mirror of https://git.sr.ht/~seirdy/seirdy.one
synced 2024-11-23 21:02:09 +00:00
More info about fingerprinting via fonts
parent f1a56e9ec4
commit 8f47970379
2 changed files with 18 additions and 4 deletions
|
@ -42,7 +42,11 @@ It's not a good idea to expect users to automatically override website styleshee
|
|||
|
||||
### But wouldn't that allow a website to fingerprint with fonts?
|
||||
|
||||
I don't know much about fingerprinting, except that you can't do font enumeration without JavaScript. Since text-based websites that follow these best-practices don't send requests after the page loads and have no scripts, fingerprinting via font enumeration is a non-issue.
|
||||
I don't know much about fingerprinting, except that you can't do font enumeration without JavaScript. Since text-based websites that follow these best-practices don't send requests after the page loads and have no scripts, fingerprinting via font enumeration is a non-issue on those sites.
|
||||
|
||||
Other websites can still fingerprint via font enumeration using JavaScript. They don't need to stop at seeing what sans-serif maps to; they can see all the available fonts on a user's system, the user's canvas fingerprint, window dimensions, etc. Some of these can be mitigated with Firefox's "privacy.resistFingerprinting" setting, but that setting also understandably overrides user font preferences.
|
||||
|
||||
Ultimately, surveillance self-defense on the web is an arms race full of trade-offs. If you want both privacy and customizability, the web is not the place to look; try Gemini or Gopher instead.
|
||||
|
||||
## About lazy loading
|
||||
|
||||
|
|
|
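Review bot: The added sentence "Some of these can be mitigated with Firefox's "privacy.resistFingerprinting" setting" does not say which of the vectors listed just before it (available fonts, canvas fingerprint, window dimensions) the setting covers, so a reader cannot tell what remains exposed after enabling it. Consider naming the vectors it addresses. Separately, the paragraph kept above it still opens with "I don't know much about fingerprinting" and then states flatly that "you can't do font enumeration without JavaScript"; since the new "on those sites" wording leans on that claim, a link to a source for it would make the section easier to trust.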
@ -78,15 +78,25 @@ asserting a personal preference.
|
|||
|
||||
It's not a good idea to expect users to automatically override website stylesheets.
|
||||
Doing so would break websites that use fonts such as Font Awesome to display vector
|
||||
icons. We shouldn't expect these users to constantly battle with websites the same way
|
||||
that many adblocking/script-blocking users (myself included) already do.
|
||||
icons. We shouldn't expect these users to constantly battle with websites the same
|
||||
way that many adblocking/script-blocking users (myself included) already do.
|
||||
|
||||
### But wouldn't that allow a website to fingerprint with fonts?
|
||||
|
||||
I don't know much about fingerprinting, except that you can't do font enumeration
|
||||
without JavaScript. Since text-based websites that follow these best-practices don't
|
||||
send requests after the page loads and have no scripts, fingerprinting via font
|
||||
enumeration is a non-issue.
|
||||
enumeration is a non-issue on those sites.
|
||||
|
||||
Other websites can still fingerprint via font enumeration using JavaScript. They
|
||||
don't need to stop at seeing what sans-serif maps to; they can see all the available
|
||||
fonts on a user's system, the user's canvas fingerprint, window dimensions, etc. Some
|
||||
of these can be mitigated with Firefox's `privacy.resistFingerprinting` setting, but
|
||||
that setting also understandably overrides user font preferences.
|
||||
|
||||
Ultimately, surveillance self-defense on the web is an arms race full of trade-offs.
|
||||
If you want both privacy and customizability, the web is not the place to look; try
|
||||
Gemini or Gopher instead.
|
||||
|
||||
About lazy loading
|
||||
------------------
|
||||
|
|
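Review bot: The two lines starting "icons. We shouldn't expect these users" are changed only by moving "way" from the end of one line to the start of the next, which is a re-wrap unrelated to the commit subject and adds noise to the diff; consider dropping that change or committing it separately. The three new paragraphs here repeat the text added in the first file word for word (only the quoting of `privacy.resistFingerprinting` differs), so any later correction to the fingerprinting section has to be made in both files; a short comment noting that the two copies must stay in sync would help.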