rv = hmac.Update(reinterpret_cast<const uint8_t*>(topLevelSite.get()),
+                   topLevelSite.Length());
+  if (NS_WARN_IF(NS_FAILED(rv))) {
+    return Nothing();
+  }
+
+  Maybe<nsTArray<uint8_t>> key;
+  key.emplace();
+
+  rv = hmac.End(key.ref());
+  if (NS_WARN_IF(NS_FAILED(rv))) {
+    return Nothing();
+  }
+
+  return key;
+}
+
+NS_IMETHODIMP
+nsRFPService::CleanAllRandomKeys() {
+  MOZ_ASSERT(XRE_IsParentProcess());
+  mBrowsingSessionKeys.Clear();
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+nsRFPService::CleanRandomKeyByPrincipal(nsIPrincipal* aPrincipal) {
+  MOZ_ASSERT(XRE_IsParentProcess());
+  NS_ENSURE_ARG_POINTER(aPrincipal);
+  NS_ENSURE_TRUE(aPrincipal->GetIsContentPrincipal(), NS_ERROR_FAILURE);
+
+  OriginAttributes attrs = aPrincipal->OriginAttributesRef();
+  nsCOMPtr<nsIURI> uri = aPrincipal->GetURI();
+  attrs.SetPartitionKey(uri);
+
+  ClearBrowsingSessionKey(attrs);
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+nsRFPService::CleanRandomKeyByDomain(const nsACString& aDomain) {
+  MOZ_ASSERT(XRE_IsParentProcess());
+
+  // Get http URI from the domain.
+  nsCOMPtr<nsIURI> httpURI;
+  nsresult rv = NS_NewURI(getter_AddRefs(httpURI), "http://"_ns + aDomain);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  // Use the originAttributes to get the partitionKey.
+  OriginAttributes attrs;
+  attrs.SetPartitionKey(httpURI);
+
+  // Create a originAttributesPattern and set the http partitionKey to the
+  // pattern.
+  OriginAttributesPattern pattern;
+  pattern.mPartitionKey.Reset();
+  pattern.mPartitionKey.Construct(attrs.mPartitionKey);
+
+  ClearBrowsingSessionKey(pattern);
+
+  // Get https URI from the domain.
+  nsCOMPtr<nsIURI> httpsURI;
+  rv = NS_NewURI(getter_AddRefs(httpsURI), "https://"_ns + aDomain);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  // Use the originAttributes to get the partitionKey and set to the pattern.
+  attrs.SetPartitionKey(httpsURI);
+  pattern.mPartitionKey.Reset();
+  pattern.mPartitionKey.Construct(attrs.mPartitionKey);
+
+  ClearBrowsingSessionKey(pattern);
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+nsRFPService::CleanRandomKeyByHost(const nsACString& aHost,
+                                   const nsAString& aPattern) {
+  MOZ_ASSERT(XRE_IsParentProcess());
+
+  OriginAttributesPattern pattern;
+  if (!pattern.Init(aPattern)) {
+    return NS_ERROR_INVALID_ARG;
+  }
+
+  // Get http URI from the host.
+  nsCOMPtr<nsIURI> httpURI;
+  nsresult rv = NS_NewURI(getter_AddRefs(httpURI), "http://"_ns + aHost);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  // Use the originAttributes to get the partitionKey.
+  OriginAttributes attrs;
+  attrs.SetPartitionKey(httpURI);
+
+  // Set the partitionKey to the pattern.
+  pattern.mPartitionKey.Reset();
+  pattern.mPartitionKey.Construct(attrs.mPartitionKey);
+
+  ClearBrowsingSessionKey(pattern);
+
+  // Get https URI from the host.
+  nsCOMPtr<nsIURI> httpsURI;
+  rv = NS_NewURI(getter_AddRefs(httpsURI), "https://"_ns + aHost);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  // Use the originAttributes to get the partitionKey and set to the pattern.
+  attrs.SetPartitionKey(httpsURI);
+  pattern.mPartitionKey.Reset();
+  pattern.mPartitionKey.Construct(attrs.mPartitionKey);
+
+  ClearBrowsingSessionKey(pattern);
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+nsRFPService::CleanRandomKeyByOriginAttributesPattern(
+    const nsAString& aPattern) {
+  MOZ_ASSERT(XRE_IsParentProcess());
+
+  OriginAttributesPattern pattern;
+  if (!pattern.Init(aPattern)) {
+    return NS_ERROR_INVALID_ARG;
+  }
+
+  ClearBrowsingSessionKey(pattern);
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+nsRFPService::TestGenerateRandomKey(nsIChannel* aChannel,
+                                    nsTArray<uint8_t>& aKey) {
+  MOZ_ASSERT(XRE_IsParentProcess());
+  NS_ENSURE_ARG_POINTER(aChannel);
+
+  Maybe<nsTArray<uint8_t>> key = GenerateKey(aChannel);
+
+  if (!key) {
+    return NS_OK;
+  }
+
+  aKey = key.ref().Clone();
+  return NS_OK;
+}
+
+// static
+nsresult nsRFPService::GenerateCanvasKeyFromImageData(
+    nsICookieJarSettings* aCookieJarSettings, uint8_t* aImageData,
+    uint32_t aSize, nsTArray<uint8_t>& aCanvasKey) {
+  NS_ENSURE_ARG_POINTER(aCookieJarSettings);
+
+  nsTArray<uint8_t> randomKey;
+  nsresult rv =
+      aCookieJarSettings->GetFingerprintingRandomizationKey(randomKey);
+
+  // There is no random key for this cookieJarSettings. This means that the
+  // randomization is disabled. So, we can bail out from here without doing
+  // anything.
+  if (NS_FAILED(rv)) {
+    return NS_ERROR_FAILURE;
+  }
+
+  // Generate the key for randomizing the canvas data using hMAC. The key is
+  // based on the random key of the document and the canvas data itself. So,
+  // different canvas would have different keys.
+  HMAC hmac;
+
+  rv = hmac.Begin(SEC_OID_SHA256, Span(randomKey));
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  rv = hmac.Update(aImageData, aSize);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  rv = hmac.End(aCanvasKey);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  return NS_OK;
+}
+
+// static
+nsresult nsRFPService::RandomizePixels(nsICookieJarSettings* aCookieJarSettings,
+                                       uint8_t* aData, uint32_t aWidth,
+                                       uint32_t aHeight, uint32_t aSize,
+                                       gfx::SurfaceFormat aSurfaceFormat) {
+  NS_ENSURE_ARG_POINTER(aData);
+
+  if (!aCookieJarSettings) {
+    return NS_OK;
+  }
+
+  if (aSize <= 4) {
+    return NS_OK;
+  }
+
+  // Don't randomize if all pixels are uniform.
+  static constexpr size_t bytesPerPixel = 4;
+  MOZ_ASSERT(aSize == aWidth * aHeight * bytesPerPixel,
+             "Pixels must be tightly-packed");
+  const bool allPixelsMatch = [&]() {
+    auto itr = RangedPtr<const uint8_t>(aData, aSize);
+    const auto itrEnd = itr + aSize;
+    for (; itr != itrEnd; itr += bytesPerPixel) {
+      if (memcmp(itr.get(), aData, bytesPerPixel) != 0) {
+        return false;
+      }
+    }
+    return true;
+  }();
+  if (allPixelsMatch) {
+    return NS_OK;
+  }
+
+  auto timerId =
+      glean::fingerprinting_protection::canvas_noise_calculate_time.Start();
+
+  nsTArray<uint8_t> canvasKey;
+  nsresult rv = GenerateCanvasKeyFromImageData(aCookieJarSettings, aData, aSize,
+                                               canvasKey);
+  if (NS_FAILED(rv)) {
+    glean::fingerprinting_protection::canvas_noise_calculate_time.Cancel(
+        std::move(timerId));
+    return rv;
+  }
+
+  // Calculate the number of pixels based on the given data size. One pixel uses
+  // 4 bytes that contains ARGB information.
+  uint32_t pixelCnt = aSize / 4;
+
+  // Generate random values that will decide the RGB channel and the pixel
+  // position that we are going to introduce the noises. The channel and
+  // position are predictable to ensure we have a consistant result with the
+  // same canvas in the same browsing session.
+
+  // Seed and create the first random number generator which will be used to
+  // select RGB channel and the pixel position. The seed is the first half of
+  // the canvas key.
+  non_crypto::XorShift128PlusRNG rng1(
+      *reinterpret_cast<uint64_t*>(canvasKey.Elements()),
+      *reinterpret_cast<uint64_t*>(canvasKey.Elements() + 8));
+
+  // Use the last 8 bits as the number of noises.
+  uint8_t rnd3 = canvasKey.LastElement();
+
+  // Clear the last 8 bits.
