[tor-bugs] #20842 [Applications/Tor Browser]: Proposal: Improve Tor Browser font whitelist / bundled fonts

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Mar 19 22:46:31 UTC 2019


#20842: Proposal: Improve Tor Browser font whitelist / bundled fonts
--------------------------------------+--------------------------
 Reporter:  arthuredelstein           |          Owner:  tbb-team
     Type:  defect                    |         Status:  assigned
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-usability, ux-team    |  Actual Points:
Parent ID:  #18097                    |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by tom):

 I don't think it's being punted for risk. I think it's being punted for a
 few reasons:

 1. It's not whitelisting them, it's bundling them. We have to figure out
 which platforms need them, which have them (and since when) and bundle
 them on the ones that don't have them.
 2. We have the evaluate the file size bump in our packages from doing so.
 3. We probably don't want to just quick add fonts for whoever asks the
 most (no offense) but rather in some more impartial fashion that also
 captures other requests and the original intent of this bug, which was to
 replace fonts with ones that were better.

 I'm not completely sold on #3 as a blocker though.



 Aside from all that. We learned via a Canvas Fingerprinting exploration,
 that the same font from different versions of the same OS renders
 differently. This would be an argument to whitelist zero system fonts and
 only use ones we bundle across all OSes.

 (However we're not sure if the OS itself also renders the same font file
 differently AFAIK....)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20842#comment:22>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list