If a font file is marked contentaccessible in the manifest, a website can now include it (via font-face). Before you couldn't include it via font-face. But I'm not sure if you could try to include via a img tag or something.
It would allow distinguishing major versions of TB probably, maybe minor versions if you were very meticulous and you had changed something with the font files.
It would allow distinguishing major versions of TB probably, maybe minor versions if you were very meticulous and you had changed something with the font files.
We usually ship fonts close to the end of the year for the about:tor customization.
So far we've always embedded them as data:// URIs.
We could switch to resource:// (if there's a way to allow only privileged pages to access them, IIRC about:tor is one, it has an actor to move data between processes for sure).
I don't know if there is a way to restrict it to privileged pages only, or maybe if privileged pages can override contentacessible=no - but I don't think they can.)
All in all, it sounds like unless you're adding fonts into a manifest this won't affect you negaitvely, and it might not be a feature you want to use if there are no drawbacks to your current approach
After reading Tom's comments, I think it isn't a problem for us, at least for now.
At most, something to remember and consider for cases such as YEC.
In the various omni.ja we include some fonts for PDF.js, but we (well, upstream) control them, so everyone will have the same, therefore they aren't a fingerprinting vector.
Moreover, these fonts aren't accessible to (unprivileged?) content, I wrote a small test, and it didn't display the embedded font.