JoJo
/
LeOSium_webview
1
0
Fork 0
Code Pull Requests Packages Projects Releases 2 Wiki Activity
LeOSium_webview/LeOS/patches/00Fonts-fingerprinting-miti...

627 lines
30 KiB
Diff
Raw Blame History

From: uazo <uazo@users.noreply.github.com>
Date: Wed, 1 Mar 2023 15:37:55 +0000
Subject: Fonts fingerprinting mitigation
The patch disables the use of non-standard fonts by blink,
used for device fingerprinting.
Access to local fonts and downloading fonts via Android
Downloadable Fonts API is disabled.
In windows, the patch exposes only fonts from the default
installation based on the user language exposed to the websites,
eliminating the ability to retrieve fonts handled differently
by gdi and directwrite.
It is possible to restore the original behavior via the
fonts-fingerprint-mitigation flag, which is active by default.
License: GPL-2.0-or-later - https://spdx.org/licenses/GPL-2.0-or-later.html
---
chrome/browser/about_flags.cc | 5 +
chrome/browser/flag_descriptions.cc | 5 +
chrome/browser/flag_descriptions.h | 3 +
content/common/features.cc | 8 +-
skia/ext/skia_utils_win.cc | 20 ++
skia/ext/skia_utils_win.h | 3 +
third_party/blink/common/features.cc | 6 +-
third_party/blink/public/common/features.h | 3 +
third_party/blink/renderer/platform/BUILD.gn | 1 +
.../renderer/platform/fonts/font_cache.h | 2 +-
.../fonts/skia/bromite_allowed_fonts.h | 270 ++++++++++++++++++
.../platform/fonts/skia/font_cache_skia.cc | 44 ++-
.../platform/fonts/win/font_cache_skia_win.cc | 7 +-
13 files changed, 363 insertions(+), 14 deletions(-)
create mode 100644 third_party/blink/renderer/platform/fonts/skia/bromite_allowed_fonts.h
diff --git a/chrome/browser/about_flags.cc b/chrome/browser/about_flags.cc
--- a/chrome/browser/about_flags.cc
+++ b/chrome/browser/about_flags.cc
@@ -10408,6 +10408,11 @@ const FeatureEntry kFeatureEntries[] = {
kClipboardMaximumAgeVariations,
"ClipboardMaximumAge")},
+ {"fonts-fingerprint-mitigation",
+ flag_descriptions::kFontsFingerprintMitigationName,
+ flag_descriptions::kFontsFingerprintMitigationDescription, kOsAll,
+ FEATURE_VALUE_TYPE(blink::features::kFontsFingerprintMitigation)},
+
#if BUILDFLAG(IS_CHROMEOS_ASH)
{"enable-media-dynamic-cgroup", flag_descriptions::kMediaDynamicCgroupName,
flag_descriptions::kMediaDynamicCgroupDescription, kOsCrOS,
diff --git a/chrome/browser/flag_descriptions.cc b/chrome/browser/flag_descriptions.cc
--- a/chrome/browser/flag_descriptions.cc
+++ b/chrome/browser/flag_descriptions.cc
@@ -159,6 +159,11 @@ const char kClipboardUnsanitizedContentDescription[] =
"Allows reading/writing unsanitized content from/to the clipboard. "
"Currently, it is only applicable to HTML format. See crbug.com/1268679.";
+const char kFontsFingerprintMitigationName[] =
+ "Enable fonts fingerprint mitigation";
+const char kFontsFingerprintMitigationDescription[] =
+ "Filters the list of fonts allowing only standard ones to be used.";
+
const char kChromeRootStoreEnabledName[] = "Chrome Root Store";
const char kChromeRootStoreEnabledDescription[] =
"Enable use of Chrome Root Store over platform roots. "
diff --git a/chrome/browser/flag_descriptions.h b/chrome/browser/flag_descriptions.h
--- a/chrome/browser/flag_descriptions.h
+++ b/chrome/browser/flag_descriptions.h
@@ -131,6 +131,9 @@ extern const char kClickToCallDescription[];
extern const char kClipboardUnsanitizedContentName[];
extern const char kClipboardUnsanitizedContentDescription[];
+extern const char kFontsFingerprintMitigationName[];
+extern const char kFontsFingerprintMitigationDescription[];
+
extern const char kClipboardMaximumAgeName[];
extern const char kClipboardMaximumAgeDescription[];
diff --git a/content/common/features.cc b/content/common/features.cc
--- a/content/common/features.cc
+++ b/content/common/features.cc
@@ -21,8 +21,8 @@ BASE_FEATURE(kAllowContentInitiatedDataUrlNavigations,
// Allows Blink to request fonts from the Android Downloadable Fonts API through
// the service implemented on the Java side.
BASE_FEATURE(kAndroidDownloadableFontsMatching,
- "AndroidDownloadableFontsMatching",
- base::FEATURE_ENABLED_BY_DEFAULT);
+ "AndroidDownloadableFontsMatching", // disabled
+ base::FEATURE_DISABLED_BY_DEFAULT); // by default
// The following two features, when enabled, result in the browser process only
// asking the renderer process to run beforeunload handlers if it knows such
@@ -195,8 +195,8 @@ const base::FeatureParam<int> kFledgeLimitNumAuctionsParam{
// font name or postscript name. Rolling out behind a flag, as enabling this
// enables a font indexer on Android which we need to test in the field first.
BASE_FEATURE(kFontSrcLocalMatching,
- "FontSrcLocalMatching",
- base::FEATURE_ENABLED_BY_DEFAULT);
+ "FontSrcLocalMatching", // disable
+ base::FEATURE_DISABLED_BY_DEFAULT); // by default
// Feature controlling whether or not memory pressure signals will be forwarded
// to the GPU process.
diff --git a/skia/ext/skia_utils_win.cc b/skia/ext/skia_utils_win.cc
--- a/skia/ext/skia_utils_win.cc
+++ b/skia/ext/skia_utils_win.cc
@@ -364,6 +364,26 @@ void CreateBitmapHeaderForXRGB888(int width,
CreateBitmapHeaderWithColorDepth(width, height, 32, hdr);
}
+void DWriteFontTypeface_GetGDIFamilyName(SkTypeface* typeface, SkString* familyName) {
+ DWriteFontTypeface* tf = reinterpret_cast<DWriteFontTypeface*>(typeface);
+ SkString localSkGDIName;
+ SkTScopedComPtr<IDWriteLocalizedStrings> familyNames;
+ BOOL exists = FALSE;
+ if (FAILED(tf->fDWriteFont->GetInformationalStrings(
+ DWRITE_INFORMATIONAL_STRING_WIN32_FAMILY_NAMES,
+ &familyNames,
+ &exists)) ||
+ !exists ||
+ FAILED(sk_get_locale_string(familyNames.get(), nullptr, &localSkGDIName)))
+ {
+ HRV(tf->fDWriteFontFamily->GetFamilyNames(&familyNames));
+ sk_get_locale_string(familyNames.get(), nullptr/*fMgr->fLocaleName.get()*/, familyName);
+ }
+ if (familyName) {
+ *familyName = localSkGDIName;
+ }
+}
+
base::win::ScopedBitmap CreateHBitmapXRGB8888(int width,
int height,
HANDLE shared_section,
diff --git a/skia/ext/skia_utils_win.h b/skia/ext/skia_utils_win.h
--- a/skia/ext/skia_utils_win.h
+++ b/skia/ext/skia_utils_win.h
@@ -13,6 +13,7 @@
#include "third_party/skia/include/core/SkImageInfo.h"
#include "third_party/skia/include/core/SkMatrix.h"
#include "third_party/skia/include/core/SkRefCnt.h"
+#include "third_party/skia/src/ports/SkTypeface_win_dw.h"
#include "build/build_config.h"
#include <windows.h>
@@ -113,6 +114,8 @@ SK_API void CreateBitmapHeaderForXRGB888(int width,
int height,
BITMAPINFOHEADER* hdr);
+SK_API void DWriteFontTypeface_GetGDIFamilyName(SkTypeface* tf, SkString* familyName);
+
// Creates an HBITMAP backed by 32-bits-per-pixel RGB data (the high bits are
// unused in each pixel).
SK_API base::win::ScopedBitmap CreateHBitmapXRGB8888(
diff --git a/third_party/blink/common/features.cc b/third_party/blink/common/features.cc
--- a/third_party/blink/common/features.cc
+++ b/third_party/blink/common/features.cc
@@ -923,7 +923,7 @@ BASE_FEATURE(kFrequencyCappingForOverlayPopupDetection,
"FrequencyCappingForOverlayPopupDetection",
base::FEATURE_ENABLED_BY_DEFAULT);
-BASE_FEATURE(kGMSCoreEmoji, "GMSCoreEmoji", base::FEATURE_ENABLED_BY_DEFAULT);
+BASE_FEATURE(kGMSCoreEmoji, "GMSCoreEmoji", base::FEATURE_DISABLED_BY_DEFAULT);
BASE_FEATURE(kGainmapHdrImages,
"GainmapHdrImages",
@@ -2036,6 +2036,10 @@ BASE_FEATURE(kWebRtcH264WithOpenH264FFmpeg,
base::FEATURE_ENABLED_BY_DEFAULT);
#endif // BUILDFLAG(RTC_USE_H264) && BUILDFLAG(ENABLE_FFMPEG_VIDEO_DECODERS)
+BASE_FEATURE(kFontsFingerprintMitigation,
+ "FontsFingerprintMitigation",
+ base::FEATURE_ENABLED_BY_DEFAULT);
+
// Exposes non-standard stats in the WebRTC getStats() API.