+  canvasKey.ReplaceElementAt(canvasKey.Length() - 1, 0);
+
+  // Use the remaining 120 bits to seed and create the second random number
+  // generator. The random number will be used to decided the noise bit that
+  // will be added to the lowest order bit of the channel of the pixel.
+  non_crypto::XorShift128PlusRNG rng2(
+      *reinterpret_cast<uint64_t*>(canvasKey.Elements() + 16),
+      *reinterpret_cast<uint64_t*>(canvasKey.Elements() + 24));
+
+  // Ensure at least 20 random changes may occur.
+  uint8_t numNoises = std::clamp<uint8_t>(rnd3, 20, 255);
+
+#ifdef __clang__
+#  pragma clang diagnostic push
+#  pragma clang diagnostic ignored "-Wunreachable-code"
+#endif
+  if (false) {
+    // For debugging purposes you can dump the image with this code
+    // then convert it with the image-magick command
+    // convert -size WxH -depth 8 rgba:$i $i.png
+    // Depending on surface format, the alpha and color channels might be mixed
+    // up...
+    static int calls = 0;
+    char filename[256];
+    SprintfLiteral(filename, "rendered_image_%dx%d_%d_pre", aWidth, aHeight,
+                   calls);
+    FILE* outputFile = fopen(filename, "wb");  // "wb" for binary write mode
+    fwrite(aData, 1, aSize, outputFile);
+    fclose(outputFile);
+    calls++;
+  }
+#ifdef __clang__
+#  pragma clang diagnostic pop
+#endif
+
+  while (numNoises--) {
+    // Choose which RGB channel to add a noise. The pixel data is in either
+    // the BGRA or the ARGB format depending on the endianess. To choose the
+    // color channel we need to add the offset according the endianess.
+    uint32_t channel;
+    if (aSurfaceFormat == gfx::SurfaceFormat::B8G8R8A8) {
+      channel = rng1.next() % 3;
+    } else if (aSurfaceFormat == gfx::SurfaceFormat::A8R8G8B8) {
+      channel = rng1.next() % 3 + 1;
+    } else {
+      return NS_ERROR_INVALID_ARG;
+    }
+
+    uint32_t idx = 4 * (rng1.next() % pixelCnt) + channel;
+    uint8_t bit = rng2.next();
+
+    // 50% chance to XOR a 0x2 or 0x1 into the existing byte
+    aData[idx] = aData[idx] ^ (0x2 >> (bit & 0x1));
+  }
+
+  glean::fingerprinting_protection::canvas_noise_calculate_time
+      .StopAndAccumulate(std::move(timerId));
+
+  return NS_OK;
+}
+
+static const char* CanvasFingerprinterToString(
+    ContentBlockingNotifier::CanvasFingerprinter aFingerprinter) {
+  switch (aFingerprinter) {
+    case ContentBlockingNotifier::CanvasFingerprinter::eFingerprintJS:
+      return "FingerprintJS";
+    case ContentBlockingNotifier::CanvasFingerprinter::eAkamai:
+      return "Akamai";
+    case ContentBlockingNotifier::CanvasFingerprinter::eVariant1:
+      return "Variant1";
+    case ContentBlockingNotifier::CanvasFingerprinter::eVariant2:
+      return "Variant2";
+    case ContentBlockingNotifier::CanvasFingerprinter::eVariant3:
+      return "Variant3";
+    case ContentBlockingNotifier::CanvasFingerprinter::eVariant4:
+      return "Variant4";
+    case ContentBlockingNotifier::CanvasFingerprinter::eMaybe:
+      return "Maybe";
+  }
+  return "<error>";
+}
+
+static void MaybeCurrentCaller(nsACString& aFilename, uint32_t& aLineNum,
+                               uint32_t& aColumnNum) {
+  aFilename.AssignLiteral("<unknown>");
+
+  JSContext* cx = nsContentUtils::GetCurrentJSContext();
+  if (!cx) {
+    return;
+  }
+
+  JS::AutoFilename scriptFilename;
+  JS::ColumnNumberOneOrigin columnNum;
+  if (JS::DescribeScriptedCaller(cx, &scriptFilename, &aLineNum, &columnNum)) {
+    if (const char* file = scriptFilename.get()) {
+      aFilename = nsDependentCString(file);
+    }
+  }
+  aColumnNum = columnNum.oneOriginValue();
+}
+
+/* static */ void nsRFPService::MaybeReportCanvasFingerprinter(
+    nsTArray<CanvasUsage>& aUses, nsIChannel* aChannel,
+    nsACString& aOriginNoSuffix) {
+  if (!aChannel) {
+    return;
+  }
+
+  uint32_t extractedWebGL = 0;
+  bool seenExtractedWebGL_300x150 = false;
+
+  uint32_t extracted2D = 0;
+  bool seenExtracted2D_16x16 = false;
+  bool seenExtracted2D_122x110 = false;
+  bool seenExtracted2D_240x60 = false;
+  bool seenExtracted2D_280x60 = false;
+  bool seenExtracted2D_860x6 = false;
+  CanvasFeatureUsage featureUsage = CanvasFeatureUsage::None;
+
+  uint32_t extractedOther = 0;
+
+  for (const auto& usage : aUses) {
+    int32_t width = usage.mSize.width;
+    int32_t height = usage.mSize.height;
+
+    if (width > 2000 || height > 1000) {
+      // Canvases used for fingerprinting are usually relatively small.
