commit 4f076ff63ec3f06253dc323e2a75062be429fbf0
parent 8079bbdecf92444da2ab4379be5b3ba1e32b09ae
Author: Pier Angelo Vendrame <pierov@torproject.org>
Date: Wed, 6 Jul 2022 22:06:01 +0200
BB 43140: Tighten up fonts on Linux.
We ship a fontconfig configuration to esnure all Linux users have the
same defaults and reduce the chances of fingerprinting.
We used to add this file in tor-browser-build, but some users might
skip it by using the browser executable without the wrapper script.
Therefore, we decided to activate the file with the FontConfig API
instead of the environment variables.
Bug 41043: Hardcode the UI font on Linux
The mechanism to choose the UI font does not play well with our
fontconfig configuration. As a result, the final criterion to choose
the font for the UI was its version.
Since we hardcode Arimo as a default sans-serif on preferences, we use
it also for the UI. FontConfig will fall back to some other font for
scripts Arimo does not cover as expected (we tested with Japanese).
Bug 43141: Hardcode system-ui to Arimo.
Diffstat:
8 files changed, 237 insertions(+), 4 deletions(-)
diff --git a/browser/fonts/fonts.conf b/browser/fonts/fonts.conf
@@ -0,0 +1,183 @@
+<?xml version="1.0"?>
+<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
+<!--
+**DO NOT EDIT THIS FILE!**
+This file sets Tor Browser's bundled fonts as the only available system fonts
+and standardizes rendering settings.
+Any changes might deanonymize you, or expose you to fingerprinting vectors.
+-->
+<!--
+Derived from fonts.conf.in of Fontconfig.
+
+Copyright © 2000,2001,2002,2003,2004,2006,2007 Keith Packard
+Copyright © 2005 Patrick Lam
+Copyright © 2009 Roozbeh Pournader
+Copyright © 2008,2009 Red Hat, Inc.
+Copyright © 2008 Danilo Šegan
+Copyright © 2012 Google, Inc.
+
+
+Permission to use, copy, modify, distribute, and sell this software and its
+documentation for any purpose is hereby granted without fee, provided that
+the above copyright notice appear in all copies and that both that
+copyright notice and this permission notice appear in supporting
+documentation, and that the name of the author(s) not be used in
+advertising or publicity pertaining to distribution of the software without
+specific, written prior permission. The authors make no
+representations about the suitability of this software for any purpose. It
+is provided "as is" without express or implied warranty.
+
+THE AUTHOR(S) DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
+INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
+EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY SPECIAL, INDIRECT OR
+CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE,
+DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
+TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.
+-->
+<fontconfig>
+
+<!-- Font directory list -->
+
+ <dir prefix="cwd">fonts</dir>
+
+<!--
+ Accept deprecated 'mono' alias, replacing it with 'monospace'
+-->
+ <match target="pattern">
+ <test qual="any" name="family">
+ <string>mono</string>
+ </test>
+ <edit name="family" mode="assign" binding="same">
+ <string>monospace</string>
+ </edit>
+ </match>
+
+<!--
+ Accept alternate 'sans serif' spelling, replacing it with 'sans-serif'
+-->
+ <match target="pattern">
+ <test qual="any" name="family">
+ <string>sans serif</string>
+ </test>
+ <edit name="family" mode="assign" binding="same">
+ <string>sans-serif</string>
+ </edit>
+ </match>
+
+<!--
+ Accept deprecated 'sans' alias, replacing it with 'sans-serif'
+-->
+ <match target="pattern">
+ <test qual="any" name="family">
+ <string>sans</string>
+ </test>
+ <edit name="family" mode="assign" binding="same">
+ <string>sans-serif</string>
+ </edit>
+ </match>
+
+<!--
+ Set our default generic families.
+-->
+ <match target="pattern">
+ <test qual="any" name="family">
+ <string>sans-serif</string>
+ </test>
+ <edit name="family" mode="assign" binding="same">
+ <string>Arimo</string>
+ </edit>
+ </match>
+ <match target="pattern">
+ <test qual="any" name="family">
+ <string>serif</string>
+ </test>
+ <edit name="family" mode="assign" binding="same">
+ <string>Tinos</string>
+ </edit>
+ </match>
+ <match target="pattern">
+ <test qual="any" name="family">
+ <string>monospace</string>
+ </test>
+ <edit name="family" mode="assign" binding="same">
+ <string>Cousine</string>
+ </edit>
+ </match>
+
+<!--
+ tor-browser#41799, tor-browser-build#41237: Add some aliases for
+ compatibility.