BASE_FEATURE(kWebRtcExposeNonStandardStats,
"WebRtc-ExposeNonStandardStats",
diff --git a/third_party/blink/public/common/features.h b/third_party/blink/public/common/features.h
--- a/third_party/blink/public/common/features.h
+++ b/third_party/blink/public/common/features.h
@@ -249,6 +249,9 @@ BLINK_COMMON_EXPORT BASE_DECLARE_FEATURE(kCompressParkableStrings);
BLINK_COMMON_EXPORT extern const base::FeatureParam<int>
kMaxDiskDataAllocatorCapacityMB;
+// Filter the list of fonts allowing the use of only standard fonts
+BLINK_COMMON_EXPORT BASE_DECLARE_FEATURE(kFontsFingerprintMitigation);
+
BLINK_COMMON_EXPORT BASE_DECLARE_FEATURE(kConsumeCodeCacheOffThread);
BLINK_COMMON_EXPORT BASE_DECLARE_FEATURE(kContentCaptureConstantStreaming);
diff --git a/third_party/blink/renderer/platform/BUILD.gn b/third_party/blink/renderer/platform/BUILD.gn
--- a/third_party/blink/renderer/platform/BUILD.gn
+++ b/third_party/blink/renderer/platform/BUILD.gn
@@ -755,6 +755,7 @@ component("platform") {
"fonts/simple_font_data.cc",
"fonts/simple_font_data.h",
"fonts/skia/font_cache_skia.cc",
+ "fonts/skia/bromite_allowed_fonts.h",
"fonts/skia/skia_text_metrics.cc",
"fonts/skia/skia_text_metrics.h",
"fonts/skia/sktypeface_factory.cc",
diff --git a/third_party/blink/renderer/platform/fonts/font_cache.h b/third_party/blink/renderer/platform/fonts/font_cache.h
--- a/third_party/blink/renderer/platform/fonts/font_cache.h
+++ b/third_party/blink/renderer/platform/fonts/font_cache.h
@@ -328,7 +328,7 @@ class PLATFORM_EXPORT FontCache final {
sk_sp<SkTypeface> CreateTypeface(const FontDescription&,
const FontFaceCreationParams&,
- std::string& name);
+ std::string& name, std::string& original_name);
#if BUILDFLAG(IS_ANDROID) || BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
static AtomicString GetFamilyNameForCharacter(SkFontMgr*,
diff --git a/third_party/blink/renderer/platform/fonts/skia/bromite_allowed_fonts.h b/third_party/blink/renderer/platform/fonts/skia/bromite_allowed_fonts.h
new file mode 100644
--- /dev/null
+++ b/third_party/blink/renderer/platform/fonts/skia/bromite_allowed_fonts.h
@@ -0,0 +1,270 @@
+/*
+ This file is part of Bromite.
+
+ Bromite is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ Bromite is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with Bromite. If not, see <https://www.gnu.org/licenses/>.
