Re: [tor-bugs] #18364 [Applications/Tor Browser]: Tor Browser in Gnu+Linux doesn't support Dingbats properly

2019-07-04 Thread Tor Bug Tracker & Wiki
#18364: Tor Browser in Gnu+Linux doesn't support Dingbats properly
--+--
 Reporter:  erchewin  |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  High  |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  tbb-fingerprinting-fonts  |  Actual Points:
Parent ID:  #18172| Points:
 Reviewer:|Sponsor:
--+--

Comment (by vegansalad):

 I'd still really love it if someone could write a patch to add
 fonts-noto-color-emoji to Tor Browser.

 As was stated over three years ago, this issue seems to cause issues on
 this tor project trac itself! Right now as I'm on this page, if you are
 using the Linux version of Tor Browser, the "reply to comment" icon to the
 right of every comment is blank due to this bug (that is, if I'm
 understanding the bug correctly).
 https://trac.torproject.org/projects/tor/ticket/18860

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #18364 [Applications/Tor Browser]: Tor Browser in Gnu+Linux doesn't support Dingbats properly

2018-06-04 Thread Tor Bug Tracker & Wiki
#18364: Tor Browser in Gnu+Linux doesn't support Dingbats properly
--+--
 Reporter:  erchewin  |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  High  |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  tbb-fingerprinting-fonts  |  Actual Points:
Parent ID:  #18172| Points:
 Reviewer:|Sponsor:
--+--
Changes (by gk):

 * parent:  #18097 => #18172



Re: [tor-bugs] #18364 [Applications/Tor Browser]: Tor Browser in Gnu+Linux doesn't support Dingbats properly

2018-06-04 Thread Tor Bug Tracker & Wiki
#18364: Tor Browser in Gnu+Linux doesn't support Dingbats properly
--+--
 Reporter:  erchewin  |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  High  |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  tbb-fingerprinting-fonts  |  Actual Points:
Parent ID:  #18097| Points:
 Reviewer:|Sponsor:
--+--

Comment (by gk):

 Thanks for this helpful comment. The idea of building the fonts from
 source is pretty interesting. Right now we are shipping the fonts as they
 come from Google. I opened #26302 for investigating the source code
 approach.

 There is no need to have anything in Debian in order to make progress, but
 thanks for the offer trying to move things forward in case it were needed.

 And, no, I don't see any blockers other than someone sitting down, writing
 the patch, building the bundle and testing it. Am I seeing this right,
 that this font alone is 7MB in size? That's quite a lot...


Re: [tor-bugs] #18364 [Applications/Tor Browser]: Tor Browser in Gnu+Linux doesn't support Dingbats properly

2018-06-03 Thread Tor Bug Tracker & Wiki
#18364: Tor Browser in Gnu+Linux doesn't support Dingbats properly
--+--
 Reporter:  erchewin  |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  High  |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  tbb-fingerprinting-fonts  |  Actual Points:
Parent ID:  #18097| Points:
 Reviewer:|Sponsor:
--+--

Comment (by vegansalad):

 Dingbats / Wingdings / Unicode / Emojis

 Whatever you'd like to call them, many of them are broken in Tor Browser
 and have been for a very long time. I understand that font fingerprinting
 needs to be addressed in a robust way because it protects against font
 enumeration attacks. However, there doesn't seem to be much work being
 done to fix the bugs that this security mitigation technique has
 introduced.

 This seems to affect Linux users of TBB the most, but joel2017 says that
 it is still causing problems for Windows users.
 https://trac.torproject.org/projects/tor/ticket/18172#comment:34

 As was stated over two years ago, this issue seems to cause issues **on
 the tor project trac itself**! Right now as I'm on this page, the "reply
 to comment" icon to the right of every comment is blank due to this bug
 (that is, if I'm understanding the bug correctly).
 https://trac.torproject.org/projects/tor/ticket/18860

 A proposal has been made to improve the list of TBB font whitelist /
 bundled fonts by soliciting user feedback. I agree that it would be a
 useful project to go through each of the fonts on each platform and see if
 there are better fonts that could be used instead.
 https://trac.torproject.org/projects/tor/ticket/20842
 I've posted some comments over there as well about how we could
 potentially move this proposal into a reality.

 In the meantime, assuming such a large project would take up a lot of
 time and resources, my quick suggestion to hopefully fix this specific
 ticket is to add fonts-noto-color-emoji to the list of Google Noto fonts
 shipped with the GNU+Linux version of TBB. This is an official Debian
 package now: https://packages.debian.org/buster/fonts-noto-color-emoji and
 the binary is available at https://github.com/googlei18n/noto-emoji/releases
 If it would be preferable to get this in stretch-backports as well, please
 let me know and I'll do my best to pursue this.

 Also, it seems as though Debian is just using the binary from the
 noto-emoji GitHub Releases page instead of building it from source:
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848198#64

 It'd be preferable, I assume, to build the font from source.

 Apparently nototools and fonttools are needed to build this font from
 source. https://github.com/googlei18n/noto-emoji/#building-notocoloremoji

 It should be noted that fonttools, which is required to build the font
 from source, has been switched over to the MIT license roughly six months
 ago, so this font should now be able to be built from source with all free
 software build tools:
 
https://github.com/fonttools/fonttools/commit/b990a019dd7d95bbea9e0e823848827933691790

 Nototools also seems to have a free license
 https://github.com/googlei18n/nototools/blob/master/LICENSE

 Are there any blockers to adding fonts-noto-color-emoji to the list of
 fonts in #ifdef XP_LINUX that I'm not aware of?
 https://gitweb.torproject.org/tor-browser.git/tree/browser/app/profile/000-tor-browser.js?h=tor-browser-52.8.0esr-7.5-1#n389


Re: [tor-bugs] #18364 [Applications/Tor Browser]: Tor Browser in Gnu+Linux doesn't support Dingbats properly

2017-03-06 Thread Tor Bug Tracker & Wiki
#18364: Tor Browser in Gnu+Linux doesn't support Dingbats properly
--+--
 Reporter:  erchewin  |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  High  |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  tbb-fingerprinting-fonts  |  Actual Points:
Parent ID:  #18097| Points:
 Reviewer:|Sponsor:
--+--

Comment (by gk):

 Replying to [comment:10 vegansalad]:
 > Replying to [comment:9 yawning]:
 > > Replying to [comment:7 vegansalad]:
 > > > Does a new font need to be packaged for Linux TBB that renders
 > > > Dingbats / Glyphs / Older Unicode?
 > >
 > > Well.  None of the bundled fonts include the Dingbats Unicode code
 > > block.
 > >
 > > Bundling `NotoSansSymbols-Regular.ttf` (832 KiB) along with some
 > > font-config trickery would be an improvement, though I am uncertain as
 > > to how real browser developers want to handle the download/bundle space
 > > vs coverage tradeoff.
 >
 > The coverage is vast, including this very Trac. The download/bundle
 > space addition is small. I'm sorry, but why the frack is this issue not
 > being given the time of day? Please let me know how I can move things
 > forward in a healthy way.

 Writing a patch, testing it and, if all works well, attaching it to this
 ticket + setting the status of it to `needs_review` would be such a way.


Re: [tor-bugs] #18364 [Applications/Tor Browser]: Tor Browser in Gnu+Linux doesn't support Dingbats properly

2017-03-06 Thread Tor Bug Tracker & Wiki
#18364: Tor Browser in Gnu+Linux doesn't support Dingbats properly
--+--
 Reporter:  erchewin  |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  High  |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  tbb-fingerprinting-fonts  |  Actual Points:
Parent ID:  #18097| Points:
 Reviewer:|Sponsor:
--+--

Comment (by vegansalad):

 Replying to [comment:9 yawning]:
 > Replying to [comment:7 vegansalad]:
 > > Does a new font need to be packaged for Linux TBB that renders
 > > Dingbats / Glyphs / Older Unicode?
 >
 > Well.  None of the bundled fonts include the Dingbats Unicode code
 > block.
 >
 > Bundling `NotoSansSymbols-Regular.ttf` (832 KiB) along with some
 > font-config trickery would be an improvement, though I am uncertain as
 > to how real browser developers want to handle the download/bundle space
 > vs coverage tradeoff.

