-
Notifications
You must be signed in to change notification settings - Fork 92
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Embed System Fonts on Android #981
base: master
Are you sure you want to change the base?
Conversation
for those who want to help me with the test, this is the one to do:
via browserstack I have already noticed differences that should not be there: |
incredible, then, by flattening out the differences in fonts between different devices, the differences in dpi between different devices emerge... |
therefore, increasingly complex. Now, the idea is to proceed in this way:
certainly that way, the apparent 'size' of the screen will change for some users. i don't know if it will bother users. @PF4Public sorry to bother you, I would need to discuss this idea with someone. |
Did you investigate how those font fingerprinting tests actually work (I didn't :) )? Do they merely measure the glyph rectangle? In that case it is sad that dpi does make difference. Fixing dpi might do more damage than good. It is the same as with viewport protection: fixing a dpi could blur even more text if actual dpi differs. Maybe randomising those rects instead could help?
No problem, feel free to ping me if you want to. |
theoretically they work, theoretically you can understand the commit of your device.
and that is absolutely correct and sufficient. the dimensions are specific and related to the font file, although 'dirty' by the dpi factor of the screen, which introduces very small differences (of the order of 0.001) but extremely important as information. I don't think anyone has ever got there, I don't think anyone has ever compared the result of different devices but with the absolutely same set of fonts.
I don't think so personally, but I think an attempt should be made.
I would like to set the dpi by resolution, considering only the width, but this would change the 'apparent' screen size ('apparent' for the user)
It is currently already so in cromite, I wanted to try to improve it. |
Could this visually break websites, which build UI via JavaScript and rely on those measurements? |
no, html is by nature 'responsive', if a site does not adapt it is a limitation of the website, which in any case can force the display with the appropriate meta tags. |
it is only the user who may be annoyed by the difference between how it appears in cromite and how it appears in other browsers |
Could this be used to identify Cromite users and behave differently (as ads do when something blocks them)? |
unfortunately, cromite is already recognisable from so much else: so much so that I am considering whether to modify the useragent by declaring it. |
Could you forcefully round values so that this information wouldn't leave the device? |
I had also thought of that solution, but there is no precise point in the code (without agreeing with the chromium developers) on which to intervene. I should start to figure out how to request a change to the w3c standards, but who has the time! on the contrary, I think that acting on the dpi (if it works) would be the ultimate solution that would not force me to chase the developers' changes. but I do not know in advance the effects on the devices of the users who will then suffer the change (despite themselves), which is the thing that worries me. |
It is exactly what I think. Perhaps the only way to know is to try yourself and invite others to testing :) |
note (for me): there are performance problems to be fixed. starting a new render process is too slow. |
so this is the approach I would like to follow.
I think that if it works, I can remove the viewport protection patch in android and perhaps also the canvas patch. |
Would you attempt the same approach on a desktop? |
I was thinking about it. it doesn't make sense. I try to explain myself. now, what would be the difference compared to now? it is not the right path.
there is no reason to believe that desktop platforms behave differently, so the same approach is also exploitable for those platforms. the question is, does it make sense? |
update. I saw how browserstack's app-automate works, really great. i will certainly exploit it to get the fingerpriting values of all the devices in browserstack, for comparison. too bad it can only be useful for android and not for desktop platforms, but, let's get started. now i'm developing a patch to enable privileged access to some specific javascript api as test support (@jamchowder it can serve as a basis for #1020 (comment)), specifically for the cromite.org site, while fully respecting users‘ privacy. i will tell you about it as soon as a wip patch is ready, so you can tell me if my idea might offend users’ sensitivities. |
What do you mean specifically? |
certainly, I try to explain myself. browserstack provides the ability to remotely control their physical devices via various frameworks. My choice is to use Appium, if only because it is the one used by privacytests.org, which has been using it for years, and so I think it is a tried and tested platform, and would allow me to possibly propose something to them in the future. Appium basically allows, via the UIAutomator2 driver, to automate the ui, replacing the user: for example, I can open internet pages and, I think, access the settings to modify them. there is also a specific driver for chromium (https://w3c.github.io/webdriver) which probably allows something else, but I still have to check the differences. For what Appium does not allow me to do, I need to evaluate alternatives. The premise is that the browserstack environment does not allow me to access the chromium profile folder, as the devices are not rooted. But I need to enable and disable flags, change content settings, clear caches and maybe more. It is a question of what I can do. So the idea is this:
For the test battery, the idea for now is to extract all creepjs fingerprints from all browserstack devices, both chrome and cromite, and compare them to see how to move forward. |
ahh, I finally managed to use browserstack remotely! it was hard, endless problems, poor documentation, but thank goodness that all the tools are opensource and so there are source codes. |
So do I understand that correctly: now you can start a device on browserstack and analyze the fingerprint it gets via automation? Are those devices a real ones or a VM? You could create our own VM for this analysis perhaps. I just noticed that even on desktop with fonts fingerprint mitigation the browser only uses system fonts, even when webfonts are downloaded. Is it how it is supposed to be? |
yes, that is exactly what I am doing in #1271. i already have the first 3 runs of chromium, that's a lot of information that i don't know how to handle at the moment. when the 3 runs of cromite (android) also finish i will publish the data, so you can help me find a tool to read it, for now i'm using PowerBI but it's not the right tool. |
I'd be happy to help! You didn't answer my second question :( |
Hmm, indeed it works for me too. Sorry for bothering you with this. :( |
I noticed that the blink process in the sandbox has read access to the .so folder. |
Description
the idea is to exploit skia's logic concerning fonts for use in android.
skia must be advised of what fonts are available and the order of fallback to be attempted if a character is not available in the selected font.
Since including the entire set of fonts would increase the size of the apk and the resources required, the automatic downloading of chromium components, reactivated via the specific patch, is being exploited.
once the fonts and the xml describing their use are available, the patch only makes the custom fonts available in skia.
currently only active in android, it remains to be seen whether the same logic can also be used in desktop platforms.
All submissions
Format
Subject: Alternative cache (NIK-based)
->Alternative-cache-NIK-based.patch
)