This is a fundamental problem with running arbitrary untrusted code on your machine. Things like your <i>display size</i> and <i>desktop decorations</i> suddenly become security-relevant.<p>Browsers need to start recognizing these as high-priority security vulnerabilities <i>and</i> make it a point to preempt them by design. Or they need to explicitly acknowledge that they cannot and start reducing their JavaScript attack surface to a simpler foundation more appropriate for interactive <i>web pages</i>.<p>Code running for a web page should have <i>no idea</i> of what size screen or aspect ratio it is displaying on - if a developer wants to draw pixel perfect graphics, they should be creating an <i>app</i>. Many better methods exist for distributing full-featured programs to run on one's machine - they generally involve auditing by a third party. Sandboxed execution is a nifty thing, but it's negligent to assert that it's infallible and eschew further security measures.
Yeah, that's pretty disturbing. But I seem to get two different fingerprints. Refreshing the page 10 or so times, I usually get one, and then it switches to the other for another ~10 page reloads, and then back again.<p>FF49 on Ubuntu 16.04.