Re: [w3c/permissions] A new permission for canvas data (#165)

Not quite. But I guess it possible to check the glyphs. But it's a one more fingerprint vector: unicode constantly updates, people want to get the latest glyphs, so the version of browser will be fingerprintable using glyphs. So I'm against the api to check glyphs.

The idea is not only to ship fonts, but to take a base font and measure its glyphs on every supported environment. So we get a tensor n environments * m glyphs in superset of glyphs all the used fonts * 2 (width and height). m_{i,j,k}, i is env, j is glyph , k is dimension indexes.

Then we compute the median over each glyph in measurements and get Me_{j, k}.
This table is serialized, standardized and shipped with each browser. When a user starts a browser, a browser does rendering and calculates the sizes of glyphs the same way the reference ones are obtained. Then it calculates the differences. Then it modifies the shipped font files in the direction which should eliminate the difference (gradient descent). Then repeats until convergence. Then it does the same with ligatures and kerning. After that the rendered font glyph sizes are considered similar enough to standardized ones. So for measuring we can return not the actual sizes, but the predicted ones. The prediction algorithm must be standardized, so every browser must return the same value. And this should not make much disturbance, because simulated dimensions should be close enough to the real ones. This is only relevant to glyph size fingerprinting I have used in that research. Canvas image data still mustn't be exposed.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/permissions/issues/165#issuecomment-353359553