Opened 4 years ago

Last modified 5 months ago

#18364 new defect

Tor Browser in Gnu+Linux doesn't support Dingbats properly

Reported by: erchewin Owned by: tbb-team
Priority: High Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-fingerprinting-fonts
Cc: arthuredelstein Actual Points:
Parent ID: #18172 Points:
Reviewer: Sponsor:

Description

See http://danshort.com/HTMLentities/index.php?w=dingb

For example, ✗ (Ballot X) is not supported. Other browsers I use support all characters from that page.

Child Tickets

TicketStatusOwnerSummaryComponent
#18860needs_informationtbb-teamReply button text and text editing Dingbats in Trac are not visible on Gnu+Linux TBBApplications/Tor Browser
#21320newtbb-teamGlyphs/Dingbats in uBlock Origin TBB not displaying in Gnu+LinuxApplications/Tor Browser

Change History (15)

comment:1 Changed 4 years ago by cypherpunks

Keywords: tbb-fingerprinting-fonts added

I suspect this is not an XML/HTML entity problem, but a font-related issue. Maybe the fonts bundled with Tor Browser simply don't contain the relevant glyphs.

comment:2 Changed 4 years ago by gk

Cc: arthuredelstein added
Parent ID: #18097

comment:3 Changed 3 years ago by vegansalad

I've been experiencing the same problem. For reference, I added to this ticket over here: #18172

Last edited 3 years ago by vegansalad (previous) (diff)

comment:4 Changed 3 years ago by vegansalad

Priority: MediumHigh

comment:5 Changed 3 years ago by vegansalad

This error is also causing problems on our Trac page right now: #18860 In addition to Linux TBB not supporting the "reply" button on the right side of every comment in https://trac.torproject.org/projects/tor/report I'm also not able to view the "bold" "italic" "link" or any other icons above the box that I'm typing in right now. I'm assuming that this is the same for all Linux TBB users that are using this site right now. Tails closed the ticket that I opened with them, saying that this seems to be squarely a Linux TBB issue. https://labs.riseup.net/code/issues/12154

Last edited 3 years ago by vegansalad (previous) (diff)

comment:6 Changed 3 years ago by vegansalad

Summary: Tor Browser doesn't support some HTML EntitiesTor Browser in Gnu+Linux doesn't support Dingbats properly

comment:7 Changed 3 years ago by vegansalad

I'm curious which way the TBB community is looking to go from here.

Does a new font need to be packaged for Linux TBB that renders Dingbats / Glyphs / Older Unicode?

Does it already have a font that renders them properly, but there isn't proper font fallbacks in place?

Are the web and app developers, including uBlock and Trac (see child tickets) at fault for including these things in their code? Is it a security vulnerability to render old unicode images?

If the third one is true, we should develop a document that explains the secure way to use them or ways to replace them with something else.

comment:8 Changed 3 years ago by vegansalad

Can someone please respond to this ticket? Trac.torproject.org is broken. uBlock is broken. MANY SITES on the internet are broken. We really should talk about this.

comment:9 in reply to:  7 ; Changed 3 years ago by yawning

Replying to vegansalad:

Does a new font need to be packaged for Linux TBB that renders Dingbats / Glyphs / Older Unicode?

Well. None of the bundled fonts include the Dingbats Unicode code block.

Bundling NotoSansSymbols-Regular.ttf (832 KiB) along with some font-config trickery would be an improvement, though I am uncertain as to how real browser developers want to handle the download/bundle space vs coverage tradeoff.

comment:10 in reply to:  9 ; Changed 3 years ago by vegansalad

Replying to yawning:

Replying to vegansalad:

Does a new font need to be packaged for Linux TBB that renders Dingbats / Glyphs / Older Unicode?

Well. None of the bundled fonts include the Dingbats Unicode code block.

Bundling NotoSansSymbols-Regular.ttf (832 KiB) along with some font-config trickery would be an improvement, though I am uncertain as to how real browser developers want to handle the download/bundle space vs coverage tradeoff.

The coverage is vast, including this very Trac. The download/bundle space addition is small. I'm sorry, but why the frack is this issue not being given the time of day? Please let me know how I can move things forward in a healthy way.

comment:11 in reply to:  10 Changed 3 years ago by gk

Replying to vegansalad:

Replying to yawning:

Replying to vegansalad:

Does a new font need to be packaged for Linux TBB that renders Dingbats / Glyphs / Older Unicode?

Well. None of the bundled fonts include the Dingbats Unicode code block.

