[tor-bugs] #18364 [Applications/Tor Browser]: Tor Browser in Gnu+Linux doesn't support Dingbats properly
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Jun 4 01:09:32 UTC 2018
#18364: Tor Browser in Gnu+Linux doesn't support Dingbats properly
--------------------------------------+--------------------------
Reporter: erchewin | Owner: tbb-team
Type: defect | Status: new
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-fingerprinting-fonts | Actual Points:
Parent ID: #18097 | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Comment (by vegansalad):
Dingbats / Wingdigs / Unicode / Emojis
Whatever you'd like to call them, many of them are broken in Tor Browser
and have been for a very long time. I understand that font fingerprinting
needs to be addressed in a robust way because it protects against font
enumeration attacks. However, there doesn't seem to be much work being
done to fix the bugs that this security mitigation technique has
introduced.
This seems to affect Linux users of TBB the most, but joel2017 says that
it is still causing problems for windows users.
https://trac.torproject.org/projects/tor/ticket/18172#comment:34
As was stated over two years ago, this issue seems to cause issues **on
the tor project trac itself**! Right now as I'm on this page, the "reply
to comment" icon to the right of every comment is blank due to this bug
(that is, if I'm understanding the bug correctly).
https://trac.torproject.org/projects/tor/ticket/18860
A proposal has been made to improve the list of TBB font whitelist /
bundled fonts by soliciting user feedback. I agree that it would be a
useful project to go through each of the fonts on each platform and see if
there are better fonts that could be used instead.
https://trac.torproject.org/projects/tor/ticket/20842 I've posted some
comments over there as well about how we could potentially move this
proposal into a reality.
In the mean time, assuming such a large project would take up a lot of
time and resources, my quick suggestion to hopefully fix this specific
ticket is to add fonts-noto-color-emoji to the list of Google Noto fonts
shipped with the GNU+Linux version of TBB. This is an official Debian
package now: https://packages.debian.org/buster/fonts-noto-color-emoji and
the binary is available https://github.com/googlei18n/noto-emoji/releases
If it would be preferable to get this in stretch-backports as well, please
let me know and I'll do my best to pursue this.
Also, it seems as though Debian is just using the binary from the noto-
emoji Github Releases page instead of building it from source:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848198#64
It'd be preferable, I assume, to build the font from source.
Apparently nototools and fonttools are needed to build this font from
source. https://github.com/googlei18n/noto-emoji/#building-notocoloremoji
It should be noted that fonttools, which is required to build the font
from source, has been switched over to the MIT license roughly six months
ago, so this font should now be able to be built from source with all free
software build tools:
https://github.com/fonttools/fonttools/commit/b990a019dd7d95bbea9e0e823848827933691790
Nototools also seems to have a free license
https://github.com/googlei18n/nototools/blob/master/LICENSE
Are there any blockers to adding fonts-noto-color-emoji to the list of
fonts in #ifdef XP_LINUX that I'm not aware of?
https://gitweb.torproject.org/tor-browser.git/tree/browser/app/profile/000
-tor-browser.js?h=tor-browser-52.8.0esr-7.5-1#n389
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18364#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list