Bug 41116: Normalize system fonts.

System fonts are an enormous fingerprinting vector. Even with font allow lists and with our custom configuration on Linux, which counter metrics measurements, getComputedStyle leaks several details. This patch counters both these kinds of attacks.

Bug 41116: Normalize system fonts.
0fb789f4 · Pier Angelo Vendrame · 26762bb9 · 0fb789f4 · 0fb789f4
Verified Commit 0fb789f4 authored Sep 19, 2022 by Pier Angelo Vendrame
--- a/gfx/thebes/gfxPlatformFontList.cpp
+++ b/gfx/thebes/gfxPlatformFontList.cpp
@@ -1917,6 +1917,14 @@ static void GetSystemUIFontFamilies([[maybe_unused]] nsAtom* aLangGroup,
  nsFont systemFont;
  gfxFontStyle fontStyle;
  nsAutoString systemFontName;
+  if (nsContentUtils::ShouldResistFingerprinting()) {
+#ifdef XP_MACOSX
+    *aFamilies.AppendElement() = "-apple-system"_ns;
+#else
+    *aFamilies.AppendElement() = "sans-serif"_ns;
+#endif
+    return;
+  }
  if (!LookAndFeel::GetFont(StyleSystemFont::Menu, systemFontName, fontStyle)) {
    return;
  }

--- a/layout/base/nsLayoutUtils.cpp
+++ b/layout/base/nsLayoutUtils.cpp
@@ -9671,7 +9671,47 @@ void nsLayoutUtils::ComputeSystemFont(nsFont* aSystemFont,
                                      const Document* aDocument) {
  gfxFontStyle fontStyle;
  nsAutoString systemFontName;
-  if (!LookAndFeel::GetFont(aFontID, systemFontName, fontStyle)) {
+  if (aDocument->ShouldResistFingerprinting()) {
+#if defined(XP_MACOSX)
+    systemFontName = u"-apple-system"_ns;
+    // Values taken from a macOS 10.15 system.
+    switch (aFontID) {
+      case LookAndFeel::FontID::Caption:
+      case LookAndFeel::FontID::Menu:
+        fontStyle.size = 13;
+        break;
+      case LookAndFeel::FontID::SmallCaption:
+        fontStyle.weight = gfxFontStyle::FontWeight(700);
+        // fall-through
+      case LookAndFeel::FontID::MessageBox:
+      case LookAndFeel::FontID::StatusBar:
+        fontStyle.size = 11;
+        break;
+      default:
+        fontStyle.size = 12;
+        break;
+    }
+#elif defined(XP_WIN) || defined(MOZ_WIDGET_ANDROID)
+    // Windows uses Segoe UI for Latin alphabets, but other fonts for some RTL
+    // languages, so we fallback to sans-serif to fall back to the user's
+    // default sans-serif. Size is 12px for all system fonts (tried in an en-US
+    // system).
+    // Several Android systems reported Roboto 12px, so similar to what Windows
+    // does.
+    systemFontName = u"sans-serif"_ns;
+    fontStyle.size = 12;
+#else
+    // On Linux, there is not a default. For example, GNOME on Debian uses
+    // Cantarell, 14.667px. Ubuntu Mate uses the Ubuntu font, but also 14.667px.
+    // Fedora with KDE uses Noto Sans, 13.3333px, but it uses Noto Sans on
+    // GNOME, too.
+    // In general, Linux uses some sans-serif, but its size can vary between
+    // 12px and 16px. We chose 15px because it is what Firefox is doing for the
+    // UI font-size.
+    systemFontName = u"sans-serif"_ns;
+    fontStyle.size = 15;
+#endif
+  } else if (!LookAndFeel::GetFont(aFontID, systemFontName, fontStyle)) {
    return;
  }
  systemFontName.Trim("\"'");