+*/
+
+#include "base/logging.h"
+#include "base/command_line.h"
+#include "ui/base/ui_base_switches.h"
+#include "base/strings/string_util.h"
+
+namespace blink {
+
+const char16_t* kAllowedFontNames[] = {
+ u"Sans", u"Arial", u"MS UI Gothic", u"Microsoft Sans Serif",
+ u"Segoe UI", u"Calibri", u"Times New Roman", u"Courier New",
+ // also used
+ u"Monospace",
+#if BUILDFLAG(IS_ANDROID)
+ u"default", u"sans-serif", u"serif", u"cursive", u"fantasy",
+ u"Courier", u"Courier 10 Pitch", u"Courier New"
+#endif
+#if BUILDFLAG(IS_WIN)
+ // see https://learn.microsoft.com/en-us/typography/fonts/windows_11_font_list
+ u"Arial", u"Arial Italic", u"Arial Bold", u"Arial Bold Italic", u"Arial Black",
+ u"Bahnschrift", u"Bahnschrift Light", u"Bahnschrift SemiBold",
+ u"Calibri Light", u"Calibri Light Italic", u"Calibri", u"Calibri Italic",
+ u"Calibri Bold", u"Calibri Bold Italic", u"Cambria", u"Cambria Italic",
+ u"Cambria Bold", u"Cambria Bold Italic", u"Cambria Math", u"Candara Light",
+ u"Candara Light Italic", u"Candara", u"Candara Italic", u"Candara Bold",
+ u"Candara Bold Italic", u"Cascadia Code ExtraLight", u"Cascadia Code ExtraLight Italic",
+ u"Cascadia Code Light", u"Cascadia Code Light Italic", u"Cascadia Code SemiLight",
+ u"Cascadia Code SemiLight Italic", u"Cascadia Code Regular", u"Cascadia Code Italic",
+ u"Cascadia Code SemiBold", u"Cascadia Code SemiBold Italic", u"Cascadia Code Bold",
+ u"Cascadia Code Bold Italic", u"Cascadia Mono ExtraLight", u"Cascadia Mono ExtraLight Italic",
+ u"Cascadia Mono Light", u"Cascadia Mono Light Italic", u"Cascadia Mono SemiLight",
+ u"Cascadia Mono SemiLight Italic", u"Cascadia Mono Regular", u"Cascadia Mono Italic",
+ u"Cascadia Mono SemiBold", u"Cascadia Mono SemiBold Italic", u"Cascadia Mono Bold",
+ u"Cascadia Mono Bold Italic", u"Comic Sans MS", u"Comic Sans MS Italic", u"Comic Sans MS Bold",
+ u"Comic Sans MS Bold Italic", u"Consolas", u"Consolas Italic", u"Consolas Bold",
+ u"Consolas Bold Italic", u"Constantia", u"Constantia Italic", u"Constantia Bold",
+ u"Constantia Bold Italic", u"Corbel Light", u"Corbel Light Italic", u"Corbel",
+ u"Corbel Italic", u"Corbel Bold", u"Corbel Bold Italic", u"Courier New",
+ u"Courier New Italic", u"Courier New Bold", u"Courier New Bold Italic", u"Ebrima",
+ u"Ebrima Bold", u"Franklin Gothic", u"Franklin Gothic Medium", u"Franklin Gothic Medium Italic",
+ u"Gabriola", u"Gadugi", u"Gadugi Bold", u"Georgia", u"Georgia Italic",
+ u"Georgia Bold", u"Georgia Bold Italic", u"HoloLens MDL2 Assets", u"Impact",
+ u"Ink Free", u"Javanese Text", u"Leelawadee UI", u"Leelawadee UI Semilight",
+ u"Leelawadee UI Bold", u"Lucida Console", u"Lucida Sans Unicode", u"Malgun Gothic",
+ u"Malgun Gothic Bold", u"Malgun Gothic Semilight", u"Marlett", u"Microsoft Himalaya",
+ u"Microsoft JhengHei Light", u"Microsoft JhengHei", u"Microsoft JhengHei Bold",
+ u"Microsoft JhengHei UI Light", u"Microsoft JhengHei UI", u"Microsoft JhengHei UI Bold",
+ u"Microsoft New Tai Lue", u"Microsoft New Tai Lue Bold", u"Microsoft PhagsPa",
+ u"Microsoft PhagsPa Bold", u"Microsoft Sans Serif", u"Microsoft Tai Le",
+ u"Microsoft Tai Le Bold", u"Microsoft YaHei Light", u"Microsoft YaHei",
+ u"Microsoft YaHei Bold", u"Microsoft YaHei UI Light", u"Microsoft YaHei UI",
+ u"Microsoft YaHei UI Bold", u"Microsoft Yi Baiti", u"MingLiU-ExtB",
+ u"PMingLiU-ExtB", u"MingLiU_HKSCS-ExtB", u"Mongolian Baiti", u"MS Gothic",
+ u"MS PGothic", u"MS UI Gothic", u"MV Boli", u"Myanmar Text", u"Myanmar Text Bold",
+ u"Nirmala UI Semilight", u"Nirmala UI", u"Nirmala UI Bold", u"Palatino Linotype",
+ u"Palatino Linotype Italic", u"Palatino Linotype Bold", u"Palatino Linotype Bold Italic",
+ u"Segoe Fluent Icons", u"Segoe MDL2 Assets", u"Segoe Print", u"Segoe Print Bold",
