[csswg-drafts] [css-fonts] limit local fonts to those selected by users in browser settings (or other browser chrome) (#4497)

snyderp has just created a new issue for https://github.com/w3c/csswg-drafts:

== [css-fonts] limit local fonts to those selected by users in browser settings (or other browser chrome) ==
This issue is lifting a proposal to prevent font fingerprinting that was discussed in PING, but I think got buried in the longer conversation in https://github.com/w3c/csswg-drafts/issues/4055

What if the standard didn't put any limitations on what the page could access as `local fonts`, but required local fonts to be _specifically, intentionally_ loaded into the browser, instead of defaulting to any and all fonts it could find.  Browsers would then implement chrome / settings / something to allow users to load fonts into the browser (independent of the fonts the user has added to the OS), and only these fonts would be included in the "local fonts" part of the current algorithm.

To use the helpful taxonomy / organization given by @hsivonen in https://github.com/w3c/csswg-drafts/issues/4055#issuecomment-536169515, this would dramatically improve privacy for users in groups 1, 2, 3, moderately improve* privacy for users in groups 4, 5, 6 w/o harming their use cases, and preserve what people in group 7 are trying to do.

* I say moderately because it would reduce the number of fonts identifiable by fingerprinters, and so increase the size of these users' anonymity sets.

I believe this proposal would cut the knot in issue https://github.com/w3c/csswg-drafts/issues/4055 by completely removing the fingerprinting surface for many (most?) users and improve privacy for remaining users (w/o impacting their goals and needs).


Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/4497 using your GitHub account

Received on Thursday, 7 November 2019 21:54:11 UTC