+      continue;
+    }
+
+    if (usage.mType == dom::CanvasContextType::Canvas2D) {
+      featureUsage |= usage.mFeatureUsage;
+      extracted2D++;
+      if (width == 16 && height == 16) {
+        seenExtracted2D_16x16 = true;
+      } else if (width == 240 && height == 60) {
+        seenExtracted2D_240x60 = true;
+      } else if (width == 122 && height == 110) {
+        seenExtracted2D_122x110 = true;
+      } else if (width == 280 && height == 60) {
+        seenExtracted2D_280x60 = true;
+      } else if (width == 860 && height == 6) {
+        seenExtracted2D_860x6 = true;
+      }
+    } else if (usage.mType == dom::CanvasContextType::WebGL1) {
+      extractedWebGL++;
+      if (width == 300 && height == 150) {
+        seenExtractedWebGL_300x150 = true;
+      }
+    } else {
+      extractedOther++;
+    }
+  }
+
+  Maybe<ContentBlockingNotifier::CanvasFingerprinter> fingerprinter;
+  if (seenExtractedWebGL_300x150 && seenExtracted2D_240x60 &&
+      seenExtracted2D_122x110) {
+    fingerprinter =
+        Some(ContentBlockingNotifier::CanvasFingerprinter::eFingerprintJS);
+  } else if (seenExtractedWebGL_300x150 && seenExtracted2D_280x60 &&
+             seenExtracted2D_16x16) {
+    fingerprinter = Some(ContentBlockingNotifier::CanvasFingerprinter::eAkamai);
+  } else if (seenExtractedWebGL_300x150 && extracted2D > 0 &&
+             (featureUsage & CanvasFeatureUsage::SetFont)) {
+    fingerprinter =
+        Some(ContentBlockingNotifier::CanvasFingerprinter::eVariant1);
+  } else if (extractedWebGL > 0 && extracted2D > 1 && seenExtracted2D_860x6) {
+    fingerprinter =
+        Some(ContentBlockingNotifier::CanvasFingerprinter::eVariant2);
+  } else if (extractedOther > 0 && (extractedWebGL > 0 || extracted2D > 0)) {
+    fingerprinter =
+        Some(ContentBlockingNotifier::CanvasFingerprinter::eVariant3);
+  } else if (extracted2D > 0 && (featureUsage & CanvasFeatureUsage::SetFont) &&
+             (featureUsage &
+              (CanvasFeatureUsage::FillRect | CanvasFeatureUsage::LineTo |
+               CanvasFeatureUsage::Stroke))) {
+    fingerprinter =
+        Some(ContentBlockingNotifier::CanvasFingerprinter::eVariant4);
+  } else if (extractedOther + extractedWebGL + extracted2D > 1) {
+    // This I added primarily to not miss anything, but it can cause false
+    // positives.
