roc wrote:

> > One of the things I would like us to consider (in both Gecko and
> > Servo) is to stop using any available platform fonts by default.
> > We should keep a list of normal system fonts and only use those.
> > If a site wishes to use other fonts, they can use web fonts to
> > supply them. This would reduce font fingerprinting privacy attacks
> > and at the same time eliminate the font enumeration paths at
> > startup which are expensive.
>
> I agree this is worth exploring. The massive uptake of Web fonts has
> made this an easier step to take.
> 
> I think it might still be a difficult step to take in Gecko, because
> it will regress some use-cases for a small number of users. E.g., a
> user uses an obscure language not supported by fonts in their
> standard OS install (e.g. Windows XP), and has installed or will
> install a local font to cover that language. So it requires some
> thought and probably telemetry.
> 
> For Servo, I would pull the font.name prefs from all.js to get a
> fixed list of per-language font names to use for fallback and
> default fonts, and not implement platform font lists for now and
> hopefully not ever.

This is significantly harder to implement in practice and adversely affects 
users in non-English locales.  While there's a plethora of fonts for 
Latin-based scripts, the choices dwindle quickly for other locales.  For many 
locales, CJK included, there's basically only one or two font families to 
support the basic set of serif, sans-serif and monospace fonts.  And beyond the 
twenty most commonly used scripts we don't maintain much data on these 
environments. The data in the "font.xxx" prefs is not sufficient.

I also think trying to deal with the larger problem of fingerprinting by 
neutering various web features is a very whack-a-mole approach.  If you're 
going to experiment with something like this you need to make it work first 
under a pref before making it the default. Something like an "extended privacy 
mode" that disables a large set of features that expose underlying system 
functionality.  If script can run on a page and access any web API, I just 
think there's a very large set of possibilities for effectively sniffing out 
higher entropy characteristics.  The set of available fonts is just one small 
part of this larger milieu.  Doing this by default is a mistake.

Cheers,

John

_______________________________________________
dev-servo mailing list
https://lists.mozilla.org/listinfo/dev-servo
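
The allowlist lookup discussed in this thread, as an added example that is not part of the original message and is not Gecko or Servo code. It shows that a probe for a locally installed font resolves identically on every machine in allowlist mode, and that a language missing from the table gets no font unless the page supplies a web font. The font table, the language keys and `resolveFont` are constructed for illustration, and the allowlisted fonts are assumed to be present on every standard install.

```javascript
// Constructed data: illustrative names, not the real font.name prefs from all.js.
const ALLOWED_FONTS = ["Arial", "Times New Roman", "Courier New", "MS Gothic"];
const DEFAULTS_BY_LANG = {
  en: { "serif": "Times New Roman", "sans-serif": "Arial", "monospace": "Courier New" },
  ja: { "serif": "MS Gothic", "sans-serif": "MS Gothic", "monospace": "MS Gothic" },
};
const GENERICS = new Set(["serif", "sans-serif", "monospace"]);
const lowerSet = (names) => new Set(names.map((n) => n.toLowerCase()));

// Split a CSS font-family value into names, dropping surrounding quotes.
function parseFamilies(value) {
  return value.split(",")
    .map((s) => s.trim().replace(/^["']|["']$/g, ""))
    .filter(Boolean);
}

// Resolve a font-family list. With allowlistOnly (the proposal) the
// installedFonts list is never consulted; with allowlistOnly=false the
// function models a lookup that also matches platform fonts.
function resolveFont(value, lang, opts = {}) {
  const { webFonts = [], installedFonts = [], allowlistOnly = true } = opts;
  const web = lowerSet(webFonts);
  const allowed = lowerSet(ALLOWED_FONTS);
  const installed = lowerSet(installedFonts);
  const defaults = DEFAULTS_BY_LANG[lang] || null;
  for (const name of parseFamilies(value)) {
    const key = name.toLowerCase();
    if (web.has(key)) return { family: name, source: "web" };
    if (GENERICS.has(key)) {
      if (defaults) return { family: defaults[key], source: "default" };
      continue; // no per-language data for this generic
    }
    if (allowed.has(key)) return { family: name, source: "allowlist" };
    if (!allowlistOnly && installed.has(key)) {
      return { family: name, source: "platform" }; // observable per machine
    }
  }
  if (defaults) return { family: defaults["sans-serif"], source: "default" };
  return { family: null, source: "uncovered" }; // language absent from the table
}
```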
