Opened 8 years ago

Closed 6 years ago

Last modified 5 years ago

#4797 closed task (duplicate)

Deploy Camilo's Generic Font Limiting Patch

Reported by: mikeperry Owned by: mikeperry
Priority: Medium Milestone:
Component: Firefox Patch Issues Version:
Severity: Keywords:
Cc: pde, cviecco, g.koppen@…, StrangeCharm, arthuredelstein@… Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

We need to find some font snobs to sniff out minimum acceptable values for the #2872 patch that don't make the web look like shit.

Child Tickets

Attachments (1)

use_only_generic_fonts.patch (7.1 KB) - added by mikeperry 7 years ago.
Camilo's generic-font limiting patch

Download all attachments as: .zip

Change History (14)

comment:1 Changed 7 years ago by mikeperry

Milestone: TorBrowserBundle 2.3.x-stable
Priority: normalmajor
Summary: Find some font snobs to test font-limiting patchFind some font snobs to test font-limiting patches

Camilo has created an alternate version of font limiting that gives us a pref to restrict the font loading to the six generic fonts only (http://www.w3.org/TR/CSS2/fonts.html#generic-font-families).

He's still working on the patch to ensure it does not block WebFonts, but I've attached an early draft.

Supposedly the following websites look off:

http://www.travelocity.com/ -> looks weird
http://www.expedia.com/ -> lower part of the page misrendered
http://developer.yahoo.com/yui/datatable/ -> function names are not rendered in monospace
http://i-ville.net/fonts.html -> misrendered due to site braindamage
http://gmoc-db.grnoc.iu.edu/

Here are some multi-lingual sites that looked ok (covering arabic, thai, jewish, japanese,chinese,korean and hindi):

aljazeera,
http://thai.tourismthailand.org/home/search/search-result/index.php?id=185&cat_id=5&event_id=2969&L=2
http://www.haaretz.co.il/
http://www3.nhk.or.jp/
http://www.xinhuanet.com/
http://www.donga.com/
http://in.jagran.yahoo.com/

Changed 7 years ago by mikeperry

Camilo's generic-font limiting patch

comment:2 Changed 7 years ago by pde

Cool!  Worth considering whether this needs to block fonts that are fetched as CSS resources since in principle those should not be particularly fingerprintable.  My reading of the patch is that it would block those, which might be simpler than telling where each font came from in order to decide whether to block it or not.

comment:3 Changed 7 years ago by mikeperry

comment:4 in reply to:  2 Changed 7 years ago by mikeperry

Replying to pde:

Cool!  Worth considering whether this needs to block fonts that are fetched as CSS resources since in principle those should not be particularly fingerprintable.  My reading of the patch is that it would block those, which might be simpler than telling where each font came from in order to decide whether to block it or not.

Yeah, Camilo and I have discussed this. I think that we should allow WebFonts if possible, too. Or at least, it should be an independent decision. I think my font limiting patch may also have the same problem, though...

comment:5 Changed 7 years ago by cviecco

Cc: cviecco added

comment:6 Changed 7 years ago by mikeperry

Repaste of https://trac.torproject.org/projects/tor/ticket/2872#comment:20 so we don't miss it:

Replying to cviecco:

Mozilla has a bug about this at: https://bugzilla.mozilla.org/show_bug.cgi?id=732096 . A Different approach is used, that is to limit the fonts to use only the generic font family. It is doubtful the current Tor font patch would be merged upstream as fonts can still be enumerated, just more slowly. The generic approach prevents this but makes many websites (that have incomplete font-familiy stacks) look strange.

I am OK with this, especially since as Camilo pointed out privately, you can probably detect OS in just a couple of font probes.

Also, if Mozilla adopts the more restrictive approach and makes it a Private Browsing Mode default, sites are more likely to adapt. Especially if WebFonts can be allowed.

comment:7 Changed 7 years ago by gk

Cc: g.koppen@… added

comment:8 Changed 7 years ago by mikeperry

Keywords: MikePerry201203 added

comment:9 Changed 7 years ago by mikeperry

Keywords: MikePerry201204 added; MikePerry201203 removed
Summary: Find some font snobs to test font-limiting patchesDeploy Camilo's Generic Font Limiting Patch

I slipped on this last month.

I think we should just deploy Camilo's patch and see if anyone complains. I am more concerned by the ability to fingerprint OS through fonts than ugly looking sites.

comment:10 Changed 7 years ago by StrangeCharm

Cc: StrangeCharm added

comment:11 Changed 7 years ago by mikeperry

Keywords: MikePerry201204 removed

Poor Camilo is demoralized by Mozilla inertia and has decided to tackle lower hanging fruit. Plus there's may be a few more intl wrinkles with this approach. We're going to keep our patches for now.

comment:12 Changed 6 years ago by mikeperry

Milestone: TorBrowserBundle 2.3.x-stable
Priority: majornormal
Resolution: duplicate
Status: newclosed

I think limiting the number of font queries and/or providing universal/base font pack is the best solution to this issue.

comment:13 Changed 5 years ago by arthuredelstein

Cc: arthuredelstein@… added
Note: See TracTickets for help on using tickets.