Add font permission: allow 1st-party fonts, block 3rd-party/remote fonts

Font foundries, like Google’s, can track to which sites you visit when those sites deliver fonts from the factory instead of using their own. The site points the user at the font foundry to get the 3rd-party fonts which means the font foundry knows where you visited, and when.

I want to allow 1st-party fonts while blocking 3rd-party (off-domain) fonts. In Brave’s shields, font blocking is either all on or all off. Please add an option to font permissions: “Allow 1st-party fonts (block 3rd-party fonts”.

Not all fonts are evil (used for tracking). Since the user already opted to visit a web site, 1st-party fonts will not provide any more tracking than the site can already do otherwise. Sites use 3rd-party fonts either at font foundries or at CDNs (Content Delivery Networks) to offload some of the bandwidth on their web site to the off-domain service. They also don’t have to maintain their own fonts. They are not concerned how 3rd-party fonts can track their visitors.

Under permissions for fonts, the added option would look like:

  • Sites can ask to use fonts installed on your device.
  • Don’t allow sites to use fonts installed on your device.
  • Allow 1st-party (on-domain) fonts. Block 3rd-party (off-domain) fonts.

For more information regarding use of fonts for tracking, see uBlock Origin’s article at No remote fonts. While uBO’s option also allows all or blocks all fonts, it notes how a custom filter can be added to block 3rd-party/remote fonts. I added this filter to both uBO in Firefox, and in Brave’s shields custom filters which looks like:

! Block 3rd party remote fonts, allow 1st party remote fonts
*$font,third-party

However, a config option would be preferred, especially for users that do not want to learn the Adblock syntax to define custom filters. Should the user want to toggle between allowing or blocking remote fonts, having to edit a custom filter is clumsy, and non-intuitive. A config option would make easy the toggle. Since this is a permission, a Brave user could easily toggle the setting by clicking on the left-side address bar icon to switch on/off the setting. I’m not sure if this affects only the current site in the tab, and gets remembered, or if that affects the setting globally for all sites. I clicked on the Shields icon in the toolbar, but there was no entry for font permission to save as a site preference for the site in the active tab.

There are times when a site becomes difficult or impossible to use if remote fonts are blocked. An element uses a remote font to display an image hinting to the purpose of the element, like a button, but has no popup when hovering over the element to identify the intent of the element.

https://secure.fanboy.co.nz/fanboy-antifonts.txt

Keep in mind, it will break some sites.

Ad/content blocking deletes elements or resources in a web page without any mending, so any blocking can break a site. I visit web sites that use remote fonts. When I block them, placeholders are shown in place of the icons that were for the remote fonts.

Remote fonts are rarely to present an entire document in the remote font. They are used for iconic elements, like symbols on buttons. The buttons still function, but what they do may be unknown if unfamiliar with the web site. My pharmacy likes to use remote fonts to show arrows, and other iconic symbols on buttons. They don’t understand they are enabling their font foundry to track their users. Google’s fonts are part of their Analytics service, too.

Google is using fonts to track what users do online and sell data to advertisers.

Any tracking and ad/content you block will break the web page expecting access to those resources. Just how broken will be the web page depends on how dependent is the rest of the web page on those resources.

Since this would be a permission, users could except a site, so remote fonts are allowed now and later. Or, the user accepts the placeholders for the characters that cannot be displayed for blocked remote fonts. The elements, like buttons, will still work, but they may not be readily recognized for their intended use.

Your block list specifies filters by domain. Wouldn’t my global filter cover your per-domain filters by applying against all domains? There is one filter in your block list that looks to block a Javascript file used in GoogleAPIs as a web font loader.

Google Hosted Libraries
Github - typekit/webfontloader

My single custom filter does not address script sources that generate or point to font sources. I don’t know how prevalent is the use of their webfont loader versus a web page referencing Google’s remote fonts.

Some sites will cache Google’s fonts at their server, so those fonts become 1st-party (non-remote) fonts. Those would not get blocked by a “block 3rd-party/off-domain/remote fonts” option. If they track you, they don’t need fonts to do it. However, every site I’ve visited that uses Google fonts is pointing to them as a off-domain resource which then offers an opportunity for Google to track your IP address, which site you were at, and when you visited there.