Re: [w3c/permissions] A new permission for canvas data (#165)

>But I don't understand, why are you talking specifically about Canvas (you even have it in the title of this issue). The "attacker" can make a Hello element, set various fonts with CSS, and measure the result using Element.getClientBoundingRect(), and get the list of fonts this way.
>Nobody cares about getClientBoundingRect().


In fact, the PoC at the link above uses that too, and the protection may probably help to deal with it. Earlier in this thread you can see some ideas for countermeasures, like font fine-tuning for the environment. The idea was also reported to bugzilla.mozilla.org; I don't know if they are going to implement it, but some staff have subscribed to it.

>Render the text (HTML, Canvas, SVG, ...) only when the webpage provides the necessary fonts. I.e. don't render any text when a webpage provides no fonts. E.g. we can use "14 PDF fonts" (fonts that must be present in every PDF renderer).

This will likely not work (the last time I tested, it didn't: different PCs (both Windows 7, 32-bit) with the same version of Tor Browser had different fingerprints) for the case of Canvas. In fact, Tor Browser (and Firefox, if I remember right) bundles fonts.

About the standard on browser indistinguishability: there is still no such standard, even though it was proposed long ago.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/permissions/issues/165#issuecomment-400197792

Received on Tuesday, 26 June 2018 06:46:53 UTC