+    fingerprinter = Some(ContentBlockingNotifier::CanvasFingerprinter::eMaybe);
+  }
+
+  bool knownFingerprintText =
+      bool(featureUsage & CanvasFeatureUsage::KnownFingerprintText);
+  if (!knownFingerprintText && fingerprinter.isNothing()) {
+    return;
+  }
+
+  if (MOZ_LOG_TEST(gFingerprinterDetection, LogLevel::Info)) {
+    nsAutoCString filename;
+    uint32_t lineNum = 0;
+    uint32_t columnNum = 0;
+    MaybeCurrentCaller(filename, lineNum, columnNum);
+
+    nsAutoCString origin(aOriginNoSuffix);
+    MOZ_LOG(
+        gFingerprinterDetection, LogLevel::Info,
+        ("Detected a potential canvas fingerprinter on %s in script %s:%d:%d "
+         "(KnownFingerprintText: %s, CanvasFingerprinter: %s)",
+         origin.get(), filename.get(), lineNum, columnNum,
+         knownFingerprintText ? "true" : "false",
+         fingerprinter.isSome()
+             ? CanvasFingerprinterToString(fingerprinter.value())
+             : "<none>"));
+  }
+
+  ContentBlockingNotifier::OnEvent(
+      aChannel, false,
+      nsIWebProgressListener::STATE_ALLOWED_CANVAS_FINGERPRINTING,
+      aOriginNoSuffix, Nothing(), fingerprinter,
+      Some(featureUsage & CanvasFeatureUsage::KnownFingerprintText));
+}
+
+/* static */ void nsRFPService::MaybeReportFontFingerprinter(
+    nsIChannel* aChannel, nsACString& aOriginNoSuffix) {
+  if (!aChannel) {
+    return;
+  }
+
+  if (MOZ_LOG_TEST(gFingerprinterDetection, LogLevel::Info)) {
+    nsAutoCString filename;
+    uint32_t lineNum = 0;
+    uint32_t columnNum = 0;
+    MaybeCurrentCaller(filename, lineNum, columnNum);
+
+    nsAutoCString origin(aOriginNoSuffix);
+    MOZ_LOG(gFingerprinterDetection, LogLevel::Info,
+            ("Detected a potential font fingerprinter on %s in script %s:%d:%d",
+             origin.get(), filename.get(), lineNum, columnNum));
+  }
+
+  ContentBlockingNotifier::OnEvent(
+      aChannel, false,
+      nsIWebProgressListener::STATE_ALLOWED_FONT_FINGERPRINTING,
+      aOriginNoSuffix);
+}
+
+/* static */
+bool nsRFPService::CheckSuspiciousFingerprintingActivity(
+    nsTArray<ContentBlockingLog::LogEntry>& aLogs) {
+  if (aLogs.Length() == 0) {
+    return false;
+  }
+
+  uint32_t cnt = 0;
+  // We use these two booleans to prevent counting duplicated fingerprinting
+  // events.
+  bool foundCanvas = false;
+  bool foundFont = false;
+
+  // Iterate through the logs to see if there are suspicious fingerprinting
+  // activities.
+  for (auto& log : aLogs) {
+    // If it's a known canvas fingerprinter, we can directly return true from
+    // here.
+    if (log.mCanvasFingerprinter &&
+        (log.mCanvasFingerprinter.ref() ==
+             ContentBlockingNotifier::CanvasFingerprinter::eFingerprintJS ||
+         log.mCanvasFingerprinter.ref() ==
+             ContentBlockingNotifier::CanvasFingerprinter::eAkamai)) {
+      return true;
+    } else if (!foundCanvas && log.mType ==
+                                   nsIWebProgressListener::
+                                       STATE_ALLOWED_CANVAS_FINGERPRINTING) {
+      cnt++;
+      foundCanvas = true;
+    } else if (!foundFont &&
+               log.mType ==
+                   nsIWebProgressListener::STATE_ALLOWED_FONT_FINGERPRINTING) {
+      cnt++;
+      foundFont = true;
+    }
+  }
+
+  // If the number of suspicious fingerprinting activity exceeds the threshold,
+  // we return true to indicates there is a suspicious fingerprinting activity.
+  return cnt > kSuspiciousFingerprintingActivityThreshold;
+}
+
+/* static */
+nsresult nsRFPService::CreateOverrideDomainKey(
+    nsIFingerprintingOverride* aOverride, nsACString& aDomainKey) {
+  MOZ_ASSERT(aOverride);
+
+  aDomainKey.Truncate();
+
+  nsAutoCString firstPartyDomain;
+  nsresult rv = aOverride->GetFirstPartyDomain(firstPartyDomain);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  // The first party domain shouldn't be empty. And it shouldn't contain a comma
+  // because we use a comma as a delimiter.
