We intend to enable font visibility restrictions on Nightly in PBM
that will prevent all non-system, non-langpack fonts from being used
(and therefore detected) by websites. This will mitigate a large
source of entropy in a user's fingerprint. Caveats below.
Bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1826408
Specification: n/a
Standards Body: n/a
Platform coverage: It will apply on Windows, Mac, Ubuntu, and Fedora.
It will be enabled but non-functional on Android and other Linux
distros. (Meaning the pref will be ‘true’, but it won’t do anything.)
Preference:
A value of 3 means unrestricted font access. 2 means System and
Langpack fonts, and 1 means system fonts only.
- layout.css.font-visibility.standard controls the behavior for all windows
- layout.css.font-visibility.trackingprotection controls the behavior for sites with ETP enabled
- layout.css.font-visibility.private controls the behavior in PBM
As part of this work, we will be setting
`layout.css.font-visibility.private` to 2 to restrict font visibility
in Nightly private windows.
DevTools: A console message will be logged upon a font being blocked.
However, while filing
https://bugzilla.mozilla.org/show_bug.cgi?id=1826419 I noticed this
may not work in all instances.
Blink: I'm not aware of Blink doing anything in this space.
WebKit: "font availability [in] web content [only includes] web fonts
and fonts that come with the operating system, but not locally
user-installed fonts. Web fonts and the common set of web-safe fonts,
as well as other OS-bundled fonts, are still available." -
https://webkit.org/tracking-prevention/
Tests: None. I believe that it is difficult to write tests for this
feature as it requires explicit configuration of test machines with
locally installed fonts. Manual testing has been performed.
Breakage: This could cause breakage. Because we are not excluding
langpacks right now, we think it will be minimal, but this exercise is
intended to validate that assumption. We are also designing a release
experiment to see how this affects various telemetry signals, such as
page refreshes or ETP opt-outs. (Opting out of ETP will disable the
restrictions, but this behavior is currently not easily discoverable.
We are brainstorming ways to detect and correct breakage automatically
or by prompting the user. Results of this prototype and release
experiment will determine how important those mechanisms are and how
they will be prioritized.) We'll have that telemetry in Nightly also,
but it's noisy and less representative.
Caveats: We determine if a font is a system or language pack font
based on a hardcoded list. We have no such list for Android, nor
Linux distros other than Ubuntu & Fedora. So those platforms will have
no change in behavior. The lists themselves are to some extent out of
date; we don't know how badly right now, but fixing them is in our
task queue.
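
A way to check which of the three font-visibility preferences named in the Preference section are set in a profile, and what each value means according to the post. This is an added example, not part of the original post or Mozilla's code; it assumes the standard `user_pref("name", value);` line format of a profile's prefs.js or user.js, and the sample input is constructed.

```python
import re

# Value meanings as stated in the post above.
LEVELS = {1: "system fonts only", 2: "system and langpack fonts", 3: "unrestricted"}
# Pref names from the post, keyed to the context each one governs.
PREFS = {
    "layout.css.font-visibility.standard": "all windows",
    "layout.css.font-visibility.trackingprotection": "sites with ETP enabled",
    "layout.css.font-visibility.private": "private browsing",
}
# prefs.js / user.js line format: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_prefs(text):
    """Return {name: raw value string} for the font-visibility prefs; later lines win."""
    found = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)  # commented-out lines do not match
        if m and m.group(1) in PREFS:
            found[m.group(1)] = m.group(2)
    return found

def audit(text):
    """Return {pref: (status, detail)}; status is 'unset', 'invalid' or 'ok'."""
    found = parse_prefs(text)
    report = {}
    for name in PREFS:
        raw = found.get(name)
        if raw is None:
            report[name] = ("unset", "not in this file; the build default applies")
        elif not re.fullmatch(r"[123]", raw):
            # Catches string-typed or out-of-range values such as "3" or 0.
            report[name] = ("invalid", f"unexpected value {raw}")
        else:
            report[name] = ("ok", LEVELS[int(raw)])
    return report

# Constructed sample input, not taken from a real profile.
SAMPLE = '''\
user_pref("browser.startup.page", 3);
user_pref("layout.css.font-visibility.private", 2);
user_pref("layout.css.font-visibility.standard", "3");
// user_pref("layout.css.font-visibility.trackingprotection", 1);
'''

if __name__ == "__main__":
    for pref, (status, detail) in audit(SAMPLE).items():
        print(f"{pref} [{PREFS[pref]}]: {status}: {detail}")
```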