+ u"Segoe Script", u"Segoe Script Bold", u"Segoe UI Light", u"Segoe UI Light Italic",
+ u"Segoe UI Semilight", u"Segoe UI Semilight Italic", u"Segoe UI", u"Segoe UI Italic",
+ u"Segoe UI Semibold", u"Segoe UI Semibold Italic", u"Segoe UI Bold", u"Segoe UI Bold Italic",
+ u"Segoe UI Black", u"Segoe UI Black Italic", u"Segoe UI Emoji", u"Segoe UI Historic",
+ u"Segoe UI Symbol", u"Segoe UI Variable Display Light", u"Segoe UI Variable Display Semilight",
+ u"Segoe UI Variable Display Regular", u"Segoe UI Variable Display Semibold",
+ u"Segoe UI Variable Display Bold", u"Segoe UI Variable Small Light",
+ u"Segoe UI Variable Small Semilight", u"Segoe UI Variable Small Regular",
+ u"Segoe UI Variable Small Semibold", u"Segoe UI Variable Small Bold",
+ u"Segoe UI Variable Text Light", u"Segoe UI Variable Text Semilight",
+ u"Segoe UI Variable Text Regular", u"Segoe UI Variable Text Semibold",
+ u"Segoe UI Variable Text Bold", u"SimSun", u"NSimSun", u"SimSun-ExtB", u"Sitka Banner",
+ u"Sitka Banner Italic", u"Sitka Banner Semibold", u"Sitka Banner Semibold Italic",
+ u"Sitka Banner Bold", u"Sitka Banner Bold Italic", u"Sitka Display", u"Sitka Display Italic",
+ u"Sitka Display Semibold", u"Sitka Display Semibold Italic", u"Sitka Display Bold",
+ u"Sitka Display Bold Italic", u"Sitka Small", u"Sitka Small Italic", u"Sitka Small Semibold",
+ u"Sitka Small Semibold Italic", u"Sitka Small Bold", u"Sitka Small Bold Italic", u"Sitka Heading",
+ u"Sitka Heading Italic", u"Sitka Heading Semibold", u"Sitka Heading Semibold Italic",
+ u"Sitka Heading Bold", u"Sitka Heading Bold Italic", u"Sitka Subheading",
+ u"Sitka Subheading Italic", u"Sitka Subheading Semibold", u"Sitka Subheading Semibold Italic",
+ u"Sitka Subheading Bold", u"Sitka Subheading Bold Italic", u"Sitka Text",
+ u"Sitka Text Italic", u"Sitka Text Semibold", u"Sitka Text Semibold Italic",
+ u"Sitka Text Bold", u"Sitka Text Bold Italic", u"Sylfaen", u"Symbol",
+ u"Tahoma", u"Tahoma Bold", u"Times New Roman", u"Times New Roman Italic", u"Times New Roman Bold",
+ u"Times New Roman Bold Italic", u"Trebuchet MS", u"Trebuchet MS Italic", u"Trebuchet MS Bold",
+ u"Trebuchet MS Bold Italic", u"Verdana", u"Verdana Italic", u"Verdana Bold",
+ u"Verdana Bold Italic", u"Webdings", u"Wingdings", u"Yu Gothic", u"Yu Gothic Light",
+ u"Yu Gothic Regular", u"Yu Gothic Medium", u"Yu Gothic Bold", u"Yu Gothic UI", u"Yu Gothic UI Light",
+ u"Yu Gothic UI Semilight", u"Yu Gothic UI Regular", u"Yu Gothic UI Semibold", u"Yu Gothic UI Bold",
+#endif
+};
+
+#if BUILDFLAG(IS_WIN)
+
+// List from https://learn.microsoft.com/en-us/windows/deployment/windows-10-missing-fonts
+// and https://learn.microsoft.com/en-us/typography/fonts/windows_11_font_list
+// https://unicode-org.github.io/cldr-staging/charts/37/supplemental/locale_coverage.html
+
+// Languages using Arabic script; e.g., Arabic, Persian, Urdu.
+const char16_t* kAllowedFontNames_ar_fa_ur[] = {
+ u"Aldhabi", u"Andalus", u"Arabic Typesetting", u"Microsoft Uighur",
+ u"Sakkal Majalla", u"Simplified Arabic", u"Traditional Arabic",
+ u"Urdu Typesetting"};
+// Languages using Bangla script; e.g., Assamese, Bangla.
+const char16_t* kAllowedFontNames_as_bn[] = {
+ u"Shonar Bangla", u"Vrinda"};
+// Languages using Canadian Syllabics script; e.g., Inuktitut.
+const char16_t* kAllowedFontNames_iu[] = {
+ u"Euphemia"};
+// Cherokee.
+const char16_t* kAllowedFontNames_chr[] = {
+ u"Plantagenet Cherokee"};
+// Language using Devanagari script; e.g., Hindi, Konkani, Marathi.
+const char16_t* kAllowedFontNames_hi_kok_mr[] = {
+ u"Aparajita", u"Kokila", u"Mangal", u"Sanskrit Text",
+ u"Utsaah"};
+// Languages using Ethiopic script; e.g., Amharic, Tigrinya.
