
Tor Font Whitelist

Posted: 2019-03-05, 03:57
by ChelonianEgghead
So, I've been trying to reduce the information that can be detected as part of my browsing fingerprint, and it seems that one of the nastier tracking techniques used is font fingerprinting. Tor implemented an about:config setting called "font.system.whitelist" to counter this. https://trac.torproject.org/projects/tor/ticket/18097 Any chance that this could be implemented in Pale Moon? The only other post about this feature that I could find was in Russian and didn't make much sense to me in Google Translate.

Re: Tor Font Whitelist

Posted: 2019-03-05, 09:06
by Moonchild
This feature is already present.
The preference for it (font.system.whitelist) is not present by default and will have to be created with New -> String. Please be careful using this preference since it will impact all content page rendering that is using system fonts (including internal pages like about: pages) that are assumed to be present on various operating systems, so make sure your list of whitelisted fonts is complete and includes all default OS fonts, or you will notice an impact on page rendering.

Important note: our list of reported fonts is already restricted and won't show all installed fonts in panopticlick as a result (unless the Flash method is used which bypasses all this; recommended to set Flash to "ask to activate" to prevent this).

An example of a decent list for this whitelist is:

Arial, Courier, Times New Roman, Trebuchet MS, Segoe UI, MS Sans Serif, MS Serif, Verdana, Wingdings
but YMMV anyway, since a custom list like this might actually make you unique.

Re: Tor Font Whitelist

Posted: 2019-03-17, 04:27
by ChelonianEgghead
So what restrictions are in place by default?

Re: Tor Font Whitelist

Posted: 2019-03-17, 07:37
by Moonchild
ChelonianEgghead wrote: So what restrictions are in place by default?
Well, for starters the fact that there is no content-exposed JS API that can enumerate all installed fonts (only chrome code has access to that). Any website wanting to detect installed system fonts will have to probe for specific families itself, which makes fingerprinting on fonts a lot less feasible. If you think I meant that there is a whitelist by default present then I'm afraid I wasn't entirely clear; there is no such default list, since that would directly influence fonts available to websites and the UI.

Re: Tor Font Whitelist

Posted: 2019-03-18, 04:40
by ChelonianEgghead
Does setting browser.display.use_document_fonts to 0 make me more identifiable then, because I'm refusing to show my non-default fonts at all, which is abnormal?

Re: Tor Font Whitelist

Posted: 2019-03-18, 07:45
by Moonchild
ChelonianEgghead wrote: Does setting browser.display.use_document_fonts to 0 make me more identifiable then, because I'm refusing to show my non-default fonts at all, which is abnormal?
I'm not sure if that setting even has an impact at all on the fingerprinting question. What it DOES do however is prevent any and all font application, including downloadables. As a result many web layouts will look wrong or may even break.
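
An added example, not part of the thread and not Pale Moon code: a small Python audit of a profile's prefs.js/user.js text for the two preferences discussed above, flagging a whitelist that omits fonts you rely on. The sample prefs text and the REQUIRED list are constructed, and treating the whitelist as comma-separated, trimmed and case-insensitive is an assumption.

```python
import re

# Matches user_pref("name", value); lines as written in prefs.js / user.js.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)

def parse_prefs(text):
    """Return {pref name: str | bool | int} for every user_pref line."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            prefs[name] = raw[1:-1].replace('\\"', '"')
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # keep unparsed values as text
    return prefs

def whitelist_families(value):
    # Assumption: comma-separated names, trimmed, compared case-insensitively.
    return [f.strip().lower() for f in value.split(",") if f.strip()]

def audit_fonts(prefs_text, required):
    """List findings about the font preferences in a prefs file's text."""
    prefs = parse_prefs(prefs_text)
    findings = []
    wl = prefs.get("font.system.whitelist")
    if not isinstance(wl, str) or not wl.strip():
        findings.append("font.system.whitelist unset: no system font restriction")
    else:
        allowed = set(whitelist_families(wl))
        missing = [f for f in required if f.lower() not in allowed]
        if missing:
            findings.append("whitelist lacks required fonts: " + ", ".join(missing))
    udf = prefs.get("browser.display.use_document_fonts")
    if type(udf) is int and udf == 0:
        findings.append("use_document_fonts=0: page and downloadable fonts disabled")
    return findings

# Constructed sample input; REQUIRED is a hypothetical list of fonts your OS UI needs.
SAMPLE = '''
user_pref("font.system.whitelist", "Arial, Courier, Times New Roman, Verdana");
user_pref("browser.display.use_document_fonts", 0);
'''
REQUIRED = ["Arial", "Segoe UI", "Times New Roman"]

if __name__ == "__main__":
    for finding in audit_fonts(SAMPLE, REQUIRED):
        print(finding)
```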