In Tor Browser, the value of the layout.css.font-variations.enabled preference changes depending on the operating system version. For example, it is enabled on Windows 10 and disabled on Windows 7, and this can be detected with JavaScript.
The issue is that the defaults aren't the same. If your Windows version is older than Win10 1709, or macOS older than 10.5 etc., layout.css.font-variations.enabled is locked to false. So this preference leaks whether you are using a recent OS version or not. And worse, it doesn't require JavaScript to do so.
Is that a typo and you meant 10.15? Anyway, the good news is macOS minimum support is now 10.15.
Anyway, I think we can close this as no longer valid @pierov - the other option is to force it disabled on Windows so we help hide the few (bad) perps using old versions of Win10. We should double check what the code says about version support.
disable variation fonts on such an old API version. This will potentially regress the rendering of sites that rely on such fonts for their desired styling, but in general most sites should have reasonable fallbacks in place.
most sites .. I don't think we should be disabling it to protect a few old OS versions/API
So, turns out it is actually feasible to use variable fonts on non-supported OSes - but why anyone would bother given users should be up to date (apologies Android =< 6 owners), IDK.
So if the platform says "no, I can't do that", the CSS properties will remain disabled regardless of the setting of layout.css.font-variations.enabled, and sites that use @supports will be able to handle fallback appropriately.
For Windows, it's easy: only Fall Creators Update or later supports variations.
For macOS, there has been variation font support in Core Text for some time, but older versions are known to be fairly buggy. I'm proposing to support only 10.12 or later.
For Linux, the installed FreeType version is the key. Local testing suggests that 2.7.1 (released at the end of 2016) is a reasonable cut-off. There was some multiple-master/variation font support present in earlier versions, but there have been enough recent bug-fixes, including ones that directly affect our usage, that enabling it on earlier releases is not helpful.
(On Android, we use in-tree FreeType, so we know we're getting a recent version.)
So if we want to do anything about this, we would want to set the pref to false on all Windows and Linux @pierov - I doubt it would break anything given 15% of the world is still buzzing around on Windows 7, and 4% on Linux, or whatever it is.
What do you mean by "variable fonts" and "static variants"? I now use your word "variants" from #41330 (closed) to describe those font-families. And I use the word face to describe "styles".
If you flip the pref in Win 10 and restart, do you still leak in #41330 (closed)?
What do you mean by "variable fonts" and "static variants"?
I didn't know what term to use, I really know that variant is not the correct one.
Variable fonts = the fonts embed information on how to produce a different "variant" along some axis (weight, slant, stretch, etc.), see some examples.
They are "recent", the old way of producing different weights was providing a font file for each weight, which is also called static fonts nowadays.
And since they are recent, their support is platform-dependent.
Shouldn't this feature be disabled at least on the Safest security level regardless of any OS-specific defaults? (Assuming fonts, WebGL etc. are disabled on higher security levels for similar reasons)
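A self-test for the leak discussed in this thread, as an added example that is not part of any comment above and is not Tor Browser code: it reads the pref-dependent state through both the scripted path (`CSS.supports`) and the script-free path (`@supports`), then checks it against the value all users are meant to share. Assumptions: `font-variation-settings` and `font-optical-sizing` are the CSS properties gated by layout.css.font-variations.enabled, the function names are hypothetical, the baseline of `false` is only an illustration, and the two stub objects are constructed stand-ins for a browser's `CSS` object.

```javascript
// Properties assumed to be gated by layout.css.font-variations.enabled.
const PROBES = [
  ['font-variation-settings', '"wght" 400'],
  ['font-optical-sizing', 'auto'],
];

// Scripted path: the state any page script can read via CSS.supports().
// cssApi is injected so the check also runs outside a browser.
function probeFontVariations(cssApi) {
  const results = {};
  for (const [prop, value] of PROBES) {
    results[prop] = Boolean(cssApi.supports(prop, value));
  }
  return results;
}

// Script-free path: @supports rules expose the same state with JavaScript
// disabled. This stylesheet only changes text on the local test page.
function buildNoScriptProbeCss(selector) {
  return PROBES.map(([prop, value]) =>
    `@supports (${prop}: ${value}) { ${selector}::after { content: " ${prop}: exposed"; } }`
  ).join('\n');
}

// Compare what this browser exposes with the value every user should share.
function auditAgainstBaseline(cssApi, expectedEnabled) {
  const observed = probeFontVariations(cssApi);
  const mismatches = Object.keys(observed)
    .filter((prop) => observed[prop] !== expectedEnabled);
  return { observed, uniform: mismatches.length === 0, mismatches };
}

// Constructed stand-ins: a platform with variation support and one without.
const stubEnabled = { supports: () => true };
const stubDisabled = { supports: () => false };

// In a browser console, audit the real CSS object against the chosen baseline.
if (typeof CSS !== 'undefined' && typeof CSS.supports === 'function') {
  console.log(auditAgainstBaseline(CSS, false));
  console.log(buildNoScriptProbeCss('#probe'));
}
```

If `uniform` is false on one platform and true on another with the same browser build, the pref is still splitting users by OS version.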