roc wrote:

>> This is significantly harder to implement in practice and adversely
>> affects users in non-English locales. While there's a plethora of
>> fonts for Latin-based scripts, the choices dwindle quickly for
>> other locales. For many locales, CJK included, there's basically
>> only one or two font families to support the basic set of serif,
>> sans-serif and monospace fonts. And beyond the twenty most
>> commonly used scripts we don't maintain much data on these
>> environments. The data in the "font.xxx" prefs is not sufficient.
>
> I think we're mostly in agreement.
>
> We definitely should not be implementing all-system-fonts font
> fallback in Servo at this time. Whether it's needed or not, there is
> no uncertainty about whether/how it can be implemented in the
> context of Servo. It is therefore unimportant at this stage, when we
> should be focusing on the tasks where there is significant risk or
> uncertainty.

In Gecko currently we only do all-system-fonts fallback on XP or if a pref is explicitly set. Fonts are selected for a given character in the following order:

  fontlist (i.e. font-family: Calibri, Verdana, sans-serif)
  pref fonts for a given script (i.e. the font.xxx data)
  hard-coded lists of system fonts for given script ranges
  platform-level global font fallback -or- generic all-system-fonts fallback

The hard-coded lists will get you 95% of the way, you only need the generic fallback for the GDI case or for special situations (e.g. handling unusual scripts).

Code pointers:

hard-coded lists of system fonts:
http://mxr.mozilla.org/mozilla-central/source/gfx/thebes/gfxPlatformFontList.cpp#489

platform-level global font fallback:
DirectWrite
http://mxr.mozilla.org/mozilla-central/source/gfx/thebes/gfxDWriteFontList.cpp#1476
OSX
http://mxr.mozilla.org/mozilla-central/source/gfx/thebes/gfxMacPlatformFontList.mm#817

Generic cmap search (used on XP or if pref is enabled)
http://mxr.mozilla.org/mozilla-central/source/gfx/thebes/gfxPlatformFontList.cpp#525

>> I also think trying to deal with the larger problem of
>> fingerprinting by neutering various web features is a very
>> whack-a-mole approach. If you're going to experiment with
>> something like this you need to make it work first under a pref
>> before making it the default. Something like an "extended privacy
>> mode" that disables a large set of features that expose underlying
>> system functionality. If script can run on a page and access any
>> web API, I just think there's a very large set of possibilities for
>> effectively sniffing out higher entropy characteristics. The set
>> of available fonts is just one small part of this larger milieu.
>> Doing this by default is a mistake.
>
> Maybe, but everyone says that. It's like reducing climate emissions.

Hmm. My point is that preventing fingerprinting is not something that I think we can do by simply tweaking features here and there like this.
I think we actually need to disable a large set of features available from script to be able to prevent sniffing of the system environment. That means giving the user the option to enable a mode with the understanding that many web features won't work. That's a big choice that a user needs to make.

Neutering the availability of platform fonts has significant downsides and I don't think a browser that does this by default will be competitive in the market. An opt-in feature that disables lots of web platform features to reduce the ability to fingerprint a user, including mucking with the font list, would make sense but I don't think that's a first-pass feature requirement for Servo.

Cheers,

John

On Thu, Feb 20, 2014 at 9:07 PM, Robert O'Callahan <rob...@ocallahan.org> wrote:

> On Thu, Feb 20, 2014 at 5:55 PM, <jdaggett.li...@gmail.com> wrote:
>
>> roc wrote:
>>
>> > > One of the things I would like us to consider (in both Gecko and
>> > > Servo) is to stop using any available platform fonts by default.
>> > > We should keep a list of normal system fonts and only use those.
>> > > If a site wishes to use other fonts, they can use web fonts to
>> > > supply them. This would reduce font fingerprinting privacy attacks
>> > > and at the same time eliminate the font enumeration paths at
>> > > startup which are expensive.
>> >
>> > I agree this is worth exploring. The massive uptake of Web fonts has
>> > made this an easier step to take.
>> >
>> > I think it might still be a difficult step to take in Gecko, because
>> > it will regress some use-cases for a small number of users. E.g., a
>> > user uses an obscure language not supported by fonts in their
>> > standard OS install (e.g. Windows XP), and has installed or will
>> > install a local font to cover that language. So it requires some
>> > thought and probably telemetry.
>> >
>> > For Servo, I would pull the font.name prefs from all.js to get a
>> > fixed list of per-language font names to use for fallback and
>> > default fonts, and not implement platform font lists for now and
>> > hopefully not ever.
>>
>> This is significantly harder to implement in practice and adversely
>> affects users in non-English locales. While there's a plethora of fonts
>> for Latin-based scripts, the choices dwindle quickly for other locales.
>> For many locales, CJK included, there's basically only one or two font
>> families to support the basic set of serif, sans-serif and monospace fonts.
>> And beyond the twenty most commonly used scripts we don't maintain much
>> data on these environments. The data in the "font.xxx" prefs is not
>> sufficient.
>>
>
> I think we're mostly in agreement.
>
> We definitely should not be implementing all-system-fonts font fallback in
> Servo at this time. Whether it's needed or not, there is no uncertainty
> about whether/how it can be implemented in the context of Servo. It is
> therefore unimportant at this stage, when we should be focusing on the
> tasks where there is significant risk or uncertainty.
>
> I also think trying to deal with the larger problem of fingerprinting by
>> neutering various web features is a very whack-a-mole approach. If you're
>> going to experiment with something like this you need to make it work first
>> under a pref before making it the default. Something like an "extended
>> privacy mode" that disables a large set of features that expose underlying
>> system functionality. If script can run on a page and access any web API,
>> I just think there's a very large set of possibilities for effectively
>> sniffing out higher entropy characteristics. The set of available fonts is
>> just one small part of this larger milieu. Doing this by default is a
>> mistake.
>>
>
> Maybe, but everyone says that. It's like reducing climate emissions.
>
> Rob
> --
> Jtehsauts tshaei dS,o n" Wohfy Mdaon yhoaus eanuttehrotraiitny eovni
> le atrhtohu gthot sf oirng iyvoeu rs ihnesa.r"t sS?o Whhei csha iids teoa
> stiheer :p atroa lsyazye,d 'mYaonu,r "sGients uapr,e tfaokreg iyvoeunr,
> 'm aotr atnod sgaoy ,h o'mGee.t" uTph eann dt hwea lmka'n? gBoutt uIp
> waanndt wyeonut thoo mken.o w
>
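
The selection order listed in the message above, together with the restriction to a known list of system fonts proposed in the quoted text, modeled as an added Rust example (not Gecko or Servo code). The font names, coverage ranges, `Policy` fields and `select_font` are hypothetical, and the allowlist is assumed to apply at every stage.

```rust
// Added illustration: font names, coverage ranges and list contents are constructed.
#[derive(Debug, PartialEq, Clone, Copy)]
enum Stage { FontList, ScriptPref, HardCoded, SystemWide }
struct Font { name: &'static str, covers: &'static [(u32, u32)] }
struct Policy {
    script_prefs: &'static [&'static str], // stands in for the font.xxx pref data
    hard_coded: &'static [&'static str],   // stands in for the per-script lists
    system_wide: bool,                     // generic all-system-fonts search
    allowlist: Option<&'static [&'static str]>, // fixed set of stock fonts, if any
}

fn select_font(ch: char, font_list: &[&str], p: &Policy, installed: &[Font])
    -> Option<(&'static str, Stage)> {
    let has = |f: &Font| f.covers.iter().any(|&(lo, hi)| (lo..=hi).contains(&(ch as u32)));
    let usable = |f: &&Font| p.allowlist.map_or(true, |a| a.contains(&f.name));
    let by_name = |names: &[&str], stage: Stage| {
        names.iter().find_map(|n| {
            installed.iter().filter(usable)
                .find(|f| f.name == *n && has(*f))
                .map(|f| (f.name, stage))
        })
    };
    by_name(font_list, Stage::FontList)
        .or_else(|| by_name(p.script_prefs, Stage::ScriptPref))
        .or_else(|| by_name(p.hard_coded, Stage::HardCoded))
        .or_else(|| {
            if !p.system_wide { return None; }
            installed.iter().filter(usable).find(|f| has(*f))
                .map(|f| (f.name, Stage::SystemWide))
        })
}

// Constructed install: two stock fonts plus one user-installed font (Ogham block).
const INSTALLED: &[Font] = &[
    Font { name: "Stock Sans", covers: &[(0x20, 0x24F)] },
    Font { name: "Stock CJK", covers: &[(0x4E00, 0x9FFF)] },
    Font { name: "Local Ogham", covers: &[(0x1680, 0x169F)] },
];
const STOCK: &[&str] = &["Stock Sans", "Stock CJK"];

fn policy(system_wide: bool, restrict: bool) -> Policy {
    Policy { script_prefs: &["Stock Sans"], hard_coded: STOCK, system_wide,
             allowlist: if restrict { Some(STOCK) } else { None } }
}

fn main() {
    println!("{:?}", select_font('\u{1681}', &["Local Ogham"], &policy(true, true), INSTALLED));
}
```

With the allowlist on, the locally installed font is never selected, so its presence does not change what a page observes; the same setting is what leaves the unusual-script character without a glyph.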