Remove fonts from the default font lists that the majority of people do not have
Categories: Core :: Privacy: Anti-Tracking, task
People: Reporter: tjr, Assigned: tjr
References: Blocks 2 open bugs
Attachments: 1 file, 1 obsolete file (78.62 KB, image/jpeg)
The fingerprinting data collection has shown that >95% of people do not have the fonts in these patches. We will use another bug in the future (no plans presently) to add fonts, and potentially another patch to provide per-version granularity on font lists.
Comment 1 (Assignee) • 10 months ago
This patch became more difficult to write as I worked on it more, so I've scaled it back to a very simple version that merely removes base Windows fonts that 95%+ of people do not have.
Follow-up patches can:
- Target Linux where the majority of users are lacking many fonts in the allowlist
- Target MacOS, by creating separate lists per MacOS version where there is a noted step function in font availability
- Target Windows LangPack fonts by detecting the user's locale and only allowing a font when the associated locale to that font is the user's locale
Comment 2 (Assignee) • 10 months ago
Comment 3 • 10 months ago
IDThink this is going to work as expected as the fonts listed are font-families, not individual font names/files. For example, Arial Narrow isn't listed, but is detected - the same is going to happen whether or not you list Arial Black. Let's see.
Also, what makes you think 95% of windows users do not have these? These are core windows fonts in 10 and 11 - the fact that they are all weighted makes me think your data collection method may be at fault here (I have no idea how you got your list - with a FPing test or directly from the platform)
Comment 4 (Assignee) • 10 months ago
Thanks for flagging Thorin - we did collect directly from the system, but very possible something went weird, I will investigate.
Comment 5 • 9 months ago
IDK if this helps - but windows likes to report/display fonts in families (not sure if I'm using the right word). And you need to open the entry to see the individual ttf etc files.
https://learn.microsoft.com/en-us/windows/win32/api/wingdi/nf-wingdi-enumfontfamiliesexw
from stackoverflow
> to get all of the individual faces—with multiple faces per family—then you need to call recursively within the EnumFontFamiliesExProc call back, passing the family name as lfFaceName on the inner loop
Comment 6 (Assignee) • 9 months ago
I still need to follow up on the above, but my initial crack at this was based on some flawed approaches and data. I've refocused the analysis on 10 fonts that are used by a prominent fingerprinter that the majority of users do not have. If we remove those 10 fonts (leaving 5 other fingerprinted fonts that the majority of users do have) we see a significant improvement in users' fingerprinting protection.
The problem is that many of them are language fonts that are very heavily prevalent in certain locales. So I think what we need to do is to add a locale-based aspect to the LangPack font list.
For simplicity's sake, I envision the first version of this will optionally include associated locales, and limit the font if the user's font does not match any of the associated locales, and allow it through if it does match, or the locale list is not present.
In the future we could pursue associating all LangPack fonts with locales.
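One way to express the locale gate sketched in comment 6, as an added example and not code from the Firefox patch. `FontEntry`, `kAllowlist` and `IsFontVisible` are hypothetical names, the locale associations are assumed, and the check is taken to compare the user's locale against the font's associated locales.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Hypothetical allowlist entry (names are not Firefox's own).
struct FontEntry {
  std::string family;                // lowercase family name
  std::vector<std::string> locales;  // empty = no locale list, always allowed
};

// Constructed sample data: the family names appear in this bug, the locale
// associations are assumptions made for the example.
static const std::vector<FontEntry> kAllowlist = {
    {"calibri", {}},
    {"ms mincho", {"ja"}},
    {"batang", {"ko"}},
    {"simhei", {"zh-cn"}},
    {"pmingliu", {"zh-tw"}},
};

static std::string Lower(std::string s) {
  std::transform(s.begin(), s.end(), s.begin(), [](unsigned char c) {
    return static_cast<char>(std::tolower(c));
  });
  return s;
}

// True if a page may detect `family` for a user whose locale is `userLocale`.
bool IsFontVisible(const std::string& family, const std::string& userLocale) {
  const std::string name = Lower(family);
  std::string tag = Lower(userLocale);            // "ja_JP" -> "ja_jp"
  std::replace(tag.begin(), tag.end(), '_', '-');  // -> "ja-jp"
  const std::string lang = tag.substr(0, tag.find('-'));  // -> "ja"
  for (const FontEntry& e : kAllowlist) {
    if (e.family != name) continue;
    if (e.locales.empty()) return true;  // no locale list: allow through
    // An entry matches on the full tag ("zh-tw") or the bare language ("ja").
    for (const std::string& l : e.locales) {
      if (l == tag || l == lang) return true;
    }
    return false;  // listed, but only for other locales
  }
  return false;  // not on the allowlist at all
}
```
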
Comment 7 • 9 months ago
> a locale-based aspect to the LangPack font list
so something like Bug 1795460? IIUIC Safari does this - not locale per se but more of a regional thing, but they control the OS to make it work
> 10 fonts (leaving 5 other
Can you share those font names in private? The 10 (mostly optional/regional/langpack?) fonts aren't a bundle (i.e. users won't all have all of them) so whilst it does help the fingerprint for those without the locales in question, it doesn't improve it for those with the locales in question. Additionally, users will start to report tofu (not sure what the fonts are, but I can guess).
Comment 8 (Assignee) • 9 months ago
Yes, exactly Bug 1795460 - now I can attach my patches there :)
Nothing you can't find if you dig: here's the lists - the overlap (14, not 15) is:
arabic typesetting
batang
calibri
leelawadee
levenim mt
marlett
meiryo ui
microsoft uighur
ms mincho
ms ui gothic
pmingliu
segoe ui light
simhei
vrinda
The 4 I originally expected to leave are
"calibri",
"marlett",
"microsoft uighur", // surprisingly on 38% of (all) users machines
"ms ui gothic",
But with a per-langpack approach, I will re-evaluate all of these fonts (and if I have time, the variant a/b lists as well)
Comment 9 • 9 months ago
Hah! That was exactly the list (minus segoe ui light, because it's weighted) that I got from the basic FPJS (https://fingerprintjs.github.io/fingerprintjs/) which was the first script I thought of based on your earlier comments (I have all fonts possible)
https://learn.microsoft.com/en-us/typography/fonts/windows_11_font_list
- e.g. calibri and leelawadee (it's not leelawadee UI despite the docs) are supposed to be "core fonts" - i.e shipped with windows 11 (and 10) - didn't re-check any more. I know some fonts were removed in the last major windows 11 update.
Seems highly unlikely large % of users remove these themselves. I'm really surprised by calibri. Maybe the docs are not fully representative of all regional installs?
> microsoft uighur", // surprisingly on 38% of (all) users machines
that's an arabic supplemental