FontFace API doesn't respect font fingerprinting protection in workers
Categories
(Core :: Privacy: Anti-Tracking, defect, P3)
Tracking
()
Tracking | Status | |
---|---|---|
firefox144 | --- | fixed |
People
(Reporter: fkilic, Assigned: fkilic)
References
(Blocks 1 open bug)
Details
Attachments
(1 file, 1 obsolete file)
While I was testing bug 1937096, I realized FontFace also doesn't protect against font fingerprinting. See at https://abrahamjuliot.github.io/fpworker/ (fonts loaded is FontFace API, and fonts detected is the offscreen measure text)
I'll also submit a smaller POC
Assignee | ||
Comment 1•6 months ago
|
||
Running
const blobURL = URL.createObjectURL(
new Blob(
[
"self.addEventListener(",
"'message',",
"async function (e) {",
" const font = e.data;",
" const fontFace = new FontFace(font, 'local(\"' + font + '\")');",
" await fontFace.load();",
" self.postMessage({",
" font: font,",
" status: fontFace.status,",
" });",
"});",
],
{ type: "application/javascript" }
)
);
const worker = new Worker(blobURL);
worker.onmessage = console.log;
worker.postMessage("Roboto")
on my OSX machine returns fulfilled, but running
async function tryLoadingFont(e) {
const font = e.data;
const fontFace = new FontFace(font, 'local("' + font + '")');
await fontFace.load();
return { font: font, status: fontFace.status };
}
await tryLoadingFont("Roboto")
Correctly fails loading the font
Assignee | ||
Comment 2•6 months ago
|
||
I assume here we don't have pres context in workers. Luckily, we now have an not-so-much-of-an-interface-but-almost-an-interface called FontVisibilityProvider. All we have to do is extend it for workers! (though I would also really like to fix the "almost-an-interface" by turning this into an actual base class and extending it for types rather than storing bunch of null ptrs and one non-null ptr inside one class)
Assignee | ||
Comment 3•6 months ago
|
||
Assignee | ||
Comment 4•6 months ago
|
||
Updated•6 months ago
|
Updated•6 months ago
|
Updated•6 months ago
|
Updated•2 months ago
|
![]() |
||
Comment 6•2 months ago
|
||
Assignee | ||
Updated•1 months ago
|
Updated•21 days ago
|
Updated•18 days ago
|
Description
•