[tbb-bugs] #22787 [Applications/Tor Browser]: Fontconfig warning: remove 'blank' configuration

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Jul 10 21:14:16 UTC 2017

#22787: Fontconfig warning: remove 'blank' configuration
 Reporter:  cypherpunks               |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Minor                     |     Resolution:
 Keywords:  tbb-fingerprinting        |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
Changes (by dcf):

 * keywords:   => tbb-fingerprinting


 Here is the upstream commit (2015-06-17):

 But before that (2015-02-17), they had removed `<blank></blank>` from the
 default fonts.conf and made the blanks be hardcoded in the library:

 I am sure that when I set up fonts.conf for Tor Browser initially, I
 cargo-culted most of the config from somewhere, including the `<blank>`
 section. I don't really know what it does.

 According to fonts.dtd], the `<blank>` section is optional, so I would
 guess that we can remove it without causing crashes on old versions of

 But we may have to deal with this as a new fingerprinting vector (whether
 we remove the `<blank>` or not). If we are using the system fontconfig,
 and the system fontconfig has a built-in set of blanks that varies across
 systems (it looks like they update it with new Unicode versions), and it's
 possible for a web page to detect the difference, then it could be used
 for fingerprinting.

 The set of built-in blanks isn't even under version control, because they
 have a makefile that fetches [http://unicode.org/cldr/utility/list-
 unicodeset.jsp?a=%5B%3AGC%3DZs%3A%5D%5B%3ADI%3A%5D&ucd=on&esc=on&g=&i= a
 list] from unicode.org at build time :( So it's likely to be whatever
 randomly happened to be there when someone built a release.

 To test, we could repurpose the fontfp code and replace the list of code
 points with the unicode.org list.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22787#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list