+  if (firstPartyDomain.IsEmpty() ||
+      firstPartyDomain.Contains(FP_OVERRIDES_DOMAIN_KEY_DELIMITER)) {
+    return NS_ERROR_FAILURE;
+  }
+
+  nsAutoCString thirdPartyDomain;
+  rv = aOverride->GetThirdPartyDomain(thirdPartyDomain);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  // We don't accept both domains are wildcards.
+  if (firstPartyDomain.EqualsLiteral("*") &&
+      thirdPartyDomain.EqualsLiteral("*")) {
+    return NS_ERROR_FAILURE;
+  }
+
+  if (thirdPartyDomain.IsEmpty()) {
+    aDomainKey.Assign(firstPartyDomain);
+  } else {
+    // Ensure the third-party domain doesn't contain a delimiter.
+    if (thirdPartyDomain.Contains(FP_OVERRIDES_DOMAIN_KEY_DELIMITER)) {
+      return NS_ERROR_FAILURE;
+    }
+
+    aDomainKey.Assign(firstPartyDomain);
+    aDomainKey.Append(FP_OVERRIDES_DOMAIN_KEY_DELIMITER);
+    aDomainKey.Append(thirdPartyDomain);
+  }
+
+  return NS_OK;
+}
+
+/* static */
+RFPTarget nsRFPService::CreateOverridesFromText(const nsString& aOverridesText,
+                                                RFPTarget aBaseOverrides) {
+  RFPTarget result = aBaseOverrides;
+
+  for (const nsAString& each : aOverridesText.Split(',')) {
+    Maybe<RFPTarget> mappedValue =
+        nsRFPService::TextToRFPTarget(Substring(each, 1, each.Length() - 1));
+    if (mappedValue.isSome()) {
+      RFPTarget target = mappedValue.value();
+      if (target == RFPTarget::IsAlwaysEnabledForPrecompute) {
+        MOZ_LOG(gResistFingerprintingLog, LogLevel::Warning,
+                ("RFPTarget::%s is not a valid value",
+                 NS_ConvertUTF16toUTF8(each).get()));
+      } else if (each[0] == '+') {
+        result |= target;
+        MOZ_LOG(gResistFingerprintingLog, LogLevel::Warning,
+                ("Mapped value %s (0x%" PRIx64
+                 "), to an addition, now we have 0x%" PRIx64,
+                 NS_ConvertUTF16toUTF8(each).get(), uint64_t(target),
+                 uint64_t(result)));
+      } else if (each[0] == '-') {
+        result &= ~target;
+        MOZ_LOG(gResistFingerprintingLog, LogLevel::Warning,
+                ("Mapped value %s (0x%" PRIx64
+                 ") to a subtraction, now we have 0x%" PRIx64,
+                 NS_ConvertUTF16toUTF8(each).get(), uint64_t(target),
+                 uint64_t(result)));
+      } else {
+        MOZ_LOG(gResistFingerprintingLog, LogLevel::Warning,
+                ("Mapped value %s (0x%" PRIx64
+                 ") to an RFPTarget Enum, but the first "
+                 "character wasn't + or -",
+                 NS_ConvertUTF16toUTF8(each).get(), uint64_t(target)));
+      }
+    } else {
+      MOZ_LOG(gResistFingerprintingLog, LogLevel::Warning,
+              ("Could not map the value %s to an RFPTarget Enum",
+               NS_ConvertUTF16toUTF8(each).get()));
+    }
+  }
+
+  return result;
+}
+
+NS_IMETHODIMP
+nsRFPService::SetFingerprintingOverrides(
+    const nsTArray<RefPtr<nsIFingerprintingOverride>>& aOverrides) {
+  MOZ_ASSERT(XRE_IsParentProcess());
+  // Clear all overrides before importing.
+  mFingerprintingOverrides.Clear();
+
+  for (const auto& fpOverride : aOverrides) {
+    nsAutoCString domainKey;
+
+    nsresult rv = nsRFPService::CreateOverrideDomainKey(fpOverride, domainKey);
+    // Skip the current overrides if we fail to create the domain key.
+    if (NS_WARN_IF(NS_FAILED(rv))) {
+      continue;
+    }
+
+    nsAutoCString overridesText;
+    rv = fpOverride->GetOverrides(overridesText);
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    RFPTarget targets = nsRFPService::CreateOverridesFromText(
+        NS_ConvertUTF8toUTF16(overridesText),
+        mFingerprintingOverrides.Contains(domainKey)
+            ? mFingerprintingOverrides.Get(domainKey)
+            : sEnabledFingerprintingProtections);
+
+    // The newly added one will replace the existing one for the given domain
+    // key.
