Closed Bug 1855706 Opened 8 months ago Closed 8 months ago

When "Enhanced Tracking Protection" is Strict, the font specified in the settings is not used

Categories

(Core :: DOM: Security, defect)

Product:
Core
Component:
DOM: Security
Version:
Firefox 119
Type:
defect

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: sarubo2016, Unassigned)

Details

Attachments

(1 file)

settings and result
393.74 KB, image/png
Details
Attached image settings and result

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0

Steps to reproduce:

Navigator.userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0"
Firefox: Firefox Developer Edition (x64 ja), 119.0b2 (64 bit)
OS: Windows 10 Home, 22H2

  1. Visit about:preferences#privacy
  2. Enhanced Tracking Protection: Standard -> Strict
  3. Visit about:preferences#general
  4. Change fonts from default. ex. Default(Meiryo) -> Noto Sans CJK JP
  5. View simple pages such as Wikipedia( https://ja.wikipedia.org/wiki/Mozilla_Firefox ) where the font specification is "sans-serif", or uncheck "allow pages to choose their own fonts, instead of your selections above" from the font settings and view any page.

Actual results:

Arial and Meiryo are used on the page you visit.

  • I confirmed that it also reproduces with a new profile on another Windows machine.
  • If you specify sans-serif in userChrome.css, you are not affected by this issue.

Expected results:

The page you visit uses the font you set, such as Noto Sans CJK JP.

  • If you specify sans-serif in userChrome.css, you are not affected by this issue.
  • If you specify sans-serif in userChrome.css, UI made with userChrome.css are not affected by this issue.

The Bugbug bot thinks this bug should belong to the 'Core::Layout: Text and Fonts' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Layout: Text and Fonts
Product: Firefox → Core

This is the expected behavior with strict tracking protection. Noto Sans CJK JP is not a standard font on Windows, so if we allow it to be used for web content, sites can detect that you have a non-standard font installed and use this as a bit of "fingerprinting" information to identify and track you.

Moving this to DOM::Security, which I believe is the component responsible for anti-tracking; but I think this is working as intended, not actually a bug to be fixed.

Component: Layout: Text and Fonts → DOM: Security

https://www.mozilla.org/en-US/firefox/119.0beta/releasenotes/

The visibility of fonts to websites has been restricted to system fonts and language pack fonts in ETP strict mode to mitigate font fingerprinting.

After receiving the explanation, I looked at the Release Notes again and found that it had been written about this. This issue was completely my fault.
Personally, I'm not happy about not being able to freely choose the font, but I've learned that it's the correct behavior. Therefore, this issue will be closed.

Status: UNCONFIRMED → RESOLVED
Closed: 8 months ago
Resolution: --- → INVALID

If you want to disable just this specific feature of tracking protection, I believe you can do this by going to about:config and setting the privacy.fingerprintingProtection.overrides preference to -FontVisibilityLangPack (note the initial hyphen).

I'm glad to know this information. Thank you very much.

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: