font whitelist means we don't have to set gfx.downloadable_fonts.fallback_delay

In 8455, "gfx.downloadable_fonts.fallback_delay" was set to -1 to avoid temporarily rendering a local font, which would allow its characters to be measured. But now that we whitelist fonts, it is probably OK to stop setting this pref. We should confirm that the fallback mechanism doesn't provide a whitelist bypass.

added component::applications/tor browser in Legacy / Trac ff60-esr in Legacy / Trac owner::tbb-team in Legacy / Trac priority::medium in Legacy / Trac severity::normal in Legacy / Trac status::new in Legacy / Trac tbb-fingerprinting-font in Legacy / Trac type::defect in Legacy / Trac labels

legacy/trac#8455 (closed), tbb-fingerprinting-fonts. For fingerprinting purposes gfx.downloadable_fonts.fallback_delay_short is available ;)

Trac:
Username: fixtbb

moved from legacy/trac#27258 (moved)

added Bug label and removed 1 deleted label

added Fingerprinting label and removed 1 deleted label

@pierov Font label please ... and/or action + close

I see no reason for the pref override. First we have local async font fallback mapping, and we already limit fonts via whitelist. I fail to see how a downloadable font would leak anything new here. Regardless of whitelisting, any fingerprint can't leak any more than not using any downloadable fonts. This method is flawed

FYI: the pref default is 3000

We should confirm that the fallback mechanism doesn't provide a whitelist bypass.

I think this is the key, but I expect Firefox to behave correctly.

I don't get it. The downloadable font adds nothing to entropy.

• Test 1: no download font: something renders as tofu (or uses a default font?), then maybe async falls back to a whitelisted font (this async fallback map is session only and then in memory, so it only works on the first instance of the char)
• Test 2: dwownload font: does all the above and then measures a downloadable font

Test 2 doesn't add anything? Maybe I'm missing something here

I think the test would be: use a very big font, and/or delay the download somehow.

In the meantime, a fallback font is used. Can the fallback font be outside the allowed list?

If so, it would be a Firefox's bug, imho, but I think this was Arthur's concern here.

and/or delay the download somehow

another reason this delay is not a solution. delaying the download font is easy (or you know, just don't specify a download font :lightbulb:). The app is going to render what it renders. You can't hide that. As Arthur says, with whitelisting, we now control what renders.

Can the fallback font be outside the allowed list

No. If it did that would be a bug with whitelist or font*visibility (There are some system fonts you can't block)

So then if I'm understanding the discussion correctly, we should get rid of this pref (assuming we haven't already)

!425 (merged)

added Fonts label

added Icebox label

removed Icebox label

added Backlog label

removed Backlog label

changed milestone to %Sponsor 131 - Phase 3 - Major ESR 102 Migration

assigned to @richard

added Doing Q4 labels

added Sponsor 131 label

added Backlog label and removed Doing label

added Next label and removed Backlog label

mentioned in merge request !425 (merged)

marked this issue as related to tor-browser-build#40627 (closed)

added Doing label and removed Next label

removed the relation with tor-browser-build#40627 (closed)

marked this issue as related to tor-browser-build#40668 (closed)

closed

reopened

mentioned in issue #40783 (closed)

closed