arkenfox / user.js

Firefox privacy, security and anti-tracking: a comprehensive user.js template for configuration and hardening
MIT License

RFP and custom font settings #1179

Closed GlassGruber closed 3 years ago

GlassGruber commented 3 years ago

Hey guys,
looking at TZP I saw in the font section that the script was able to read my custom font size setting of 18. I've also selected Georgia, Tahoma and Consolas as default fonts and AFAICT TZP is not showing this (but maybe it is totally possible to fingerprint these settings).

What are my options in this scenario to reduce my entropy? Should I really bother about these factors?

In my case I'd really like to keep the increased font size to have a comfortable web reading (web pages can be really hard to read sometimes!).
I do already use the built-in "Reader view" feature quite often, but some pages are just a mess of badly structured code and the Reader can't do much about it...

I'm using FF88.0.1 on Windows with latest vanilla user.js (https://github.com/arkenfox/user.js/commit/74f804a0567181049b7653475ba3653ee5c1643b), only changed the font settings in options page.

Thank you for any help and for the incredibly interesting amount of information gathered in this project!

Thorin-Oakenpants commented 3 years ago

I've also selected Georgia, Tahoma and Consolas as default fonts

A lot of tests use the default font, and that affects results. TZP doesn't need to explicitly state the font names. There is a correlation/equivalency: for example (made up)

Your default size is already noted in TZP, and tests could take advantage of that. TZP doesn't need to (I think the only one where I do this is in the domrect test), as obviously a larger font changes measurements. TZP is more interested in stability and finding out what is and isn't equivalency, and just how many buckets each metric has (e.g. RFP+windows fonts, looks like 3 buckets for win7 and three buckets for win10), so it doesn't make sense to throw extra noise in there

Same with canvas: we could split canvas into tests with and without fonts in them, to get canvas-only entropy from a purist standpoint

Unless all users (of a set, e.g. Windows 10 users on TB) use the exact same fonts and font versions, then even standalone font entropy can be gained (such as updated chars in each font version) - and that will never happen except in something like Tails, because no-one is going to bundle hundreds of MBs of fonts


I'm interested in why you feel you need to change the default fonts on windows. 160mn FF users are happy with default. Note, there is talk of changing the monospace one to Consolas/Menlo (1607913). Not knocking your decision, just interested in why. Is it a sight issue, aesthetics, or something else? I see that you mention the size as being important.

Before we had RFP's font vis protection, I used to block document fonts being set, so every page would use default fonts. I did this for four or five years, it felt great since I was used to it. Now there is no need, and for the first week it was a little strange to see different fonts (and often visual size had changed due to this as well) on different sites (not talking about downloadable web fonts), especially my regular sites. But after a week I was over it, and now I don't even notice

I have a high-ish res on medium-sized monitors (dual 2560x1440, 27") and it's fine for me (for now), but at times I do find myself leaning forward to see something. At some point I'm going to have to change scaling (without changing hardware): either at a system level, or at an app level.

The only one I have found that looks good with RFP is layout.css.devPixelsPerPx, but my devicePixelRatio is also 1 and I think that can cause weird effects. So you could use something like 1.1 to nudge everything 10% bigger. This is the entire app (menus, buttons, images, text, web content etc) - it's like system scaling but just the app. RFP still opens new windows at the correct size, e.g. my actual size would be 1100x1100, but everything is reported as 1000x1000 etc. It's not an area I have played with much

At the end of the day, if you need a different font, or need a different font size (there is a UI setting for web content text size zoom only: I don't know what pref those entail or ever played with it) then DO IT: the web needs to be usable or what's the point. It's your threat model: RFP already randomizes canvas and most scripts are naive and contain canvas: advanced scripts (and it's not exactly advanced to detect canvas randomizing) would have a field day

Thorin-Oakenpants commented 3 years ago

oops, wrong button

PS: I'm interested in what you get on the audio tests. Can you flip dom.webaudio.enabled to true and load TZP

TIA :)

GlassGruber commented 3 years ago

A lot of tests use the default font, and that affects results. TZP doesn't need to explicitly state the font names. [...] Your default size is already noted in TZP, and tests could take advantage of that. TZP doesn't need to (I think the only one where I do this is in the domrect test), as obviously a larger font changes measurements. TZP is more interested in stability and finding out what is and isn't equivalency, and just how many buckets each metric has (e.g. RFP+windows fonts, looks like 3 buckets for win7 and three buckets for win10), so it doesn't make sense to throw extra noise in there

This totally makes sense, I realize that by simply touching the fonts so many other aspects are affected, so yeah, font enumeration is like trying to see if spots on an apple have changed color tone without realizing that the fruit was an orange before the font change! 🍎 != 🟠


I'm interested in why do you feel you need to change the default fonts on windows

It's mostly a sight and reading aid as you pointed out; the font choice is mostly an "aesthetic" thing and really mostly because I don't like Times New Roman 😝 . Tahoma is an experiment, but I guess I'll go back to Arial for sans. Unfortunately the font choice is quite limited by RFP but I guess this is part of the necessary bargain to efficiently "meld" into the user pool. Honestly I like Noto more as a font, which I use in another more relaxed FF profile.

the web needs to be usable or what's the point. It's your threat model: RFP already randomizes canvas and most scripts are naive and contain canvas: advanced scripts (and it's not exactly advanced to detect canvas randomizing) would have a field day

That's absolutely right, lucky for me I (think!) am in no threat model at all. Privacy and tracking fighting is more of an everyday sport for me, so I kinda know when it makes sense to practice and when not, but when I saw that TZP detected the custom font size it was one of those moments when you realize how easy it is to slip with something so silly or naive.

The only one I have found that looks good with RFP is layout.css.devPixelsPerPx, but my devicePixelRatio is also 1 and I think that can cause weird effects. So you could use something like 1.1 to nudge everything 10% bigger. This is the entire app (menus, buttons, images, text, web content etc) - it's like system scaling but just the app. RFP still opens new windows at the correct size, e.g. my actual size would be 1100x1100, but everything is reported as 1000x1000 etc. It's not an area I have played with much

This is interesting, thank you I will play a bit with it!


PS: I'm interested in what you get on the audio tests. Can you flip dom.webaudio.enabled to true and load TZP

In the toggler below the full section results

Audio results:

[ i ]
  [api] web audio   enabled
getChannelData 1    ba40f4d0c7290cd5143ac224e7f0ef363eee1e31e10e2a5bf7424ec4f1825a3b
copyFromChannel 1   ba40f4d0c7290cd5143ac224e7f0ef363eee1e31e10e2a5bf7424ec4f1825a3b
sum 1   35.7383295930922
------
[ click here ] hash hash not coded yet
audioContext 2  40034c4ab48115ac6dcb12f73d70a501caacd8fe9cff87e3a37010698f117e28 [20 keys]
OscillatorNode 2    7fbaffe2fb30e675a99e7c0019f873fdf3acfbcb585c3d588612dcbd3da2b7ff
OscillatorNode/DynamicsCompressor 2 c75f5fb5369fd65b44334164fcd8e2369f75bfacd905607e2eb519f38b9a119a
▲ hide details
audioContext 2             ac-baseLatency: 0
         ac-outputLatency: 0.04 [RFP]
            ac-sampleRate: 44100 [RFP]
                 ac-state: suspended
       ac-maxChannelCount: 2
        ac-numberOfInputs: 1
       ac-numberOfOutputs: 0
          ac-channelCount: 2
      ac-channelCountMode: explicit
 ac-channelInterpretation: speakers
               an-fftSize: 2048
     an-frequencyBinCount: 1024
           an-minDecibels: -100
           an-maxDecibels: -30
 an-smoothingTimeConstant: 0.8
        an-numberOfInputs: 1
       an-numberOfOutputs: 1
          an-channelCount: 2
      an-channelCountMode: max
 an-channelInterpretation: speakers
OscillatorNode 2    -120.82844543457031, -121.40194702148438, -120.58355712890625, -119.82896423339844, -118.77040100097656, -117.48970031738281, -115.9870834350586, -114.32347106933594, -112.45613861083984, -110.40259552001953, -108.14111328125, -105.64728546142578, -102.88674926757812, -99.81663513183594, -96.3929672241211, -92.61178588867188, -88.74397277832031, -88.1758804321289, -63.368499755859375, -38.913368225097656, -30.113183975219727, -30.702001571655273, -40.96392059326172, -69.38872528076172, -87.42302703857422, -89.23757934570312, -93.14838409423828, -96.89705657958984, -100.28680419921875, -103.33616638183594
OscillatorNode/DynamicsCompressor 2 -126.45063781738281, -118.34962463378906, -104.18365478515625, -102.31716918945312, -110.18650817871094, -120.05280303955078, -119.62652587890625, -105.93672943115234, -101.73857116699219, -101.30056762695312, -101.38484954833984, -111.21743774414062, -104.398681640625, -107.95577239990234, -95.34893798828125, -86.32833862304688, -97.86105346679688, -92.66810607910156, -71.52093505859375, -47.66236114501953, -38.90677261352539, -39.493404388427734, -49.695926666259766, -77.044189453125, -91.82952117919922, -94.98835754394531, -86.20660400390625, -97.25950622558594, -112.48421478271484, -103.7235107421875

A side question: I see that this project issue section has an incredible amount of valuable information, is there a "backup" or anything similar somewhere else available for posterity?
Maybe it can be stored in the Heart of the Mountain? 💎

Thank you @Thorin-Oakenpants for your thorough answer and your time! 🎩

[edit: oops! I realized that, copy-pasting from my editor, I missed the starting section]

Thorin-Oakenpants commented 3 years ago

Thanks so much for the audio results

They're exactly the same (RFP on for some audioContext keys) as almost every other FF on almost every other platform I have ever tested or been given results for. This audio FPing is a scam :) I have seen one other result. That's it. I wish we could do a FF experiment on say 0.1% of users: get 220k results

Thorin-Oakenpants commented 3 years ago

A side question

Not sure what you mean. The doctors tell me it's all in my head, so I keep taking the meds. Otherwise TZP is open source and other sites even clone working copies: every time I do a bunch of big updates, I get 30+ clones in an hour: but I only have 10 watchers and 35 stars

here's today's clones

Thorin-Oakenpants commented 3 years ago

@GlassGruber changing your default font size also affects the widget font sizes, even though it's in the main body with css font rules - see the feature detection section and click view details. widgets are special cases AFAIK

edit: it also shows up in css section: system fonts: click the count and open your console

GlassGruber commented 3 years ago

Not sure what you mean. The doctors tell me it's all in my head, so I keep taking the meds.

I'm no doctor but I can just write as badly and incomprehensibly, I guess 🤣 . My question was aimed at the user.js repo, to be clear, and I meant the "issues" section of the project. In the issues there is a ton of interesting documentation and information, I was wondering how to backup/export that content so that it is preserved.

This audio FPing is a scam :)

Glad to contribute! Let's hope this will be an inefficient scam for a long time x)

@GlassGruber changing your default font size also affects the widget font sizes, even though it's in the main body with css font rules - see the feature detection section and click view details. widgets are special cases AFAIK edit: it also shows up in css section: system fonts: click the count and open your console

Noted, I will do some tests and report back.

Thorin-Oakenpants commented 3 years ago

My question was aimed at user.js repo to be clear

Ah, OK. IDK, I think some people retain a gitmemory ... personally IDCare .. a lot of it gets outdated fast

crssi commented 3 years ago

@Thorin-Oakenpants Do you need more audio samples? I have RFP enabled and CB audio also... ATM.

Thorin-Oakenpants commented 3 years ago

@crssi sure, just make sure to disable CB audio for the test

crssi commented 3 years ago

Here you go:

[ re-run ]
dec86181bc79e42b9feaec4ca6726d4df87a4124 [3 metrics]
[ i ]
  [api] web audio   enabled
getChannelData 1    ba40f4d0c7290cd5143ac224e7f0ef363eee1e31e10e2a5bf7424ec4f1825a3b
copyFromChannel 1   ba40f4d0c7290cd5143ac224e7f0ef363eee1e31e10e2a5bf7424ec4f1825a3b
sum 1   35.7383295930922
------
[ click here ] hash hash not coded yet
audioContext 2  40034c4ab48115ac6dcb12f73d70a501caacd8fe9cff87e3a37010698f117e28 [20 keys]
OscillatorNode 2    7fbaffe2fb30e675a99e7c0019f873fdf3acfbcb585c3d588612dcbd3da2b7ff
OscillatorNode/DynamicsCompressor 2 c75f5fb5369fd65b44334164fcd8e2369f75bfacd905607e2eb519f38b9a119a
▲ hide details
audioContext 2             ac-baseLatency: 0
         ac-outputLatency: 0.04 [RFP]
            ac-sampleRate: 44100 [RFP]
                 ac-state: suspended
       ac-maxChannelCount: 2
        ac-numberOfInputs: 1
       ac-numberOfOutputs: 0
          ac-channelCount: 2
      ac-channelCountMode: explicit
 ac-channelInterpretation: speakers
               an-fftSize: 2048
     an-frequencyBinCount: 1024
           an-minDecibels: -100
           an-maxDecibels: -30
 an-smoothingTimeConstant: 0.8
        an-numberOfInputs: 1
       an-numberOfOutputs: 1
          an-channelCount: 2
      an-channelCountMode: max
 an-channelInterpretation: speakers
OscillatorNode 2    -120.82844543457031, -121.40194702148438, -120.58355712890625, -119.82896423339844, -118.77040100097656, -117.48970031738281, -115.9870834350586, -114.32347106933594, -112.45613861083984, -110.40259552001953, -108.14111328125, -105.64728546142578, -102.88674926757812, -99.81663513183594, -96.3929672241211, -92.61178588867188, -88.74397277832031, -88.1758804321289, -63.368499755859375, -38.913368225097656, -30.113183975219727, -30.702001571655273, -40.96392059326172, -69.38872528076172, -87.42302703857422, -89.23757934570312, -93.14838409423828, -96.89705657958984, -100.28680419921875, -103.33616638183594
OscillatorNode/DynamicsCompressor 2 -126.45063781738281, -118.34962463378906, -104.18365478515625, -102.31716918945312, -110.18650817871094, -120.05280303955078, -119.62652587890625, -105.93672943115234, -101.73857116699219, -101.30056762695312, -101.38484954833984, -111.21743774414062, -104.398681640625, -107.95577239990234, -95.34893798828125, -86.32833862304688, -97.86105346679688, -92.66810607910156, -71.52093505859375, -47.66236114501953, -38.90677261352539, -39.493404388427734, -49.695926666259766, -77.044189453125, -91.82952117919922, -94.98835754394531, -86.20660400390625, -97.25950622558594, -112.48421478271484, -103.7235107421875

Seems to be exactly the same. RFP enabled and CB disabled.

Thorin-Oakenpants commented 3 years ago

Thanks .. windows (the RFP ac-outputLatency value tells me that) .. and yet another result that is super common

GlassGruber commented 3 years ago

Hey so unfortunately the layout.css.devPixelsPerPx config is nice but not resolutive. I've reverted to the default font size of 16 and 13 for monospace, with None as minimum font size. Yes text is enlarged but many times it's not enough for me.

But here is an interesting fact (I suppose): leaving the default sizes and setting the minimum font size back to 18, TZP is reading only the default set sizes of 16 and 13.

Ofc this is still a sort of moot point because as you noted using canvas and similar tricks will report some bogus sizes anyway making my profile stick out (if I got this right).

Nowhere to run, nowhere to hide X)

Thorin-Oakenpants commented 3 years ago

I plan on buying a laptop very soon (and a new PC) .. and I'm aiming to make sure that the laptop at least has a devicePixelRatio !== 1, and pinch-to-zoom. Then I can get into testing the correlation between subpixel, system scaling, layout.css.devPixelsPerPx, zoom levels, dpi, visual viewport and other stuff .. not my idea of fun

crssi commented 3 years ago

So CB is actually not needed for audio when RFP is on? Which leaves CB at WebGL, DOMRect and TextMetrics?

Cheers

Thorin-Oakenpants commented 3 years ago

Well, I'm almost at the stage where webaudio should be enabled: but I'm not 100% sure yet

There are two parts. The keys (number of speakers, etc., all those ac- and an- items, and RFP protects two of those), and the computational bits - part of the computational bits require a user gesture (but that's not hard to elicit).

I don't think the computational parts have any entropy - except by browser. There is none in chrome, someone else checked it out for me - the chromium code even has a hardcoded test for set values. Chromium also uses a different math library and function to compute rates. Firefox also ships with that same libm (albeit not identical). So there is one possible solution to webaudio IF there is an issue

IF there is entropy, the surprisal IMO is tiny - i.e. a fat giant head (almost everyone) and a tiny short skinny tail (weird outliers) .. and/or it is OS specific, so is really more about equivalency

The real issue is the math libraries shipped per platform and where they're used: so the underlying math entropy can manifest in a lot of places.


So if we can safely enable webaudio, then it's one less breakage + troubleshoot, one less difference
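The thread keeps coming back to two ideas: how many "buckets" a metric splits users into, and how small the "surprisal" of a value is when almost everyone lands in the same bucket (the fat head / skinny tail picture above). The script below is an added example, not TZP's or arkenfox's code: it parses the `key: value [RFP]` dump format pasted in this thread for the ac-/an- AudioContext keys, expands a constructed population of result dumps, and reports buckets, Shannon entropy per key, a composite hash over a fixed key list (the same idea as TZP's "[20 keys]" hashes), and the surprisal of an outlier value. The population and its frequencies are constructed for illustration (only 0.04 and 44100 are the values actually reported above; the 0.025 latency and the 6-channel outlier are made up), and the hash construction is an assumption about the idea, not TZP's actual implementation.

```python
"""Bucket / entropy / surprisal analysis of fingerprint metric dumps.

Added example (not TZP's or arkenfox's code). Input is the TZP-style
"key: value [note]" format seen in this thread. The population below is
constructed: frequencies and the non-Windows values are invented.
"""
import hashlib
import math
from collections import Counter

# Constructed population: (dump text, number of users observed with it).
# The first dump mirrors the Windows+RFP result pasted in the thread; the
# other two are hypothetical (a different platform and an outlier).
POPULATION = [
    ("""ac-outputLatency: 0.04 [RFP]
ac-sampleRate: 44100 [RFP]
ac-maxChannelCount: 2
an-fftSize: 2048""", 95),
    ("""ac-outputLatency: 0.025 [RFP]
ac-sampleRate: 44100 [RFP]
ac-maxChannelCount: 2
an-fftSize: 2048""", 4),
    ("""ac-outputLatency: 0.04 [RFP]
ac-sampleRate: 44100 [RFP]
ac-maxChannelCount: 6
an-fftSize: 2048""", 1),
]

# Keys that go into the composite hash, in a fixed order.
KEYS = ["ac-outputLatency", "ac-sampleRate", "ac-maxChannelCount", "an-fftSize"]


def parse_dump(text):
    """Turn 'key: value [note]' lines into a dict, dropping a trailing [note]."""
    parsed = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not a key/value line
        value = value.strip()
        if value.endswith("]") and "[" in value:
            value = value[: value.rfind("[")].rstrip()  # strip e.g. "[RFP]"
        parsed[key.strip()] = value
    return parsed


def composite_hash(parsed, keys):
    """SHA-256 over the selected keys in a fixed order (assumed scheme)."""
    material = "\n".join(f"{k}={parsed.get(k, '')}" for k in keys)
    return hashlib.sha256(material.encode()).hexdigest()


def expand(population):
    """Flatten (dump, count) pairs into one parsed dict per observed user."""
    users = []
    for text, count in population:
        users.extend(parse_dump(text) for _ in range(count))
    return users


def buckets(users, metric):
    """Distinct values the metric takes, and how many users fall in each."""
    return Counter(u[metric] for u in users)


def entropy_bits(counter):
    """Shannon entropy of a bucket distribution; 0 means everyone is identical."""
    n = sum(counter.values())
    return -sum(c / n * math.log2(c / n) for c in counter.values())


def surprisal_bits(counter, value):
    """Bits of identifying information carried by one particular value."""
    n = sum(counter.values())
    return -math.log2(counter[value] / n)


def report(population=POPULATION):
    """Per-key buckets and entropy, plus the composite-hash bucket count."""
    users = expand(population)
    per_metric = {m: buckets(users, m) for m in KEYS}
    composite = Counter(composite_hash(u, KEYS) for u in users)
    return {
        "users": len(users),
        "per_metric": per_metric,
        "entropy": {m: entropy_bits(c) for m, c in per_metric.items()},
        "composite_buckets": len(composite),
        "composite_entropy": entropy_bits(composite),
    }


if __name__ == "__main__":
    r = report()
    for m in KEYS:
        print(f"{m:22} buckets={len(r['per_metric'][m])}  "
              f"entropy={r['entropy'][m]:.3f} bits")
    print(f"all {len(KEYS)} keys combined: {r['composite_buckets']} buckets, "
          f"{r['composite_entropy']:.3f} bits")
    chan = buckets(expand(POPULATION), "ac-maxChannelCount")
    print(f"surprisal of ac-maxChannelCount=6: {surprisal_bits(chan, '6'):.2f} bits")
```

Run it as-is and the RFP-protected keys come out with one bucket and zero entropy, the whole four-key combination still only has three buckets and well under one bit of entropy, while the single outlier user carries over six bits of surprisal on their own. That is the practical reading of "fat head, skinny tail": the metric is almost useless against the population, but a user who strays from the common bucket makes themselves easy to pick out, which is exactly the trade-off discussed for custom font sizes earlier in the thread.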