 The coverage is vast, including this very Trac. The download/bundle space
 addition is small. I'm sorry, but why the frack is this issue not being
 given the time of day? Please let me know how I can move things forward in
 a healthy way.


Re: [tor-bugs] #18364 [Applications/Tor Browser]: Tor Browser in Gnu+Linux doesn't support Dingbats properly

2017-02-11 Thread Tor Bug Tracker & Wiki
#18364: Tor Browser in Gnu+Linux doesn't support Dingbats properly
--+--
 Reporter:  erchewin  |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  High  |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  tbb-fingerprinting-fonts  |  Actual Points:
Parent ID:  #18097| Points:
 Reviewer:|Sponsor:
--+--

Comment (by yawning):

 Replying to [comment:7 vegansalad]:
 > Does a new font need to be packaged for Linux TBB that renders Dingbats
 > / Glyphs / Older Unicode?

 Well.  None of the bundled fonts include the Dingbats Unicode code block.

 Bundling `NotoSansSymbols-Regular.ttf` (832 KiB) along with some font-
 config trickery would be an improvement, though I am uncertain as to how
 real browser developers want to handle the download/bundle space vs
 coverage tradeoff.


Re: [tor-bugs] #18364 [Applications/Tor Browser]: Tor Browser in Gnu+Linux doesn't support Dingbats properly

2017-02-10 Thread Tor Bug Tracker & Wiki
#18364: Tor Browser in Gnu+Linux doesn't support Dingbats properly
--+--
 Reporter:  erchewin  |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  High  |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  tbb-fingerprinting-fonts  |  Actual Points:
Parent ID:  #18097| Points:
 Reviewer:|Sponsor:
--+--

Comment (by vegansalad):

 Can someone please respond to this ticket? Trac.torproject.org is broken.
 uBlock is broken. MANY SITES on the internet are broken. We really should
 talk about this.


Re: [tor-bugs] #18364 [Applications/Tor Browser]: Tor Browser in Gnu+Linux doesn't support Dingbats properly

2017-01-31 Thread Tor Bug Tracker & Wiki
#18364: Tor Browser in Gnu+Linux doesn't support Dingbats properly
--+--
 Reporter:  erchewin  |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  High  |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  tbb-fingerprinting-fonts  |  Actual Points:
Parent ID:  #18097| Points:
 Reviewer:|Sponsor:
--+--

Comment (by vegansalad):

 I'm curious which way the TBB community is looking to go from here.

 Does a new font need to be packaged for Linux TBB that renders Dingbats /
 Glyphs / Older Unicode?

 Does it already have a font that renders them properly, but there aren't
 proper font fallbacks in place?

 Are the web and app developers, including uBlock and Trac (see child
 tickets) at fault for including these things in their code? Is it a
 security vulnerability to render old Unicode images?

 If the third one is true, we should develop a document that explains the
 secure way to use them or ways to replace them with something else.


Re: [tor-bugs] #18364 [Applications/Tor Browser]: Tor Browser in Gnu+Linux doesn't support Dingbats properly (was: Tor Browser doesn't support some HTML Entities)

2017-01-22 Thread Tor Bug Tracker & Wiki
#18364: Tor Browser in Gnu+Linux doesn't support Dingbats properly
--+--
 Reporter:  erchewin  |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  High  |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:  tbb-fingerprinting-fonts  |  Actual Points:
Parent ID:  #18097| Points:
 Reviewer:|Sponsor:
--+--