+const char16_t* kAllowedFontNames_am_ti[] = {
+ u"Nyala"};
+// Gujarati; any other language using Gujurati script.
+const char16_t* kAllowedFontNames_gu[] = {
+ u"Shruti"};
+// Panjabi; any other language using Gurmukhi script
+const char16_t* kAllowedFontNames_pa[] = {
+ u"Raavi"};
+// Chinese
+const char16_t* kAllowedFontNames_zh[] = {
+ // Simplified Chinese
+ u"DengXian", u"FangSong", u"KaiTi", u"SimHei",
+ // Traditional Chinese
+ u"DFKai-SB", u"MingLiU"};
+// Hebrew
+const char16_t* kAllowedFontNames_he[] = {
+ u"Aharoni Bold", u"David", u"FrankRuehl", u"Gisha",
+ u"Levenim MT", u"Miriam", u"Narkisim", u"Rod"};
+// Japanese
+const char16_t* kAllowedFontNames_ja[] = {
+ u"BIZ UDGothic", u"BIZ UDMincho Medium", u"Meiryo", u"MS Mincho",
+ u"UD Digi Kyokasho", u"Yu Mincho"};
+// Kannada; any other language using Kannada script.
+const char16_t* kAllowedFontNames_kn[] = {
+ u"Tunga"};
+// Cambodian; any other language using Khmer script.
+const char16_t* kAllowedFontNames_km[] = {
+ u"DaunPenh", u"Khmer UI", u"MoolBoran"};
+// Korean
+const char16_t* kAllowedFontNames_ko[] = {
+ u"Batang", u"Dotum", u"Gulim", u"Gungsuh"};
+// Lao; any other language using Lao script.
+const char16_t* kAllowedFontNames_lo[] = {
+ u"DokChampa", u"Lao UI"};
+// Malayalam; any other language using Malayalam script.
+const char16_t* kAllowedFontNames_ml[] = {
+ u"Kartika"};
+// Odia; any other language using Odia script.
+const char16_t* kAllowedFontNames_or[] = {
+ u"Kalinga"};
+// Sinhala; any other language using Sinhala script.
+const char16_t* kAllowedFontNames_si[] = {
+ u"Iskoola Pota"};
+// Languages using Syriac script.
+const char16_t* kAllowedFontNames_syr[] = {
+ u"Estrangelo Edessa"};
+// Tamil; any other language using Tamil script.
+const char16_t* kAllowedFontNames_ta[] = {
+ u"Latha", u"Vijaya"};
+// Telugu; any other language using Telugu script.
+const char16_t* kAllowedFontNames_te[] = {
+ u"Gautami", u"Vani"};
+// Thai; any other language using Thai script.
+const char16_t* kAllowedFontNames_th[] = {
+ u"Angsana New", u"AngsanaUPC", u"Browallia New", u"BrowalliaUPC",
+ u"Cordia New", u"CordiaUPC", u"DilleniaUPC", u"EucrosiaUPC",
+ u"FreesiaUPC", u"IrisUPC", u"JasmineUPC", u"KodchiangUPC",
+ u"Leelawadee", u"LilyUPC"};
+
+#endif
+
+template<int N>
+bool IsInList(const std::u16string& font_name, const char16_t*(&list)[N]) {
+ for(int t = 0; t < N; ++t)
+ if (base::EqualsCaseInsensitiveASCII(font_name, list[t]))
+ return true;
+ return false;
+}
+
+bool IsFontAllowed(const std::u16string& font_name) {
+ for (const char16_t* last_resort_font_name : kAllowedFontNames) {
+ if (base::EqualsCaseInsensitiveASCII(font_name, last_resort_font_name))
+ return true;
+ }
+
+#if BUILDFLAG(IS_ANDROID)
+ // allow synthetic family names (used for emoji)
+ if (base::EndsWith(font_name, u"##fallback", base::CompareCase::INSENSITIVE_ASCII))
+ return true;
+#endif
+
+#if BUILDFLAG(IS_WIN)
+ // check fonts against locale
+ const base::CommandLine& command_line = *base::CommandLine::ForCurrentProcess();
+ if (command_line.HasSwitch(switches::kLang)) {
+ std::string locale = command_line.GetSwitchValueASCII(::switches::kLang);
+
+ if (locale == "ar" || locale == "fa" || locale == "ur")
+ return IsInList(font_name, kAllowedFontNames_ar_fa_ur);
+ else if (locale == "as" || locale == "bn")
+ return IsInList(font_name, kAllowedFontNames_as_bn);
+ else if (locale == "iu")
+ return IsInList(font_name, kAllowedFontNames_iu);
+ else if (locale == "chr")
+ return IsInList(font_name, kAllowedFontNames_chr);
