Font foundries, like Google’s, can track to which sites you visit when those sites deliver fonts from the factory instead of using their own. The site points the user at the font foundry to get the 3rd-party fonts which means the font foundry knows where you visited, and when.
I want to allow 1st-party fonts while blocking 3rd-party (off-domain) fonts. In Brave’s shields, font blocking is either all on or all off. Please add an option to font permissions: “Allow 1st-party fonts (block 3rd-party fonts”.
Not all fonts are evil (used for tracking). Since the user already opted to visit a web site, 1st-party fonts will not provide any more tracking than the site can already do otherwise. Sites use 3rd-party fonts either at font foundries or at CDNs (Content Delivery Networks) to offload some of the bandwidth on their web site to the off-domain service. They also don’t have to maintain their own fonts. They are not concerned how 3rd-party fonts can track their visitors.
Under permissions for fonts, the added option would look like:
- Sites can ask to use fonts installed on your device.
- Don’t allow sites to use fonts installed on your device.
- Allow 1st-party (on-domain) fonts. Block 3rd-party (off-domain) fonts.
For more information regarding use of fonts for tracking, see uBlock Origin’s article at No remote fonts. While uBO’s option also allows all or blocks all fonts, it notes how a custom filter can be added to block 3rd-party/remote fonts. I added this filter to both uBO in Firefox, and in Brave’s shields custom filters which looks like:
! Block 3rd party remote fonts, allow 1st party remote fonts
*$font,third-party
However, a config option would be preferred, especially for users that do not want to learn the Adblock syntax to define custom filters. Should the user want to toggle between allowing or blocking remote fonts, having to edit a custom filter is clumsy, and non-intuitive. A config option would make easy the toggle. Since this is a permission, a Brave user could easily toggle the setting by clicking on the left-side address bar icon to switch on/off the setting. I’m not sure if this affects only the current site in the tab, and gets remembered, or if that affects the setting globally for all sites. I clicked on the Shields icon in the toolbar, but there was no entry for font permission to save as a site preference for the site in the active tab.
There are times when a site becomes difficult or impossible to use if remote fonts are blocked. An element uses a remote font to display an image hinting to the purpose of the element, like a button, but has no popup when hovering over the element to identify the intent of the element.