2

Even after disabling Java Script Fonts are indirectly readable. Is there any patch for this issue?

This is a warning I get from a test site.

Your installed fonts are indirectly readable by this website. A website may force loading web fonts, if the respective font is not installed on your local computer. If the site forbids font caching, the font will be reloaded on any access.

The page may try to load hundreds of different font names using the "@font-face" attribute. If the respective font is installed on your system, the website notices that it is not loaded from the server."

Community
  • 1
Roya
  • 3,240
  • 3
  • 19
  • 40

2 Answers2

2

This has nothing to do with JavaScript, this font loading is done by CSS (the stylesheets). Technically it is no different than loading of images, except that fonts you already have on your system may not be loaded, allowing for some guessing what OS you run.

There is already a patch in Tor Browser that mitigates some of the worst risks with this way to load fonts, while still not disabling the font loading completely (as that would render some sites useless). The test site you visit maybe does not know about this patch, and falsely believes you are open to a serious fingerprinting issue because font loading is still allowed.

The patch in question (which prefer webfonts to prevent loading of system fonts when fingerprintable, and limit total number of system fonts, I believe):

https://gitweb.torproject.org/tor-browser.git/commit/217c0d2cdb8d884dc5c3fd638189dd7dd80ff8d5

Rhin
  • 806
  • 5
  • 10
0

There is the ticket #9451 in Tor's trac. It describes what to change to disable this feature. Go to the Preferences page of Firefox (see also this BBC page on how to change the fonts in Firefox), select Contents and in the Fonts section click on Advanced. Now a subwindow open and you'll find a checkbox with the text "Allow pages to choose their own fonts, instead of my selections above". Uncheck it and you're done. When you reload http://ip-check.info/ the message should now disappear.

Jens Kubieziel
  • 8,630
  • 5
  • 35
  • 116