+ else if (locale == "hi" || locale == "kok" || locale == "mr")
+ return IsInList(font_name, kAllowedFontNames_hi_kok_mr);
+ else if (locale == "am" || locale == "ti")
+ return IsInList(font_name, kAllowedFontNames_am_ti);
+ else if (locale == "gu")
+ return IsInList(font_name, kAllowedFontNames_gu);
+ else if (locale == "pa")
+ return IsInList(font_name, kAllowedFontNames_pa);
+ else if (locale == "zh")
+ return IsInList(font_name, kAllowedFontNames_zh);
+ else if (locale == "he")
+ return IsInList(font_name, kAllowedFontNames_he);
+ else if (locale == "ja")
+ return IsInList(font_name, kAllowedFontNames_ja);
+ else if (locale == "kn")
+ return IsInList(font_name, kAllowedFontNames_kn);
+ else if (locale == "km")
+ return IsInList(font_name, kAllowedFontNames_km);
+ else if (locale == "ko")
+ return IsInList(font_name, kAllowedFontNames_ko);
+ else if (locale == "lo")
+ return IsInList(font_name, kAllowedFontNames_lo);
+ else if (locale == "ml")
+ return IsInList(font_name, kAllowedFontNames_ml);
+ else if (locale == "or")
+ return IsInList(font_name, kAllowedFontNames_or);
+ else if (locale == "si")
+ return IsInList(font_name, kAllowedFontNames_si);
+ else if (locale == "syr")
+ return IsInList(font_name, kAllowedFontNames_syr);
+ else if (locale == "ta")
+ return IsInList(font_name, kAllowedFontNames_ta);
+ else if (locale == "te")
+ return IsInList(font_name, kAllowedFontNames_te);
+ else if (locale == "th")
+ return IsInList(font_name, kAllowedFontNames_th);
+ }
+#endif
+
+ //LOG(INFO) << "---not allowed " << font_name;
+
+ return false;
+}
+
+}
diff --git a/third_party/blink/renderer/platform/fonts/skia/font_cache_skia.cc b/third_party/blink/renderer/platform/fonts/skia/font_cache_skia.cc
--- a/third_party/blink/renderer/platform/fonts/skia/font_cache_skia.cc
+++ b/third_party/blink/renderer/platform/fonts/skia/font_cache_skia.cc
@@ -58,12 +58,35 @@
#error This file should not be used by MacOS.
#endif
+#include "base/feature_list.h"
+#include "base/strings/utf_string_conversions.h"
+#include "third_party/blink/public/common/features.h"
+#include "bromite_allowed_fonts.h"
+#if BUILDFLAG(IS_WIN)
+#include "skia/ext/skia_utils_win.h"
+#endif
+
namespace blink {
AtomicString ToAtomicString(const SkString& str) {
return AtomicString::FromUTF8(str.c_str(), str.size());
}
+sk_sp<SkTypeface> ReturnIfAllowed(sk_sp<SkTypeface> typeface, bool check_fonts) {
+ if (!check_fonts) return typeface;
+#if BUILDFLAG(IS_WIN)
+ if (!typeface) return nullptr;
+
+ SkString skia_family_name;
+ skia::DWriteFontTypeface_GetGDIFamilyName(typeface.get(), &skia_family_name);
+ const AtomicString& family = ToAtomicString(skia_family_name);
+ std::string name = family.Utf8();
+ if (!IsFontAllowed(base::UTF8ToUTF16(name)))
+ return nullptr;
+#endif // BUILDFLAG(IS_WIN)
+ return typeface;
+}
+
#if BUILDFLAG(IS_ANDROID) || BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
// This function is called on android or when we are emulating android fonts on
// linux and the embedder has overriden the default fontManager with
@@ -201,7 +224,7 @@ scoped_refptr<SimpleFontData> FontCache::GetLastResortFallbackFont(
sk_sp<SkTypeface> FontCache::CreateTypeface(
const FontDescription& font_description,
const FontFaceCreationParams& creation_params,
- std::string& name) {
+ std::string& name, std::string& original_name) {
#if !BUILDFLAG(IS_WIN) && !BUILDFLAG(IS_ANDROID) && !BUILDFLAG(IS_FUCHSIA)
// TODO(fuchsia): Revisit this and other font code for Fuchsia.
