Custom fonts can be used for fingerprinting.
Solution: Disable custom fonts from loading.
I'm not quite sure how I can do that in a WebExtension.
Since this a different attack path I will have to wrap my head around it first. Let's see if I can find a way to protect it.
Thank you for your interest in my suggestion. I with you all my luck.
I use https://github.com/da2x/fluxfonts to blur the fonts count systemwide.
Yes on firefox you can limit fonts to single font , it helps
@NewGen66 is right, Firefox already provides an option to activate only a selected list of fonts*, so there's not really a need to add this feature to CanvasBlocker as well.
*https://www.soeren-hentzschel.at/firefox/firefox-52-neue-privatsphaere-einstellung-gegen-font-fingerprinting (in German)
I think there isn't even a good way to add this to CB. There is no API available and the only way I see is to monitor everything that scripts do... which is a huge performance burden and a nightmare to build and maintain.
Thanks guys for the valuable input which brings me to the conclusion of not implementing that in CB.
@kkapsner - here's a development that might interest you - it's a very simple extension, but given where it's hosted i (and @Thorin-Oakenpants and others) don't really trust it - if you want to rethink incorporating anti-font fingerprinting, maybe this would help - the add-on gens a unique FP on every page load/reload...
You are right not to trust this extension... it's very easy to detect and does not really protect against the fingerprinting (e.g. instead of offset... the fingerprinter could just use client...).
As like other extensions regarding fingerprinting they often only protect against the proof of concept that is available in public but do not think about other attack vectors... and with fonts there are just too many. I think it's better to do this upstream.
thanks for your comment - this confirms what 'pants' felt about it :)
Most helpful comment
I think there isn't even a good way to add this to CB. There is no API available and the only way I see is to monitor everything that scripts do... which is a huge performance burden and a nightmare to build and maintain.