+-->
+ <match target="pattern">
+ <test qual="any" name="family">
+ <string>Arial</string>
+ </test>
+ <edit name="family" mode="assign" binding="same">
+ <string>Arimo</string>
+ </edit>
+ </match>
+ <match target="pattern">
+ <test qual="any" name="family">
+ <string>Times New Roman</string>
+ </test>
+ <edit name="family" mode="assign" binding="same">
+ <string>Tinos</string>
+ </edit>
+ </match>
+ <match target="pattern">
+ <test qual="any" name="family">
+ <string>Courier New</string>
+ </test>
+ <edit name="family" mode="assign" binding="same">
+ <string>Cousine</string>
+ </edit>
+ </match>
+ <match target="pattern">
+ <test qual="any" name="family">
+ <string>Helvetica</string>
+ </test>
+ <edit name="family" mode="assign" binding="same">
+ <string>Arimo</string>
+ </edit>
+ </match>
+ <match target="pattern">
+ <test qual="any" name="family">
+ <string>Times</string>
+ </test>
+ <edit name="family" mode="assign" binding="same">
+ <string>Tinos</string>
+ </edit>
+ </match>
+ <match target="pattern">
+ <test qual="any" name="family">
+ <string>Courier</string>
+ </test>
+ <edit name="family" mode="assign" binding="same">
+ <string>Cousine</string>
+ </edit>
+ </match>
+
+<!-- Font cache directory list -->
+
+ <cachedir prefix="xdg">fontconfig</cachedir>
+
+ <config>
+<!--
+ Rescan configuration every 30 seconds when FcFontSetList is called
+ -->
+ <rescan>
+ <int>30</int>
+ </rescan>
+ </config>
+
+ <!-- Standardize rendering settings. -->
+ <match target="pattern">
+ <edit name="antialias" mode="assign"><bool>true</bool></edit>
+ <edit name="autohint" mode="assign"><bool>false</bool></edit>
+ <edit name="hinting" mode="assign"><bool>true</bool></edit>
+ <edit name="hintstyle" mode="assign"><const>hintfull</const></edit>
+ <edit name="lcdfilter" mode="assign"><const>lcddefault</const></edit>
+ <edit name="rgba" mode="assign"><const>none</const></edit>
+ </match>
+</fontconfig>
diff --git a/browser/fonts/moz.build b/browser/fonts/moz.build
@@ -7,3 +7,6 @@
if CONFIG["MOZ_WIDGET_TOOLKIT"] in ("windows", "gtk"):
DIST_SUBDIR = ""
FINAL_TARGET_FILES.fonts += ["TwemojiMozilla.ttf"]
+
+if CONFIG["MOZ_WIDGET_TOOLKIT"] == "gtk":
+ FINAL_TARGET_FILES.fonts += ["fonts.conf"]
diff --git a/gfx/thebes/gfxFcPlatformFontList.cpp b/gfx/thebes/gfxFcPlatformFontList.cpp
@@ -2219,10 +2219,12 @@ void gfxFcPlatformFontList::GetFontList(nsAtom* aLangGroup,
FontFamily gfxFcPlatformFontList::GetDefaultFontForPlatform(
FontVisibilityProvider* aFontVisibilityProvider, const gfxFontStyle* aStyle,
nsAtom* aLanguage) {
- // Get the default font by using a fake name to retrieve the first
- // scalable font that fontconfig suggests for the given language.
+ // We hardcode Arimo also in preferences, and using the original code that
+ // tried to resolve a non-existing font did not play well with our fontconfig
+ // configuration. See
+ // https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41043
PrefFontList* prefFonts =
- FindGenericFamilies(aFontVisibilityProvider, "-moz-default"_ns,
+ FindGenericFamilies(aFontVisibilityProvider, "Arimo"_ns,
aLanguage ? aLanguage : nsGkAtoms::x_western);
NS_ASSERTION(prefFonts, "null list of generic fonts");
if (prefFonts && !prefFonts->IsEmpty()) {
diff --git a/gfx/thebes/gfxPlatformFontList.cpp b/gfx/thebes/gfxPlatformFontList.cpp
@@ -2124,6 +2124,11 @@ static void GetSystemUIFontFamilies(
#if defined(XP_MACOSX) || defined(MOZ_WIDGET_UIKIT)
*aFamilies.AppendElement() = "-apple-system"_ns;
return;
+#elif defined(MOZ_WIDGET_GTK)
+ // tor-browser#43141: Hardcode Arimo in case our custom fontconfig is
+ // missing.
