Re: [csswg-drafts] [css-fonts] incorporate mitigations for font based fingerprinting (#4055)

The performance cost of the _fix_ is that people would end up downloading web fonts that they don't actually need (because they already have the font installed on their system).

E.g., I have most common Google Fonts installed, and one of the reasons I did that was to cut down on web font downloads. If we prevent browsers from using those custom installed fonts, there will be a performance cost to me (more data usage and slower page loading) when visiting sites that use these fonts.

How many people this will affect, and to what degree, I can't say.  Some browsers give users the option to turn off web font downloads altogether, which would negate the performance impact but increase the impact on user experience.  E.g., turning off web fonts might not be a good solution for people whose pre-installed system fonts don't offer a lot of choice for the languages/scripts they use.

The performance impact of malicious scripts is a separate issue altogether.  I was using the example of switching fingerprint methods to emphasize that we can't expect that fixing the fingerprinting vector will have a net performance benefit on malicious sites.  Malicious sites generally don't care about user data plans.

-- 
GitHub Notification of comment by AmeliaBR
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/4055#issuecomment-510166434 using your GitHub account

Received on Wednesday, 10 July 2019 18:00:45 UTC