Closed Bug 1885258 Opened 11 months ago Closed 11 months ago

Remove the IsHidden Exemption for Font Allowlist

Categories

(Core :: Layout: Text and Fonts, defect)

Product:
Core
Component:
Layout: Text and Fonts
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
126 Branch
Tracking Flags:
Tracking Status
firefox126 --- fixed

People

(Reporter: tjr, Assigned: tjr)

References

(Blocks 1 open bug)

Details

Attachments

(2 files)

Bug 1885258: Hidden fonts should obey the allow list r?jfkthame
48 bytes, text/x-phabricator-request
Details | Review
Fonts starting by period in macOS: Firefox (without any particular config), Chrome and Tor Browser
143.51 KB, image/png
Details

In this patch Tor Browser removes an exemption that allows Hidden Fonts to bypass the whitelist (font.system.whitelist). That's because that behavior specifically causes Gill Sans to leak through for them in certain situations because we do a weird thing for them.

I see the Hidden exemption was added in this patch. I'm not certain, but it seems like the purpose of it is something to effect of "Allow this font to be used by the browser, but not a font that can be chosen and used by websites".

But I don't understand why would we add these Hidden Fonts (like .LastResort) to the whitelist if we want them to be invisible to websites, because when the whitelist is active, the visibility rules (like Hidden) are ignored.

Code Archaeology tells me the Visibility Restriction || Whitelist was added here in Aug 2020; while the Hidden is automatically added to the whitelist was added here in April 2020.

So: I think this patch is correct...? And is Tor Browser the only consumer of the whitelist pref? (We have no code coverage for it.) If so, it seems safer in terms of us uplifting it, since they already did.

Ref:

Assignee: nobody → tom
Status: NEW → ASSIGNED

Hi Tom, thanks for taking the patch also to Firefox!

But I don't understand why would we add these Hidden Fonts (like .LastResort) to the whitelist if we want them to be invisible to websites, because when the whitelist is active, the visibility rules (like Hidden) are ignored.

Before implementing the patch, I checked on a macOS system, and it seems LastResort will be always ignored, even when using the version without the initial period.
In general, Firefox will ignore all the fonts starting with period on macOS.
I'm attaching a screenshot with Firefox on the top left, Chrome on the top right, Tor Browser in the bottom.

Severity: -- → S3
Pushed by tritter@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/31180e61e4e3 Hidden fonts should obey the allow list r=jfkthame

https://hg.mozilla.org/mozilla-central/rev/31180e61e4e3

Status: ASSIGNED → RESOLVED
Closed: 11 months ago
status-firefox126: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 126 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: