What are the privacy implications of enforcing an obscure font browser-wide (Firefox)? Are the websites aware that they’re not using some generic/default font?

First of all, you can assume the server can infer this in a number of ways - there is actually no way to fully block it, but we can try.

The main issue for privacy is that it makes your browser behave in ways that are a bit too specific (i.e. less private by comparison with the rest of the browsers in the known universe).

As for techniques the site can use:

  • JavaScript can test the geometry of something that was rendered to draw conclusions - was this font actually used? test several options and check for variations
  • measure font work between network events i.e. generate a site that makes the browser use unique links for 1) fetches a font 2) renders text and 3) only then another fetch - measure the time between 1) and 3) and draw conclusions. Repeat for test cases and draw conclusions - e.g. is the browser really fast using monospace vs custom huge font? not a great method, but not completely worthless
  • some techniques can actually do some of this without JavaScript, provided you can generate some weird CSS/HTML that conditionally triggers a fetch

By the way, not downloading the fonts also makes you “less private”. Some of this is a stretch but not impossible.

Now for a more practical problem. Lots of sites use custom fonts for icons. Which means some sites will be very hard to use, because they only display buttons with an icon (actually a letter with a custom font).

FWIW these two lines are in my Firefox profile to disable downloads and skip document provided fonts:

user_pref("gfx.downloadable_fonts.enabled", false);
user_pref("browser.display.use_document_fonts", 0);

If someone has better/different settings please share.

Finally the Tor browser folks did good work on privacy protections over FF. Maybe their issue tracker is a good source of inspiration https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/18097
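
A small audit of a profile's user.js for the two prefs quoted in the comment above, as an added example that is not part of the original comment. The sample file contents are constructed, and `privacy.resistFingerprinting` is assumed to be the pref behind the "RFP" mentioned elsewhere in the thread.

```python
import json
import re

# The two settings quoted in the comment above.
EXPECTED = {
    "gfx.downloadable_fonts.enabled": False,
    "browser.display.use_document_fonts": 0,
}
RFP_PREF = "privacy.resistFingerprinting"  # assumption: the thread's "RFP"

# Lines starting with // do not match, so commented-out prefs are skipped.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.MULTILINE)

def parse_user_js(text):
    """Return {pref: value}; a later user_pref line overrides an earlier one."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)  # drop /* ... */ blocks
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        try:
            prefs[name] = json.loads(raw)  # true/false, integers, "strings"
        except ValueError:
            prefs[name] = raw  # keep anything unusual verbatim
    return prefs

def audit(text):
    """Return (pref, status, actual) tuples for the font-related prefs."""
    prefs = parse_user_js(text)
    report = []
    for name, want in EXPECTED.items():
        got = prefs.get(name)
        if name not in prefs:
            report.append((name, "missing", None))
        elif type(got) is type(want) and got == want:  # strict: False is not 0
            report.append((name, "ok", got))
        else:
            report.append((name, "differs", got))
    rfp = prefs.get(RFP_PREF)
    report.append((RFP_PREF, "enabled" if rfp is True else "not set", rfp))
    return report

# Constructed sample, not a real profile.
SAMPLE = """
user_pref("gfx.downloadable_fonts.enabled", false);
user_pref("browser.display.use_document_fonts", 0);
/* user_pref("privacy.resistFingerprinting", true); */
user_pref("browser.display.use_document_fonts", 1);  // later line wins
"""

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row)
```
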

@thayer@lemmy.ca

Perhaps more importantly, websites can determine which fonts are installed on your system (regardless of which you’re enforcing), making fingerprinting much easier.

Literally why is this necessary on a technical level? I’m a web developer, whenever I need my JavaScript to access a resource I have to spell out where to find it. I’ve never had a need to scan the browser or the system to make shit happen so why should I be able to in the first place?

@driveway@lemmy.zip

RFP probably ensures you give out a predetermined set of fonts as installed.

The websites will just think that it’s your default font.