@@ -219,6 +242,16 @@ sk_sp<SkTypeface> FontCache::CreateTypeface(
DCHECK_NE(family, font_family_names::kSystemUi);
// convert the name to utf8
name = family.Utf8();
+ if (original_name.empty()) original_name = name;
+
+ bool check_fonts = base::FeatureList::IsEnabled(features::kFontsFingerprintMitigation);
+ if (check_fonts) {
+ if (!IsFontAllowed(base::UTF8ToUTF16(name))) {
+ return nullptr;
+ } else if (!IsFontAllowed(base::UTF8ToUTF16(original_name))) {
+ return nullptr;
+ }
+ }
#if BUILDFLAG(IS_ANDROID)
// If this is a locale-specific family, try looking up locale-specific
@@ -226,15 +259,15 @@ sk_sp<SkTypeface> FontCache::CreateTypeface(
if (const char* locale_family = GetLocaleSpecificFamilyName(family)) {
if (sk_sp<SkTypeface> typeface =
CreateLocaleSpecificTypeface(font_description, locale_family))
- return typeface;
+ return ReturnIfAllowed(typeface, check_fonts);
}
#endif // BUILDFLAG(IS_ANDROID)
// TODO(https://crbug.com/1425390: Assign FontCache::font_manager_ in the
// ctor.
auto font_manager = font_manager_ ? font_manager_ : SkFontMgr::RefDefault();
- return sk_sp<SkTypeface>(font_manager->matchFamilyStyle(
- name.empty() ? nullptr : name.c_str(), font_description.SkiaFontStyle()));
+ return ReturnIfAllowed(sk_sp<SkTypeface>(font_manager->matchFamilyStyle(
+ name.empty() ? nullptr : name.c_str(), font_description.SkiaFontStyle())), check_fonts);
}
#if !BUILDFLAG(IS_WIN)
@@ -244,6 +277,7 @@ std::unique_ptr<FontPlatformData> FontCache::CreateFontPlatformData(
float font_size,
AlternateFontName alternate_name) {
std::string name;
+ std::string original_name;
sk_sp<SkTypeface> typeface;
#if BUILDFLAG(IS_ANDROID) || BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
@@ -264,7 +298,7 @@ std::unique_ptr<FontPlatformData> FontCache::CreateFontPlatformData(
noto_color_emoji_from_gmscore)) {
typeface = CreateTypefaceFromUniqueName(creation_params);
} else {
- typeface = CreateTypeface(font_description, creation_params, name);
+ typeface = CreateTypeface(font_description, creation_params, name, original_name);
}
#else
typeface = CreateTypeface(font_description, creation_params, name);
diff --git a/third_party/blink/renderer/platform/fonts/win/font_cache_skia_win.cc b/third_party/blink/renderer/platform/fonts/win/font_cache_skia_win.cc
--- a/third_party/blink/renderer/platform/fonts/win/font_cache_skia_win.cc
+++ b/third_party/blink/renderer/platform/fonts/win/font_cache_skia_win.cc
@@ -427,6 +427,7 @@ std::unique_ptr<FontPlatformData> FontCache::CreateFontPlatformData(
sk_sp<SkTypeface> typeface;
std::string name;
+ std::string original_name;
if (alternate_font_name == AlternateFontName::kLocalUniqueFace &&
RuntimeEnabledFeatures::FontSrcLocalMatchingEnabled()) {
@@ -438,7 +439,7 @@ std::unique_ptr<FontPlatformData> FontCache::CreateFontPlatformData(
return nullptr;
} else {
- typeface = CreateTypeface(font_description, creation_params, name);
+ typeface = CreateTypeface(font_description, creation_params, name, original_name);
// For a family match, Windows will always give us a valid pointer here,
// even if the face name is non-existent. We have to double-check and see if
@@ -472,7 +473,7 @@ std::unique_ptr<FontPlatformData> FontCache::CreateFontPlatformData(
FontDescription adjusted_font_description = font_description;
adjusted_font_description.SetWeight(variant_weight);
typeface =
- CreateTypeface(adjusted_font_description, adjusted_params, name);
+ CreateTypeface(adjusted_font_description, adjusted_params, name, original_name);
if (!typeface ||
!TypefacesMatchesFamily(typeface.get(), adjusted_name)) {
return nullptr;
@@ -484,7 +485,7 @@ std::unique_ptr<FontPlatformData> FontCache::CreateFontPlatformData(
FontDescription adjusted_font_description = font_description;
adjusted_font_description.SetStretch(variant_stretch);
typeface =
- CreateTypeface(adjusted_font_description, adjusted_params, name);
+ CreateTypeface(adjusted_font_description, adjusted_params, name, original_name);
if (!typeface ||
!TypefacesMatchesFamily(typeface.get(), adjusted_name)) {
return nullptr;
--
2.25.1
View Git Blame Copy Permalink