We are landing the change in Bug 1826408
<https://bugzilla.mozilla.org/show_bug.cgi?id=1826408> to restrict font
visibility for private windows in Nightly only from Firefox 114.

The upcoming change will limit website font visibility to system fonts and
installed language packs in private windows, while leaving font access
unrestricted in normal windows.


On Tue, Apr 11, 2023 at 7:21 PM Tom Ritter <[email protected]> wrote:

> We intend to enable font visibility restrictions on Nightly in PBM
> that will prevent all non-system, non-langpack fonts from being used
> (and therefore detected) by websites. This will mitigate a large
> source of entropy in a user's fingerprint. Caveats below.
>
>
> Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1826408
> Specification: n/a
> Standards Body: n/a
>
>
> Platform coverage: It will apply on Windows, Mac, Ubuntu, and Fedora.
> It will be enabled but non-functional on Android and other Linux
> distros. (Meaning the pref will be ‘true’, but it won’t do anything.)
>
>
> Preference:
>
> A value of 3 means unrestricted font access. 2 means System and
> Langpack fonts, and 1 means system fonts only.
>
> layout.css.font-visibility.standard controls the behavior for all windows
> layout.css.font-visibility.trackingprotection controls the behavior
> for sites with ETP enabled
> layout.css.font-visibility.private controls the behavior in PBM
>
> As part of this work, we will be setting
> `layout.css.font-visibility.private` to 2 to restrict font visibility
> in Nightly private windows.
>
>
> DevTools: A console message will be logged upon a font being blocked.
> However, while filing
> https://bugzilla.mozilla.org/show_bug.cgi?id=1826419 I noticed this
> may not work in all instances.
>
>
> Blink: I'm not aware of Blink doing anything in this space.
>
>
> WebKit: "font availability [in] web content [only includes] web fonts
> and fonts that come with the operating system, but not locally
> user-installed fonts. Web fonts and the common set of web-safe fonts,
> as well as other OS-bundled fonts, are still available." -
> https://webkit.org/tracking-prevention/
>
>
> Tests: None. I believe that it is difficult to write tests for this
> feature as it requires explicit configuration of test machines with
> locally installed fonts.  Manual testing has been performed.
>
>
> Breakage: This could cause breakage.  Because we are not excluding
> langpacks right now, we think it will be minimal, but this exercise is
> intended to validate that assumption. We are also designing a release
> experiment to see how this affects various telemetry signals, such as
> page refreshes or ETP opt-outs.  (Opting out of ETP will disable the
> restrictions, but this behavior is currently not easily discoverable.
> We are brainstorming ways to detect and correct breakage automatically
> or by prompting the user. Results of this prototype and release
> experiment will determine how important those mechanisms are and how
> they will be prioritized.) We'll have that telemetry in Nightly also,
> but it's noisy and less representative.
>
>
> Caveats: We determine if a font is a system or language pack font
> based on a hardcoded list.  We have no such list for Android, nor
> Linux distros other than Ubuntu & Fedora. So those platforms will have
> no change in behavior. The lists themselves are to some extent out of
> date; we don't know how badly right now, but fixing them is in our
> task queue.
>
> --
> You received this message because you are subscribed to the Google Groups "
> [email protected]" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/CADua4_uuG6UCPqDP6Gy_b9_YcVitZgc7zXUz4%2Bfim7jZBziFuA%40mail.gmail.com
> .
>
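
One way to check which font-visibility levels a Firefox profile pins, as an added example that is not part of the original thread or Mozilla's code. The pref names and the meaning of levels 1 to 3 come from the message above; the function names and the sample file contents are constructed for illustration, and the parser only handles single-line `user_pref(...)` entries as written in `user.js` / `prefs.js`.

```python
import re

# Pref names and level meanings as described in the message above.
PREFS = {
    "layout.css.font-visibility.standard": "all windows",
    "layout.css.font-visibility.trackingprotection": "sites with ETP enabled",
    "layout.css.font-visibility.private": "private windows (PBM)",
}
LEVELS = {1: "system fonts only", 2: "system and langpack fonts", 3: "unrestricted"}

# Integer pref lines, e.g. user_pref("name", 2); lines starting with // do not match.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(-?\d+)\s*\)\s*;')

def read_font_visibility(text):
    """Return {pref: int} for font-visibility prefs set in the file text."""
    found = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) in PREFS:
            found[m.group(1)] = int(m.group(2))  # last assignment in the file wins
    return found

def audit(text):
    """Return one (pref, status, detail) tuple per font-visibility pref."""
    found = read_font_visibility(text)
    report = []
    for pref, scope in PREFS.items():
        value = found.get(pref)
        if value is None:
            report.append((pref, "unset", f"{scope}: build default applies"))
        elif value not in LEVELS:
            report.append((pref, "invalid", f"{scope}: {value} is not 1, 2 or 3"))
        else:
            status = "unrestricted" if value == 3 else "restricted"
            report.append((pref, status, f"{scope}: {LEVELS[value]}"))
    return report

# Constructed sample profile file, not taken from a real profile.
SAMPLE = """\
user_pref("layout.css.font-visibility.private", 3);
// user_pref("layout.css.font-visibility.standard", 1);
user_pref("layout.css.font-visibility.trackingprotection", 2);
user_pref("layout.css.font-visibility.private", 2);
"""

if __name__ == "__main__":
    for pref, status, detail in audit(SAMPLE):
        print(f"{status:13} {pref}  ({detail})")
```

An "unset" result means the profile does not override the pref, so whatever the installed build ships applies; the script cannot see that default.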
