(There are other reasons you might want to have a Tor browser running inside a container, but if the main goal is to nullify fingerprinting and sandbox exploits, you're better off just using an actual VM).
Based on that alone, it seems that just replying back with either a blank font list or the minimal standard font list (e.g. only Times & Arial) would solve most of this problem.
I'd love to see the Firefox team fix that first.
The only way to stop font-based side-channels is to limit the web to a fixed set of fonts: and that will horribly break the web in some linguistic communities where there's a fair amount of web content that relies on specific fonts (that typically map old Windows codespaces to other characters for support for their language, often before Unicode covered those characters).
You also need identical fonts for a given user agent, and that's very hard to guarantee short of shipping your own fonts (e.g., consider an OS update that changes a font!), and that becomes expensive fast.
So, yeah, to disable that you'd have to entirely disable the CSSOM, which would cause ridiculous amounts of breakage.
I agree that implementing this first in Tor is probably not a good idea, but if Firefox were to do it first, then I don't see the problem. "They're a Firefox user" isn't nearly as specific information.
I'd bet that Chrome would follow quickly, which would put pressure on Apple to do the same. If that happened, we'd have a minor victory.
All I'm trying to do is reduce information that is needlessly leaked out by a browser. True privacy still requires more.
There's no reason for browsers to make a large number of fonts available if websites aren't able to use them because not all browsers make them available.
However, there may be an issue with internationalisation.
They're all unprivileged; having to go to the kernel would defeat the purpose most of the time.
Also, trapping them wouldn't make a difference. Fixing the CPUID fields on the other hand (so that these code paths are not taken in the first place)...
As with everything, it depends on the user's threat model. In a court setting, it'd depend on how individual pieces of evidence stack up against a user to make them look bad, and whether there is enough reasonable doubt.
>>> import math
>>> print(math.log(95) / math.log(2))  # log2(95), computed as a ratio of natural logs
>>> print(math.log(95, 2))             # same result, passing the base to log() directly
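As an added example (not code from the thread), here is the same bits-of-information arithmetic applied to the font-list question raised above: it measures how much a fingerprinting script learns from the font list a browser reveals, then checks how far the "blank or minimal standard font list" mitigation gets. The font lists, the allow-list and the function names are constructed assumptions; the point the numbers make is the one from the reply about shipping identical fonts: the allow-list only closes the leak completely once the browser bundles those fonts itself.

```python
import math
from collections import Counter

# Constructed sample: the font list each of eight browsers reveals to a
# font-probing script. The last entry is a Linux box without Microsoft fonts.
OBSERVED_FONT_LISTS = [
    ("Arial", "Times New Roman", "Verdana"),
    ("Arial", "Times New Roman", "Verdana"),
    ("Arial", "Times New Roman", "Verdana", "Comic Sans MS"),
    ("Arial", "Times New Roman", "Verdana", "Comic Sans MS"),
    ("Arial", "Times New Roman", "DejaVu Sans", "Noto Sans CJK"),
    ("Arial", "Times New Roman", "DejaVu Sans", "Noto Sans CJK"),
    ("Arial", "Times New Roman", "Verdana", "Calibri", "Segoe UI"),
    ("DejaVu Sans", "Liberation Serif"),
]

# The "minimal standard font list" suggested in the thread (assumed allow-list).
STANDARD_FONTS = ("Times New Roman", "Arial")

def surprisal_bits(value, population):
    """Bits of identifying information a browser leaks by reporting `value`:
    -log2 of how often that exact value occurs in `population`."""
    return -math.log2(Counter(population)[value] / len(population))

def entropy_bits(population):
    """Shannon entropy of the reported values: average bits leaked per browser."""
    n = len(population)
    return -sum(c / n * math.log2(c / n) for c in Counter(population).values())

def report_fonts(installed, allowed=STANDARD_FONTS, bundled=False):
    """Mitigation: answer only with fonts from a fixed allow-list, in fixed order.
    With bundled=True the browser ships those fonts itself, so the answer no
    longer depends on what the OS happens to have installed."""
    if bundled:
        return tuple(allowed)
    return tuple(f for f in allowed if f in installed)

if __name__ == "__main__":
    raw = OBSERVED_FONT_LISTS
    filtered = [report_fonts(fl) for fl in raw]
    bundled = [report_fonts(fl, bundled=True) for fl in raw]
    rarest = raw[6]
    print(f"surprisal of the rarest raw list: {surprisal_bits(rarest, raw):.2f} bits")
    print(f"entropy, raw font lists:          {entropy_bits(raw):.2f} bits")
    print(f"entropy, allow-list only:         {entropy_bits(filtered):.2f} bits")
    print(f"entropy, allow-list + bundled:    {entropy_bits(bundled):.2f} bits")
```

On this sample the raw lists leak 2.25 bits on average, the allow-list alone still leaks about half a bit (the machine with no Arial remains distinguishable), and only the bundled variant reaches zero.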
However good fonts are a massive undertaking and only make sense for OS vendors, at least the fonts which include many languages.
Realistically, most users use off-the-shelf hardware, so for every machine there are millions that are specced exactly the same. That's not very useful for fingerprinting. It would be a good idea though to stop adding more discriminating features to browsers, but as you imagine, that is not the direction Google wants to go to.
For every fingerprinting trick there is an obfuscation trick though. People just need to keep checking the fingerprinting scripts. A great advantage of the web is that you can in fact see the source code.
Also, we expect publishers to embrace the post-ad world. Why would it be easy to block ads so much they stop being viable, but impossible to stop fingerprinting?
IIDRN says it's up: http://www.isitdownrightnow.com/torproject.org.html
On the other hand I think it's clear what they actually mean here, so probably not worth worrying about too much.
For example, for First Party Isolation, we took the "origin attributes" feature that we built to support containers (user-specified tracking limitations) and reused it for isolation. In the containers case, origins get tagged with a user-specified label; with First Party Isolation, they get tagged with the top-level origin.
And to be clear, there's no "neutering" going on here. We're adding the full features that Tor Browser has, since the whole point of this exercise is to let Tor Browser use preference changes instead of patches. That means that the full capability of the Tor Browser features is in Firefox if users want to enable them.
But it's an interesting idea! Would you mind filing a bug at bugzilla.mozilla.org?
He has a script that he can poke to download the content and email it to himself. Then he reads it with emacs or maybe lynx with no networking enabled.