Bundling NotoSansSymbols-Regular.ttf (832 KiB) along with some font-config trickery would be an improvement, though I am uncertain as to how real browser developers want to handle the download/bundle space vs coverage tradeoff.

The coverage is vast, including this very Trac. The download/bundle space addition is small. I'm sorry, but why the frack is this issue not being given the time of day? Please let me know how I can move things forward in a healthy way.

Witing a patch, testing it and, if all works well, attaching it to this ticket + setting the status of it to needs_review would be such a way.

comment:12 Changed 18 months ago by vegansalad

Dingbats / Wingdigs / Unicode / Emojis

Whatever you'd like to call them, many of them are broken in Tor Browser and have been for a very long time. I understand that font fingerprinting needs to be addressed in a robust way because it protects against font enumeration attacks. However, there doesn't seem to be much work being done to fix the bugs that this security mitigation technique has introduced.

This seems to affect Linux users of TBB the most, but joel2017 says that it is still causing problems for windows users. https://trac.torproject.org/projects/tor/ticket/18172#comment:34

As was stated over two years ago, this issue seems to cause issues on the tor project trac itself! Right now as I'm on this page, the "reply to comment" icon to the right of every comment is blank due to this bug (that is, if I'm understanding the bug correctly). https://trac.torproject.org/projects/tor/ticket/18860

For Tails users that use the default TBB browser, this bug also still causes a bug in uBlock Origin https://trac.torproject.org/projects/tor/ticket/21320

A proposal has been made to improve the list of TBB font whitelist / bundled fonts by soliciting user feedback. I agree that it would be a useful project to go through each of the fonts on each platform and see if there are better fonts that could be used instead. https://trac.torproject.org/projects/tor/ticket/20842 I've posted some comments over there as well about how we could potentially move this proposal into a reality.

In the mean time, assuming such a large project would take up a lot of time and resources, my quick suggestion to hopefully fix this specific ticket is to add fonts-noto-color-emoji to the list of Google Noto fonts shipped with the GNU+Linux version of TBB. This is an official Debian package now: https://packages.debian.org/buster/fonts-noto-color-emoji and the binary is available https://github.com/googlei18n/noto-emoji/releases If it would be preferable to get this in stretch-backports as well, please let me know and I'll do my best to pursue this.

Can anyone out there add fonts-noto-color-emoji to the Tor Browser for GNU+Linux so I can test to see if it fixes the multiple unicode errors that I have been consistently seeing for the last few years while using TBB as my daily driver?

Also, it seems as though Debian is just using the binary from the noto-emoji Github Releases page instead of building it from source: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848198#64

It'd be preferable, I assume, to build the font from source.

Apparently nototools and fonttools are needed to build this font from source. https://github.com/googlei18n/noto-emoji/#building-notocoloremoji

It should be noted that fonttools, which is required to build the font from source, has been switched over to the MIT license roughly six months ago, so this font should now be able to be built from source with all free software build tools: https://github.com/fonttools/fonttools/commit/b990a019dd7d95bbea9e0e823848827933691790

Nototools also seems to have a free license https://github.com/googlei18n/nototools/blob/master/LICENSE

Are there any blockers to adding fonts-noto-color-emoji to the list of fonts in #ifdef XP_LINUX that I'm not aware of? https://gitweb.torproject.org/tor-browser.git/tree/browser/app/profile/000-tor-browser.js?h=tor-browser-52.8.0esr-7.5-1#n389

Last edited 18 months ago by vegansalad (previous) (diff)

comment:13 Changed 18 months ago by gk

Thanks for this helpful comment. The idea of building the fonts from source is pretty interesting. Right now we are shipping the fonts as they come from Google. I opened #26302 for investigating the source code approach.

There is no need to have anything in Debian in order to make progress, but thanks for the offer trying to move things forward in case it were needed.

And, no, I don't see any blockers other than someone sitting down, writing the patch, building the bundle and testing it. Am I seeing this right, that this font alone is 7MB in size? That's quite a lot...

comment:14 Changed 18 months ago by gk

Parent ID: #18097#18172

comment:15 Changed 5 months ago by vegansalad

I'd still really love it if someone could write a patch to add fonts-noto-color-emoji to Tor Browser.

As was stated over three years ago, this issue seems to cause issues on this tor project trac itself! Right now as I'm on this page, if you are using the Linux version of Tor Browser, the "reply to comment" icon to the right of every comment is blank due to this bug (that is, if I'm understanding the bug correctly). https://trac.torproject.org/projects/tor/ticket/18860

Note: See TracTickets for help on using tickets.