This is an automated email from the git hooks/post-receive script.
richard pushed a commit to branch tor-browser-102.5.0esr-12.0-1 in repository tor-browser.
commit 15fcc0f014dc38f82b6de0183df8b9edba4cf3e9 Author: Pier Angelo Vendrame pierov@torproject.org AuthorDate: Mon Sep 19 12:57:40 2022 +0200
Bug 41116: Normalize system fonts.
System fonts are an enormous fingerprinting vector. Even with font allow lists and with our custom configuration on Linux, which counter metrics measurements, getComputedStyle leaks several details. This patch counters both these kinds of attacks.
---
 gfx/thebes/gfxPlatformFontList.cpp | 3 ++-
 layout/base/nsLayoutUtils.cpp | 5 ++++-
 widget/LookAndFeel.h | 4 +++-
 widget/gtk/nsNativeThemeGTK.cpp | 8 ++++++--
 widget/nsXPLookAndFeel.cpp | 18 +++++++++++++++---
 widget/nsXPLookAndFeel.h | 3 ++-
 6 files changed, 32 insertions(+), 9 deletions(-)
diff --git a/gfx/thebes/gfxPlatformFontList.cpp b/gfx/thebes/gfxPlatformFontList.cpp
index 37a095868031..1e03ca76b0fa 100644
--- a/gfx/thebes/gfxPlatformFontList.cpp
+++ b/gfx/thebes/gfxPlatformFontList.cpp
@@ -1901,7 +1901,8 @@ static void GetSystemUIFontFamilies([[maybe_unused]] nsAtom* aLangGroup,
 nsFont systemFont;
 gfxFontStyle fontStyle;
 nsAutoString systemFontName;
- if (!LookAndFeel::GetFont(StyleSystemFont::Menu, systemFontName, fontStyle)) {
+ if (!LookAndFeel::GetFont(StyleSystemFont::Menu, systemFontName, fontStyle,
+ nsContentUtils::ShouldResistFingerprinting())) {
 return;
 }
 systemFontName.Trim(""'");
diff --git a/layout/base/nsLayoutUtils.cpp b/layout/base/nsLayoutUtils.cpp
index 4cae8e948de7..f2d023b0653d 100644
--- a/layout/base/nsLayoutUtils.cpp
+++ b/layout/base/nsLayoutUtils.cpp
@@ -9564,7 +9564,10 @@ void nsLayoutUtils::ComputeSystemFont(nsFont* aSystemFont,
 const Document* aDocument) {
 gfxFontStyle fontStyle;
 nsAutoString systemFontName;
- if (!LookAndFeel::GetFont(aFontID, systemFontName, fontStyle)) {
+ const bool rfp = aDocument
+ ? nsContentUtils::ShouldResistFingerprinting(aDocument)
+ : nsContentUtils::ShouldResistFingerprinting();
+ if (!LookAndFeel::GetFont(aFontID, systemFontName, fontStyle, rfp)) {
 return;
 }
 systemFontName.Trim(""'");
diff --git a/widget/LookAndFeel.h b/widget/LookAndFeel.h
index 9fe38d632919..c62948673ad1 100644
--- a/widget/LookAndFeel.h
+++ b/widget/LookAndFeel.h
@@ -486,8 +486,10 @@ class LookAndFeel {
 * @param aID Which system-theme font is wanted.
 * @param aName The name of the font to use.
 * @param aStyle Styling to apply to the font.
+ * @param aRFP Whether RFP is enabled in the caller's context
 */
- static bool GetFont(FontID aID, nsString& aName, gfxFontStyle& aStyle);
+ static bool GetFont(FontID aID, nsString& aName, gfxFontStyle& aStyle,
+ bool aRFP);
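Review bot: In the gfx/thebes/gfxPlatformFontList.cpp hunk the new GetFont call passes the argument-less `nsContentUtils::ShouldResistFingerprinting()`, so the decision is global rather than tied to a document, unlike the nsLayoutUtils.cpp and nsNativeThemeGTK.cpp hunks. The visible part of the GetSystemUIFontFamilies signature shows only aLangGroup, so this may be unavoidable; a comment such as `// No document is available here, so use the global RFP state.` would record that it is deliberate. Under RFP the returned name is the generic `sans-serif` (or `-apple-system`) rather than a concrete family, and the rest of the function lies outside this hunk, so it is worth confirming that the code after `Trim` handles a generic keyword correctly.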
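Review bot: The null-document fallback added in nsLayoutUtils::ComputeSystemFont (`aDocument ? ShouldResistFingerprinting(aDocument) : ShouldResistFingerprinting()`) is repeated almost verbatim inside the lambda in the nsNativeThemeGTK.cpp hunk. Two hand-written copies of a privacy decision can drift apart, so a small shared helper taking a `const Document*` would keep the fallback in one place. If the duplication stays, a comment at each site would help, e.g. `// Without a document we can only consult the global RFP state.` The body of ComputeSystemFont continues outside this hunk.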
/**
 * GetPasswordCharacter() returns a unicode character which should be used
diff --git a/widget/gtk/nsNativeThemeGTK.cpp b/widget/gtk/nsNativeThemeGTK.cpp
index 9072e95dcf05..304e7e44d25f 100644
--- a/widget/gtk/nsNativeThemeGTK.cpp
+++ b/widget/gtk/nsNativeThemeGTK.cpp
@@ -1369,11 +1369,15 @@ nsNativeThemeGTK::GetMinimumWidgetSize(nsPresContext* aPresContext,
 // smaller than the default one. This prevents <input type=text
 // style="font-size: .5em"> from keeping a ridiculously large size, for
 // example.
- const gfxFloat fieldFontSizeInCSSPixels = [] {
+ const gfxFloat fieldFontSizeInCSSPixels = [aPresContext] {
+ const bool rfp = (aPresContext && aPresContext->Document())
+ ? nsContentUtils::ShouldResistFingerprinting(
+ aPresContext->Document())
+ : nsContentUtils::ShouldResistFingerprinting();
 gfxFontStyle fieldFontStyle;
 nsAutoString unusedFontName;
 DebugOnly<bool> result = LookAndFeel::GetFont(
- LookAndFeel::FontID::MozField, unusedFontName, fieldFontStyle);
+ LookAndFeel::FontID::MozField, unusedFontName, fieldFontStyle, rfp);
 MOZ_ASSERT(result, "GTK look and feel supports the field font");
 // NOTE: GetFont returns font sizes in CSS pixels, and we want just
 // that.
diff --git a/widget/nsXPLookAndFeel.cpp b/widget/nsXPLookAndFeel.cpp
index 3cc2c561dbc5..51901844ba62 100644
--- a/widget/nsXPLookAndFeel.cpp
+++ b/widget/nsXPLookAndFeel.cpp
@@ -999,7 +999,18 @@ widget::LookAndFeelFont nsXPLookAndFeel::StyleToLookAndFeelFont(
 }
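Review bot: The new `@param aRFP` line in widget/LookAndFeel.h says only that RFP is enabled, not what the flag does to the result. Going by the nsXPLookAndFeel.cpp hunk, a true value makes the call ignore aID, skip the platform lookup and always return true with a fixed name and size. I would say so, e.g. `@param aRFP If true, ignore the system theme and return the same fixed font for every aID.` The comment above GetFontValue in widget/nsXPLookAndFeel.h ("returns false if there is no platform-specific value") has the same gap, since that statement no longer holds when aRFP is true.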
bool nsXPLookAndFeel::GetFontValue(FontID aID, nsString& aName,
- gfxFontStyle& aStyle) {
+ gfxFontStyle& aStyle, bool aRFP) {
+ if (aRFP) {
+#ifdef XP_MACOSX
+ aName = u"-apple-system"_ns;
+#else
+ aName = u"sans-serif"_ns;
+#endif
+ aStyle = gfxFontStyle();
+ aStyle.size = 12;
+ return true;
+ }
+
 if (const LookAndFeelFont* cached = sFontCache.Get(aID)) {
 return LookAndFeelFontToStyle(*cached, aName, aStyle);
 }
@@ -1350,8 +1361,9 @@ nsresult LookAndFeel::GetFloat(FloatID aID, float* aResult) {
 }
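Review bot: The RFP branch at the top of nsXPLookAndFeel::GetFontValue hard-codes the normalized font (`sans-serif` or `-apple-system`, size `12`) with no comment on the unit or on why every FontID collapses to these values. A comment such as `// Under RFP every system font reports the same name and size (CSS pixels), so theme settings cannot be read back.` would help; the unit is inferred from the NOTE in the nsNativeThemeGTK.cpp hunk and should be confirmed. The name still differs between macOS and other platforms, so the value separates those two groups; if that is accepted, the comment should say so. The diffstat lists no test file, and a regression test comparing getComputedStyle output for the system font keywords with RFP enabled would protect this branch. The function body continues outside the hunk.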
// static
-bool LookAndFeel::GetFont(FontID aID, nsString& aName, gfxFontStyle& aStyle) {
- return nsLookAndFeel::GetInstance()->GetFontValue(aID, aName, aStyle);
+bool LookAndFeel::GetFont(FontID aID, nsString& aName, gfxFontStyle& aStyle,
+ bool aRFP) {
+ return nsLookAndFeel::GetInstance()->GetFontValue(aID, aName, aStyle, aRFP);
 }
// static
diff --git a/widget/nsXPLookAndFeel.h b/widget/nsXPLookAndFeel.h
index 3218c9c7bd02..35421e0e4fb4 100644
--- a/widget/nsXPLookAndFeel.h
+++ b/widget/nsXPLookAndFeel.h
@@ -40,7 +40,8 @@ class nsXPLookAndFeel : public mozilla::LookAndFeel {
 nsresult GetFloatValue(FloatID aID, float& aResult);
 // Same, but returns false if there is no platform-specific value.
 // (There are no override prefs for font values.)
- bool GetFontValue(FontID aID, nsString& aName, gfxFontStyle& aStyle);
+ bool GetFontValue(FontID aID, nsString& aName, gfxFontStyle& aStyle,
+ bool aRFP);
virtual nsresult NativeGetInt(IntID aID, int32_t& aResult) = 0;
 virtual nsresult NativeGetFloat(FloatID aID, float& aResult) = 0;