
Re: [csswg-drafts] [css-fonts] limit local fonts to those selected by users in browser settings (or other browser chrome) (#4497)

From: Henri Sivonen via GitHub <sysbot+gh@w3.org>
Date: Thu, 12 Dec 2019 11:25:07 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-564967280-1576149906-sysbot+gh@w3.org>

> I'm also concerned this proposal would make fingerprinting worse because users would unintentionally select random different subsets of fonts.

Yeah, having users choose a set of fonts makes no sense for the purpose of avoiding fingerprinting.

> I suspect that on macOS, iOS, and Android, it's pretty clear.

Sadly, as @jfkthame pointed out, it's not that clear on macOS. However, having the browser block the optionally-downloaded macOS-bundled fonts is likely to be feasible in terms of the resulting user experience. That is, blocking the optional fonts of macOS is probably less likely to result in complaints from users than blocking the Windows 10 and Ubuntu fonts that aren't part of the base set but get installed as a side effect of certain languages.

> browsers would have to maintain their own per distribution list, which isn't scalable.

It's not scalable, but it could work for most users to cover Fedora, Ubuntu, and potentially openSUSE (I haven't looked at the openSUSE font situation). Even though Debian is a major distro, the Debian approach of leaving so much of the configuration to the user makes it infeasible for the browser to try to normalize the configuration as it's visible to the Web.

AFAICT, the situation with Fedora is clearer than with Mac: There is one pretty good set of fonts: enough to cover the stylistic needs of what the Web uses generically without offering too much to take too much disk space. Ubuntu has the same problem as Windows 10, though: The base set is stylistically a little bit too narrow for some major languages, and "Adding a language" installs fonts such that the set of added languages serves as a fingerprint.

> On Android, it's also less than clear, I think: in my experience, many device manufacturers or distributors customize the collection of fonts they ship, so that there is not a uniform set of fonts per Android version

Do any remove any fonts from the set that one would get on a Pixel or Android One phone?

GitHub Notification of comment by hsivonen
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/4497#issuecomment-564967280 using your GitHub account
Received on Thursday, 12 December 2019 11:25:09 UTC
