--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPAf0porRkMGBo1VuCVSQZQJwHgAUb2q4D1WrJg5oXm%3DyhrjEg%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/op.z6w9xyy9rbppqq%40cicero2.linkoping.osa.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAABs73gDn3X0BtL2YMwfDSXMV9TYEreXMsfK%2B69aBS7Oy9Fy5Q%40mail.gmail.com.
How would it work for a site that has both user tracking and creation tools? For instance, Google has both the ad network and Google Docs, would approving the use of local fonts to Google Docs also make the user easily trackable?
Last I checked, Safari doesn't even allow web pages to _use_ local fonts outside a small whitelist, to reduce fingerprinting surface. I suspect they would not be on board with this new API, again outside the small whitelist.
In general, the fingerprinting angle here probably needs some thought.
-Boris
On 8/21/19 2:48 PM, Chase Phillips wrote:
c...@chromium.org,jsb...@chromium.org https://github.com/inexorabletash/font-enumeration TBD https://github.com/w3ctag/design-reviews/issues/399 Today, no API exists to provide a list of local fonts to web applications. The proposed font enumeration API gives web applications the ability to enumerate local fonts along with a small amount of metadata about each font. Font enumeration is a missing capability that has prevented modern web apps from making full use of the web platform. Web apps that want to work with local fonts require the user to upload them to a server first. In some cases, web apps ask users to install a separate local program that provides additional capabilities like font enumeration and offers local fonts as a WebFont in order to work around this missing API. The font enumeration API will let a web app get access to a list of local fonts and some metadata without requiring these workarounds.--This API has been designed to support feature detection to allow applications to gracefully degrade based on the capabilities different user agents offer. If this feature were removed from the platform, sites would lose the ability to enumerate local fonts but otherwise are expected to continue to function. Web / Framework developers: Firefox: No public signals Edge: No public signals Safari: No public signals Web developers: Strongly positive (https://crbug.com/535764#c2) Very positive support from web applications that interact with local fonts, such as Figma. This feature will frequently be used in tandem with the Font Table Access API, which is another newly proposed API. We expect font enumeration to be useful even without table access, which is why they are being proposed separately. Developers will be able to take advantage of this feature immediately since it uses the same available local fonts that other native applications have access to. The API makes it possible to add a font picker (either UX-driven or algorithmic) and API usage will see more traction once popular UI libraries build font pickers on top of it. The API provides access to table data in local fonts which can expose additional information about a user's installed configuration to a web application. This new API is behind a permission prompt, making this an active fingerprinting target. See the TAG review's security and privacy questionnaire for more info: https://github.com/inexorabletash/font-enumeration/blob/master/security-privacy.mdNo special considerations. Yes All Blink platforms make use of local fonts, so this feature is useful on all platforms. No TBD https://www.chromestatus.com/feature/6234451761692672
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blin...@chromium.org.
On Fri, Aug 23, 2019 at 4:44 AM Chase Phillips <c...@chromium.org> wrote:On Thu, Aug 22, 2019 at 7:31 PM Chase Phillips <c...@chromium.org> wrote:Thanks for your feedback so far, Daniel, Ashely, and Emil.On Thu, Aug 22, 2019 at 4:52 AM Daniel Bratell <bra...@opera.com> wrote:How would it work for a site that has both user tracking and creation tools? For instance, Google has both the ad network and Google Docs, would approving the use of local fonts to Google Docs also make the user easily trackable?Hi Daniel, the requested permission is origin-scoped.For other powerful APIs, we've ensured the APIs are only available from the top-level context through a feature policy.We can commit to that restriction here so only the document whose URL is being displayed will be granted the permission by default. I'll update the explainer.I should also mention that one of our goals restricts this API to secure contexts. By combining that goal, granting permission only in top-level frames by default, and using feature policy to delegate, this will in part ensure that we're consistent with the rest of the platform.For specifics about how we might time or usage-limit access, we defer that to improvements to the Permissions API.Hi, just wanted to make sure this will go through privacy + security review once it's ready.
This does look like it's all on the right track, and I suspect with a user permission we have adequate protection against the fingerprinting risks. It's hard to be sure without having all the pieces in place, though.
One (minor) nitpick on the priv + sec questionnaire: For "incognito mode", this considers as an alternative an anonymous, fixed set of fonts. That reduces fingerprinting at the expense of creating an Incognito-distinguisher, which might not be a good bet. It's likely better to also ask for permission there.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CALG6KPNDNHjJHT2QcN7%3DE6ebCmSMFcnV2b%2BxLRAOETay-eUSxg%40mail.gmail.com.
That's a good point and something we'll get added to the explainer. The API is designed to provide UAs the ability to filter the provided list, particularly in a "low trust" or "low engagement" mode. Like most of these APIs, UA's can also auto-deny the ability to request the permission -- hence the asynchronous permission request.
Last I checked, Safari doesn't even allow web pages to _use_ local fonts outside a small whitelist, to reduce fingerprinting surface. I suspect they would not be on board with this new API, again outside the small whitelist.
One (minor) nitpick on the priv + sec questionnaire: For "incognito mode", this considers as an alternative an anonymous, fixed set of fonts. That reduces fingerprinting at the expense of creating an Incognito-distinguisher, which might not be a good bet. It's likely better to also ask for permission there.