+    mFingerprintingOverrides.InsertOrUpdate(domainKey, targets);
+  }
+
+  if (Preferences::GetBool(
+          "privacy.fingerprintingProtection.remoteOverrides.testing", false)) {
+    nsCOMPtr<nsIObserverService> obs = mozilla::services::GetObserverService();
+    NS_ENSURE_TRUE(obs, NS_ERROR_NOT_AVAILABLE);
+
+    obs->NotifyObservers(nullptr, "fpp-test:set-overrides-finishes", nullptr);
+  }
+
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+nsRFPService::GetEnabledFingerprintingProtections(uint64_t* aProtections) {
+  RFPTarget enabled = sEnabledFingerprintingProtections;
+
+  *aProtections = uint64_t(enabled);
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+nsRFPService::GetFingerprintingOverrides(const nsACString& aDomainKey,
+                                         uint64_t* aOverrides) {
+  MOZ_ASSERT(XRE_IsParentProcess());
+
+  Maybe<RFPTarget> overrides = mFingerprintingOverrides.MaybeGet(aDomainKey);
+
+  if (!overrides) {
+    return NS_ERROR_FAILURE;
+  }
+
+  *aOverrides = uint64_t(overrides.ref());
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+nsRFPService::CleanAllOverrides() {
+  MOZ_ASSERT(XRE_IsParentProcess());
+  mFingerprintingOverrides.Clear();
+  return NS_OK;
+}
+
+/* static */
+Maybe<RFPTarget> nsRFPService::GetOverriddenFingerprintingSettingsForChannel(
+    nsIChannel* aChannel) {
+  MOZ_ASSERT(aChannel);
+  MOZ_ASSERT(XRE_IsParentProcess());
+
+  nsCOMPtr<nsIURI> uri;
+  Unused << aChannel->GetURI(getter_AddRefs(uri));
+
+  if (uri->SchemeIs("about") && !NS_IsContentAccessibleAboutURI(uri)) {
+    return Nothing();
+  }
+
+  nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();
+  MOZ_ASSERT(loadInfo);
+
+  RefPtr<dom::BrowsingContext> bc;
+  loadInfo->GetTargetBrowsingContext(getter_AddRefs(bc));
+  if (!bc || !bc->IsContent()) {
+    return Nothing();
+  }
+
+  // The channel is for the first-party load.
+  if (!loadInfo->GetIsThirdPartyContextToTopWindow()) {
+    return GetOverriddenFingerprintingSettingsForURI(uri, nullptr);
+  }
+
+  // The channel is for the third-party load. We get the first-party URI from
+  // the top-level window global parent.
+  RefPtr<dom::WindowGlobalParent> topWGP =
+      bc->Top()->Canonical()->GetCurrentWindowGlobal();
+
+  if (NS_WARN_IF(!topWGP)) {
+    return Nothing();
+  }
+
+  nsCOMPtr<nsIPrincipal> topPrincipal = topWGP->DocumentPrincipal();
+  if (NS_WARN_IF(!topPrincipal)) {
+    return Nothing();
+  }
+
+  // Only apply the override if the top is content. In testing, the top level
+  // document could be a null principal. We don't need to apply override in this
+  // case.
+  if (!topPrincipal->GetIsContentPrincipal()) {
+    return Nothing();
+  }
+
+  nsCOMPtr<nsIURI> topURI = topWGP->GetDocumentURI();
+  if (NS_WARN_IF(!topURI)) {
+    return Nothing();
+  }
+
+  // The top-level page could be navigated to an error page. We cannot get
+  // the correct override in this case. So, we return nothing from here.
+  if (nsContentUtils::IsErrorPage(topURI)) {
+    return Nothing();
+  }
+
+#ifdef DEBUG
+  // Verify if the top URI matches the partitionKey of the channel.
+  nsCOMPtr<nsICookieJarSettings> cookieJarSettings;
+  Unused << loadInfo->GetCookieJarSettings(getter_AddRefs(cookieJarSettings));
+
+  nsAutoString partitionKey;
+  cookieJarSettings->GetPartitionKey(partitionKey);
+
+  OriginAttributes attrs;
+  attrs.SetPartitionKey(topURI);
+
+  // The partitionKey of the channel could haven't been set here if the loading
+  // channel is top-level.
