- From: Tab Atkins Jr. <jackalmage@gmail.com>
- Date: Wed, 5 Aug 2015 11:59:20 -0700
- To: Nick Doty <npdoty@w3.org>
- Cc: www-style list <www-style@w3.org>
On Wed, Jul 29, 2015 at 5:07 PM, Nick Doty <npdoty@w3.org> wrote: > It might be worth having a slightly longer privacy discussion about this and similar features, but a quick question for now. > > Is "system" intended to select the default font-family used by that version of the operating system, or a potentially user-selected font to match the font currently used on that machine for menus and OS-provided controls? The "menu" value as defined in CSS3 Fonts is a little vague on that point. It appears that it's for the default font-family used by that version of the OS. What this means for some minority OSes isn't quite clear, but we discussed it a bit today in the telcon and we'll get some text for it. > To the extent that "system", "menu" or "-headline1"-type properties reflect user-selected preferences, this could expose increased browser fingerprinting surface or reveal something about the user's vision (e.g. this user has increased their font size and may have reduced vision). This is just a font-family, not a system font that takes over all of the font-* properties, so it doesn't expose anything about size or the like. The fingerprinting surface here seems nil; to the extent that it reflects what OS you have, that's already exposed by the UA string. Installed-fonts detection in general is fairly trivial and already offers a *ton* of entropy for fingerprinting. (You just have to have a large list of fonts to test for, which is easy to assemble; the actual tests can be done off-screen and in practically no time.) Exposing the system font doesn't offer much, if any, beyond this. ~TJ
Received on Wednesday, 5 August 2015 19:00:10 UTC