Intent to Prototype: Limiting Access to Local Fonts

[Chromestatus]

Contact emails

ta...@google.com, riz...@google.com

Explainer

https://github.com/explainers-by-googlers/limiting-local-fonts-access?tab=readme-ov-file

Specification

None

Summary

Limits the fonts websites can use to only the default system fonts installed by the operating system. The unique set of locally installed fonts can be used for cross-site user tracking by measuring the side-effects of font rendering. By restricting user-installed font access, we aim to improve user privacy.

Blink component

Blink>Fonts

Motivation

Users have unique font collections on their devices, and this uniqueness can be exploited to track them across the web by analyzing font rendering. This undermines user privacy by allowing websites to re-identify individuals. To mitigate this privacy risk, a solution is needed to limit websites' access to a user's set of locally installed fonts. Recent CSS working group discussions have also brought up the idea of prescribing user agents to not expose user-installed fonts on the web as a privacy protecting measure. These measures mirror Safari’s approach of limiting local font availability by restricting to fonts that are bundled with the operating system by default.

Initial public proposal

https://github.com/explainers-by-googlers/limiting-local-fonts-access

TAG review

None

TAG review status

Pending

Risks

Interoperability and Compatibility

None

Gecko: Shipped/Shipping (https://support.mozilla.org/en-US/kb/firefox-protection-against-fingerprinting#:~:text=Enable%20Fingerprinting%20Protection%3A%20To%20control,Known%20fingerprinters%20and%20Suspected%20fingerprinters)

WebKit: Shipped/Shipping (https://webkit.org/tracking-prevention)

Web developers: No signals

Other signals:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None

Debuggability

None

Is this feature fully tested by web-platform-tests?

No

Flag name on about://flags

None

Finch feature name

None

Non-finch justification

None

Requires code in //chrome?

False

Estimated milestones

DevTrial on desktop

138

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5185489285677056?gate=5188393555984384

This intent message was generated by Chrome Platform Status.

[Ashley Gullen]

Presumably this does not affect the Local Font Access API (queryLocalFonts())? Once that method has resolved will the returned fonts then be allowed to be used in font rendering?

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/67edade5.170a0220.2d63e1.0a6e.GAE%40google.com.

[Mike Taylor]

That seems to be covered in a few places in the explainer, but most clearly at https://github.com/explainers-by-googlers/limiting-local-fonts-access?tab=readme-ov-file#limiting-to-local-fonts-will-break-my-application-what-should-i-do

To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAABs73hDOiXbEBdE%3DBj%2Bh_4AZjOCaszW_u2xKKehfsRQE%3DScyA%40mail.gmail.com.

[Jeffrey Yasskin]

I see (in your explainer) that the CSSWG is working on this problem in https://github.com/w3c/csswg-drafts/issues/11753. Even though we have the 'explainers-by-googlers' space available for early projects, it's better to do widely-agreed work in established CGs and WGs. Can you move this explainer into the CSS repository and work on it with the WG, or is there some reason you think that would slow down its progress toward cross-browser consensus?

Thanks,

Jeffrey

--

[Kevin Babbitt]

Hello,

 

Is there a crbug tracking implementation of this feature?

 

Thanks

Kevin

To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/09f7c28a-9062-4d88-919b-ebbdd0dfc466%40chromium.org.