Opened 5 years ago

Last modified 3 years ago

#11935 reopened defect

Strange fallback font behavior on Mac and Windows

Reported by: mt2014 Owned by: mikeperry
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-fingerprinting-fonts, tbb-firefox-patch
Cc: gk Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description (last modified by mikeperry)

On stayinvisible.com, for some reason our font patch is causing Windows and Mac builds to report that they have *all* the fonts installed, where as Linux the test properly stops detecting fonts after our limit is reached.

This could be because something about TBB is simply causing the fallback fonts on Mac and Windows to be different than what they expect. Possible OS fingerprinting issue, or deeper bug?

In either case, this is not ridiculously serious, but is worth investigating.

Child Tickets

Attachments (6)

torbrowser.jpg (150.5 KB) - added by mt2014 5 years ago.
Via TorBrowser
jondofox.jpg (157.1 KB) - added by mt2014 5 years ago.
Via JondoFox
torbrowser2.jpg (175.2 KB) - added by mt2014 5 years ago.
Via TorBrowser #2
code (6.0 KB) - added by gk 5 years ago.
Code used on stayinvisible.com
code2 (6.0 KB) - added by gk 5 years ago.
Added the three global variables to the code snippet
nosuchfont.png (26.7 KB) - added by dcf 5 years ago.
Screenshot of Tor Browser's font limit causing early fallback to the system font.

Download all attachments as: .zip

Change History (21)

Changed 5 years ago by mt2014

Attachment: torbrowser.jpg added

Via TorBrowser

Changed 5 years ago by mt2014

Attachment: jondofox.jpg added

Via JondoFox

comment:1 Changed 5 years ago by mt2014

see the attachments. when testing via torbrowser and jondofox. torbrowser is still leaking fonts list

comment:2 Changed 5 years ago by gk

Resolution: invalid
Status: newclosed

You are using a broken Tor Browser as the one we ship contains Torbutton enabled and functional (the Torbutton onion has to be green). I guess that is the reason for your leaking fonts list. But that is not a Tor Browser issue. Please get a new Tor Browser at https://www.torproject.org/download/download-easy.html.en and don't forget to verify the signature.

Changed 5 years ago by mt2014

Attachment: torbrowser2.jpg added

Via TorBrowser #2

comment:3 Changed 5 years ago by mt2014

it's still same.

The first screen shot is using torbutton without Tor (transparent torrification)

second try i downloaded again from https://www.torproject.org/download/download-easy.html.en then run it all by default (see attachment)

I have tried it on different computer as well. it's gives the same results.

can you do the test on stayinvisible.com and take a screenshot?

comment:4 Changed 5 years ago by mt2014

Resolution: invalid
Status: closedreopened

comment:5 Changed 5 years ago by gk

Cc: mcs brade added
Component: TorbuttonFirefox Patch Issues
Priority: blockercritical

So. I can see this issue on Windows and Mac but my Linux box shows 0 fonts. That is kind of weird as my normal Iceweasel shows 7 fonts. We need some further investigation here... The fonts in attachment three are not the same I have on Windows visible although, of course, there is overlap.

comment:6 Changed 5 years ago by gk

Owner: set to mikeperry
Status: reopenedassigned

Changed 5 years ago by gk

Attachment: code added

Code used on stayinvisible.com

Changed 5 years ago by gk

Attachment: code2 added

Added the three global variables to the code snippet

comment:7 Changed 5 years ago by gk

Having "browser.display.max_font_count" <= 4 gives zero fonts back. With >= 5 do I get 295-300 fonts back on my test Mac.

comment:8 Changed 5 years ago by gk

Resolution: invalid
Status: assignedclosed

What you see is not the fonts leaked but basically the list of fonts they test against (note e.g. the mentioning of Bell MT twice in your test results which is contained twice as well in their font list). Not sure what goes wrong here, though. The tests seem to behave correctly if one disables fingerprinting resistance for testing purposes setting "extensions.torbutton.resist_fingerprinting" to "false".