+  MOZ_ASSERT_IF(!partitionKey.IsEmpty(),
+                attrs.mPartitionKey.Equals(partitionKey));
+#endif
+
+  return GetOverriddenFingerprintingSettingsForURI(topURI, uri);
+}
+
+/* static */
+Maybe<RFPTarget> nsRFPService::GetOverriddenFingerprintingSettingsForURI(
+    nsIURI* aFirstPartyURI, nsIURI* aThirdPartyURI) {
+  MOZ_ASSERT(aFirstPartyURI);
+  MOZ_ASSERT(XRE_IsParentProcess());
+
+  RefPtr<nsRFPService> service = GetOrCreate();
+  if (NS_WARN_IF(!service)) {
+    return Nothing();
+  }
+
+  // The fingerprinting overrides with a specific scope will replace the
+  // overrides with a more general scope. For example, the {first-party domain}
+  // will take over {first-party domain, *} because the latter one has a smaller
+  // scope.
+
+  // First, we get the overrides that applies to every context.
+  Maybe<RFPTarget> result = service->mFingerprintingOverrides.MaybeGet("*"_ns);
+
+  RefPtr<nsEffectiveTLDService> eTLDService =
+      nsEffectiveTLDService::GetInstance();
+  if (NS_WARN_IF(!eTLDService)) {
+    return Nothing();
+  }
+
+  nsAutoCString firstPartyDomain;
+  nsresult rv = eTLDService->GetBaseDomain(aFirstPartyURI, 0, firstPartyDomain);
+  if (NS_FAILED(rv)) {
+    return Nothing();
+  }
+
+  // The check is for a first-party load. A first-party load can be a
+  // top-level load or a first-party subresource/iframe load. The first-party
+  // load can match the following two scopes.
+  //   1. {first-party domain, *}: Every context that is under the given
+  //   first-party domain, including itself.
+  //   2. {first-party domain}: First-party contexts that load the given
+  //   first-party domain.
+  if (!aThirdPartyURI) {
+    // Test the {first-party domain, *} scope.
+    nsAutoCString key;
+    key.Assign(firstPartyDomain);
+    key.Append(FP_OVERRIDES_DOMAIN_KEY_DELIMITER);
+    key.Append("*");
+
+    Maybe<RFPTarget> fpOverrides =
+        service->mFingerprintingOverrides.MaybeGet(key);
+    if (fpOverrides) {
+      result = fpOverrides;
+    }
+
+    // Test the {first-party domain} scope.
+    fpOverrides = service->mFingerprintingOverrides.MaybeGet(firstPartyDomain);
+    if (fpOverrides) {
+      result = fpOverrides;
+    }
+
+    return result;
+  }
+
+  // The check is for a third-party load. The third-party load can match the
+  // following three scopes.
+  //   1. {first-party domain, *}: Every context that is under the given
+  //   first-party domain.
+  //   2. {*, third-party domain}: Every third-party context that loads the
+  //   given third-party domain.
+  //   3. {first-party domain, third-party domain}: The third-party context that
+  //   is under the given first-party domain.
+
+  nsAutoCString thirdPartyDomain;
+  rv = eTLDService->GetBaseDomain(aThirdPartyURI, 0, thirdPartyDomain);
+  if (NS_FAILED(rv)) {
+    return Nothing();
+  }
+
+  // Test {first-party domain, *} scope.
+  nsAutoCString key;
+  key.Assign(firstPartyDomain);
+  key.Append(FP_OVERRIDES_DOMAIN_KEY_DELIMITER);
+  key.Append("*");
+  Maybe<RFPTarget> fpOverrides =
+      service->mFingerprintingOverrides.MaybeGet(key);
+  if (fpOverrides) {
+    result = fpOverrides;
+  }
+
+  // Test {*, third-party domain} scope.
+  key.Assign("*");
+  key.Append(FP_OVERRIDES_DOMAIN_KEY_DELIMITER);
+  key.Append(thirdPartyDomain);
+  fpOverrides = service->mFingerprintingOverrides.MaybeGet(key);
+  if (fpOverrides) {
+    result = fpOverrides;
+  }
+
+  // Test {first-party domain, third-party domain} scope.
+  key.Assign(firstPartyDomain);
+  key.Append(FP_OVERRIDES_DOMAIN_KEY_DELIMITER);
+  key.Append(thirdPartyDomain);
+  fpOverrides = service->mFingerprintingOverrides.MaybeGet(key);
+  if (fpOverrides) {
+    result = fpOverrides;
+  }
+
+  return result;
+}