
Even though fonts don't load as instructed, they are still leaking #359

Closed
RoxKilly opened this issue Jun 16, 2015 · 7 comments

Comments

@RoxKilly

@gorhill,

Even after disabling all remote fonts, I am still unable to prevent browserleaks.com tests from seeing the fonts installed on the machine, so font information is still leaking.

My setup before uBlock.o. In Firefox Options >> Content Settings >> Advanced settings, I unchecked "Allow pages to choose their own fonts". Running the test at http://www.browserleaks.com/fonts (javascript ON) showed no font leakage.

I installed uBlock.o and noticed that none of the icons were displayed. So I returned to FF settings and checked "Allow pages to choose their own fonts". Font info leaked as expected. I then added the rule "no-remote-fonts: * true" and restarted the browser. The uBlock.o UI is updated to show that fonts are blocked, however the browserleaks test can still see the fonts installed. What am I missing?

(screenshot: fonts_detected)

(screenshot: no_remote_fonts_rule; fonts blocked globally from "My Rules")

@gorhill
Owner

gorhill commented Jun 16, 2015

That page is not about downloading fonts, it detects your system fonts, as pointed out at the top of the page:

It's simple. Different OS versions has its own fonts sets, some programs like Office and Photoshop installs new fonts to the system, many advanced users installs custom fonts

At the bottom there is a link to an explanation of how it works: http://www.lalit.org/lab/javascript-css-font-detect/.

You get the same result when turning off gfx.downloadable_fonts.enabled, so I don't know why you think there is an issue with the no-remote-fonts switch.

@gorhill gorhill closed this as completed Jun 16, 2015
@gorhill
Owner

gorhill commented Jun 16, 2015

Disabling javascript is what works to address "font leakage" and a whole lot of other fingerprinting techniques.

@ghost

ghost commented Jun 16, 2015

Just a note: the setting mentioned by @RoxKilly ("Allow pages to choose their own fonts") is actually browser.display.use_document_fonts, and setting this to 0 does stop that page from discovering local fonts, even while JavaScript is enabled.

That setting isn't meant to disable remote fonts specifically though - it's more of an accessibility setting.
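To make concrete what the lalit.org link above describes, and why setting browser.display.use_document_fonts to 0 stops it, here is an added example (not code from uBlock Origin or from anyone in this thread) that models the width-comparison check with an injected measuring function so it runs outside a browser; the font names, per-character widths and the renderer model are constructed assumptions.

```javascript
// Added example (not code from uBlock Origin or from this thread): the
// width-measurement trick behind the linked lalit.org detector, and why
// Firefox's browser.display.use_document_fonts = 0 defeats it. In a browser
// the measurement is an element's offsetWidth; here "measure" is injected
// so the logic runs offline against a constructed model of the renderer.
const BASE_FONTS = ["monospace", "sans-serif", "serif"];
const PROBE_TEXT = "mmmmmmmmmmlli"; // wide/narrow glyphs exaggerate width differences

// A named font counts as installed if text set in `"Name", generic` renders
// at a different width than text set in the generic fallback alone.
function detectFont(fontName, measure) {
  return BASE_FONTS.some((base) => {
    const baseline = measure(PROBE_TEXT, base);
    const probe = measure(PROBE_TEXT, `"${fontName}", ${base}`);
    return probe !== baseline;
  });
}

function listInstalledFonts(candidates, measure) {
  return candidates.filter((name) => detectFont(name, measure));
}

// Constructed stand-in for a browser's text layout (assumption, not Firefox
// code). `installed` maps font name -> per-character advance width in px;
// `useDocumentFonts` models browser.display.use_document_fonts (1 or 0).
function makeMeasurer(installed, useDocumentFonts) {
  const genericWidth = { monospace: 10, "sans-serif": 7, serif: 7.8 };
  return (text, fontFamily) => {
    const families = fontFamily
      .split(",")
      .map((f) => f.trim().replace(/^"|"$/g, ""));
    const generic = families[families.length - 1];
    // With use_document_fonts = 0 the page's named fonts are ignored and only
    // the user's default for the generic family is used, so every probe
    // measures exactly like its baseline and nothing can be told apart.
    if (useDocumentFonts) {
      const hit = families.find((f) => installed[f] !== undefined);
      if (hit) return installed[hit] * text.length;
    }
    return genericWidth[generic] * text.length;
  };
}

// Demo: same constructed machine and candidate list, setting on and off.
const CANDIDATES = ["Calibri", "Consolas", "Not A Real Font"];
const MACHINE = { Calibri: 7.5, Consolas: 8 }; // constructed font set
console.log(listInstalledFonts(CANDIDATES, makeMeasurer(MACHINE, true)));  // ["Calibri","Consolas"]
console.log(listInstalledFonts(CANDIDATES, makeMeasurer(MACHINE, false))); // []
```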

@gorhill
Owner

gorhill commented Jun 16, 2015

is actually browser.display.use_document_fonts

I see... The switch to toggle remote fonts was to address #15, so here that would be an entirely different issue, which is bugzilla 789788.

@RoxKilly
Author

@gorhill. Thank you for your response. I'm a bit confused. Isn't the no-remote-fonts switch meant to enhance privacy? If so, doesn't this info leak defeat the switch? Maybe I am way off on what the switch is meant to do? What is the problem that disabling fonts download is meant to solve?

@gorhill
Owner

gorhill commented Jun 16, 2015

Isn't the no-remote-fonts switch meant to enhance privacy?

It's meant to be used in place of disable-remote-fonts and gfx.downloadable_fonts.enabled.

Probably the primary purpose and main benefit of turning off remote fonts is security. The privacy aspect is marginal I gather, as not contacting 3rd-party servers to download fonts is a good thing privacy-wise, though I suppose it is likely that the same remote servers from where fonts are fetched are also used for fetching other kinds of resources.

The privacy aspect is really best taken care of by using default-deny, which is also true for your case: fingerprinting is something 3rd parties will do on web pages, and in such case, default-deny is again the best approach, as it foils all sorts of fingerprinting attempts by 3rd parties -- not just one specific one like the font information leak.

@RoxKilly
Author

@gorhill OK that makes sense. You are probably already aware of this but just in case you're not I'll mention that your reliance on the FontAwesome font file to render icons currently makes your app unusable to Firefox users who use standard fonts by unchecking "Allow pages to choose their own fonts" or setting browser.display.use_document_fonts to 0 in order to defeat font fingerprinting. Interestingly, the Panopticlick project found that fonts are second only to plugins in how well suited they are to fingerprints (https://wiki.mozilla.org/Fingerprinting).

Thanks for taking the time to clear up my confusion.
