On Thu, Feb 20, 2014 at 5:55 PM, <jdaggett.li...@gmail.com> wrote: > roc wrote: > > > > One of the things I would like us to consider (in both Gecko and > > > Servo) is to stop using any available platform fonts by default. > > > We should keep a list of normal system fonts and only use those. > > > If a site wishes to use other fonts, they can use web fonts to > > > supply them. This would reduce font fingerprinting privacy attacks > > > and at the same time eliminate the font enumeration paths at > > > startup which are expensive. > > > > I agree this is worth exploring. The massive uptake of Web fonts has > > made this an easier step to take. > > > > I think it might still be a difficult step to take in Gecko, because > > it will regress some use-cases for a small number of users. E.g., a > > user uses an obscure language not supported by fonts in their > > standard OS install (e.g. Windows XP), and has installed or will > > install a local font to cover that language. So it requires some > > thought and probably telemetry. > > > > For Servo, I would pull the font.name prefs from all.js to get a > > fixed list of per-language font names to use for fallback and > > default fonts, and not implement platform font lists for now and > > hopefully not ever. > > This is significantly harder to implement in practice and adversely > affects users in non-English locales. While there's a plethora of fonts > for Latin-based scripts, the choices dwindle quickly for other locales. > For many locales, CJK included, there's basically only one or two font > families to support the basic set of serif, sans-serif and monospace fonts. > And beyond the twenty most commonly used scripts we don't maintain much > data on these environments. The data in the "font.xxx" prefs is not > sufficient. >
I think we're mostly in agreement. We definitely should not be implementing all-system-fonts font fallback in Servo at this time. Whether it's needed or not, there is no uncertainty about whether/how it can be implemented in the context of Servo. It is therefore unimportant at this stage, when we should be focusing on the tasks where there is significant risk or uncertainty. I also think trying to deal with the larger problem of fingerprinting by > neutering various web features is a very whack-a-mole approach. If you're > going to experiment with something like this you need to make it work first > under a pref before making it the default. Something like an "extended > privacy mode" that disables a large set of features that expose underlying > system functionality. If script can run on a page and access any web API, > I just think there's a very large set of possibilities for effectively > sniffing out higher entropy characteristics. The set of available fonts is > just one small part of this larger milieu. Doing this by default is a > mistake. > Maybe, but everyone says that. It's like reducing climate emissions. Rob -- Jtehsauts tshaei dS,o n" Wohfy Mdaon yhoaus eanuttehrotraiitny eovni le atrhtohu gthot sf oirng iyvoeu rs ihnesa.r"t sS?o Whhei csha iids teoa stiheer :p atroa lsyazye,d 'mYaonu,r "sGients uapr,e tfaokreg iyvoeunr, 'm aotr atnod sgaoy ,h o'mGee.t" uTph eann dt hwea lmka'n? gBoutt uIp waanndt wyeonut thoo mken.o w _______________________________________________ dev-servo mailing list dev-servo@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-servo