+ *aFamilies.AppendElement() = "Arimo"_ns;
+ return;
#elif !defined(MOZ_WIDGET_ANDROID)
*aFamilies.AppendElement() = "sans-serif"_ns;
return;
diff --git a/layout/base/nsLayoutUtils.cpp b/layout/base/nsLayoutUtils.cpp
@@ -9650,7 +9650,9 @@ static void GetSpoofedSystemFontForRFP(LookAndFeel::FontID aFontID,
// In general, Linux uses some sans-serif, but its size can vary between
// 12px and 16px. We chose 15px because it is what Firefox is doing for the
// UI font-size.
- aName = u"sans-serif"_ns;
+ // tor-browser#43141: Hardcode Arimo in case our custom fontconfig is
+ // missing.
+ aName = u"Arimo"_ns;
aStyle.size = 15;
#else
# error "Unknown platform"
diff --git a/toolkit/mozapps/update/updater/updater.cpp b/toolkit/mozapps/update/updater/updater.cpp
@@ -3304,6 +3304,10 @@ int NS_main(int argc, NS_tchar** argv) {
putenv(const_cast<char*>("MOZ_USING_SERVICE="));
#endif
+#if defined(XP_UNIX) && !defined(XP_MACOSX)
+ unsetenv("FONTCONFIG_PATH");
+#endif
+
if (argc == 2 && NS_tstrcmp(argv[1], NS_T("--channels-allowed")) == 0) {
#ifdef MOZ_VERIFY_MAR_SIGNATURE
int rv = PopulategMARStrings();
diff --git a/toolkit/xre/nsXREDirProvider.cpp b/toolkit/xre/nsXREDirProvider.cpp
@@ -593,6 +593,25 @@ void nsXREDirProvider::FinishInitializingUserPrefs() {
}
}
+#ifdef MOZ_WIDGET_GTK
+static nsresult SetFontconfigConfigFile(nsCOMPtr<nsIFile> appDir) {
+ NS_ENSURE_TRUE(appDir, NS_ERROR_NULL_POINTER);
+ nsCOMPtr<nsIFile> confDir;
+ nsresult rv = appDir->Clone(getter_AddRefs(confDir));
+ NS_ENSURE_SUCCESS(rv, rv);
+ rv = confDir->AppendNative("fonts"_ns);
+ NS_ENSURE_SUCCESS(rv, rv);
+ nsAutoCString confPath;
+ rv = confDir->GetNativePath(confPath);
+ NS_ENSURE_SUCCESS(rv, rv);
+ if (NS_WARN_IF(setenv("FONTCONFIG_PATH", confPath.BeginReading(), 1) != 0 ||
+ setenv("FONTCONFIG_FILE", "fonts.conf", 1) != 0)) {
+ return NS_ERROR_FAILURE;
+ }
+ return NS_OK;
+}
+#endif
+
NS_IMETHODIMP
nsXREDirProvider::DoStartup() {
nsresult rv;
@@ -611,6 +630,13 @@ nsXREDirProvider::DoStartup() {
*/
MOZ_ASSERT(mPrefsInitialized);
+#ifdef MOZ_WIDGET_GTK
+ // FontConfig might be initialized by GTK/Pango, so we need to define its
+ // config variables before doing anything.
+ rv = SetFontconfigConfigFile(mGREDir);
+ NS_ENSURE_SUCCESS(rv, rv);
+#endif
+
bool safeModeNecessary = false;
nsCOMPtr<nsIAppStartup> appStartup(
mozilla::components::AppStartup::Service());
diff --git a/widget/gtk/nsLookAndFeel.cpp b/widget/gtk/nsLookAndFeel.cpp
@@ -1268,6 +1268,13 @@ static void GetSystemFontInfo(GtkStyleContext* aStyle, nsString* aFontName,
gfxFontStyle* aFontStyle) {
aFontStyle->style = FontSlantStyle::NORMAL;
+#ifdef BASE_BROWSER_VERSION
+ *aFontName = u"\"Arimo\"";
+ aFontStyle->systemFont = true;
+ aFontStyle->weight = FontWeight::NORMAL;
+ aFontStyle->stretch = FontStretch::NORMAL;
+ aFontStyle->size = 14;
+#else
// As in
// https://git.gnome.org/browse/gtk+/tree/gtk/gtkwidget.c?h=3.22.19#n10333
PangoFontDescription* desc;
@@ -1302,6 +1309,7 @@ static void GetSystemFontInfo(GtkStyleContext* aStyle, nsString* aFontName,
aFontStyle->size = size;
pango_font_description_free(desc);
+#endif
}
bool nsLookAndFeel::NativeGetFont(FontID aID, nsString& aFontName,