comment:9 Changed 5 years ago by mikeperry

Cc: mcs brade removed
Description: modified (diff)
Keywords: tbb-fingerprinting added
Priority: criticalnormal
Summary: TorBrowser Fonts Leaking....Strange fallback font behavior on Mac and Windows

comment:10 Changed 5 years ago by mikeperry

Resolution: invalid
Status: closedreopened

comment:11 Changed 5 years ago by gk

Cc: gk added

comment:12 Changed 5 years ago by erinn

Component: Firefox Patch IssuesTor Browser
Keywords: tbb-firefox-patch added

Changed 5 years ago by dcf

Attachment: nosuchfont.png added

Screenshot of Tor Browser's font limit causing early fallback to the system font.

comment:13 Changed 5 years ago by dcf

I have a guess as to what's happening. I ran into it myself while testing some web font stuff. When the font count limit is reached, and a new font family is requested, Tor Browser falls back to the default system font rather than show the requested font. However it does this even when there are more font families in the style, even if those families were previously allowed under the font limit. Other browsers would instead try the remaining families before falling back to the system default.

You can see it in action with the following HTML document. You have to run it on a system with DejaVu Sans Mono installed (any GNU/Linux system).

<!DOCTYPE html>
<div id=d></div>
<script>
var d = document.getElementById("d");
function test(n) {
        if (n > 15)
                return;
        var p = document.createElement("p");
        p.style.fontFamily = "nosuchfont" + n + ", DejaVu Sans Mono";
        p.textContent = p.style.fontFamily;
        d.appendChild(p);
        setTimeout(function() { test(n + 1) }, 200);
}
test(1);
</script>

The output in Tor browser is below. After ten font families are tried, the text starts being rendered in the default system font (non-monospace), even though "DejaVu Sans Mono" was previously allowed under the font limit.
Screenshot of Tor Browser's font limit causing early fallback to the system font.

A giveaway in the stayinvisible.com case is that on my Windows, the first font name reported is Aharoni, which is the fifth font name tested. Counting the "Arial Black" that is used as a reference as one, and counting each font name twice because the test changes the family twice, it means the detection starts to go wrong after ten families have been loaded.

The code in attachment:code2 works by first measuring the width of a reference string with the CSS style

font-family: Arial Black;

It then successively tries a bunch of two-family styles, all with "Arial Black" as the second family, like

font-family: Adobe Caslon Pro, Arial Black;
font-family: Adobe Garamond, Arial Black;
font-family: Adobe Garamond Pro, Arial Black;
font-family: Agency FB, Arial Black;
font-family: Aharoni, Arial Black;
font-family: Algerian, Arial Black;
...
font-family: Zapfino, Arial Black;

The code compares the width of the string in each of these styles against the reference width. If the width differs, the tested font is counted as installed. The idea is that if the first family in the style is installed, it will be loaded and change the width of the string; and if it is not present, the second family "Arial Black" will be used and the width won't change.

Tor Browser's short-circuit font limit patch is effectively turning all the two-family styles, after the font limit is reached, into the default system font. Since the default has different dimensions than "Arial Black", the script false detects every font as installed. Why you don't see it on GNU/Linux, is because GNU/Linux usually doesn't have the "Arial Black" font they're using for reference, so the reference width is already using the system default.

I think this is the Tor Browser patch: https://gitweb.torproject.org/tor-browser.git/commitdiff/fc24b518cfba6310e1bdfa7d1aadeffaf9e86a2c#patch10.

I wouldn't be surprised if this issue also affects things like Google Web Font Loader, because they also rely on detecting changed glyph dimensions to know when a font has been loaded.

comment:14 Changed 4 years ago by mikeperry

Keywords: tbb-fonts added

comment:15 Changed 3 years ago by bugzilla

Keywords: tbb-fingerprinting-fonts added; tbb-fingerprinting tbb-fonts removed
Severity: Normal
Note: See TracTickets for help on using tickets.