WordPress.org

Forums

Privacy: web fonts in particular (9 posts)

  1. gessel
    Member
    Posted 9 months ago #

    WordPress core makes calls to Gravatar, fonts.googleapis.com (Open Sans), w.org when a page loads.

    It would be a nice, privacy enhancing feature to offer a toggle in the admin UI that would eliminate all third party calls. When a visitor comes to a page, all data is loaded from the server serving and no logs are generated on nominally invisible third party sites.

  2. gessel
    Member
    Posted 9 months ago #

    Line 580: // Hotlink Open Sans, for now

    It would be cool if there was an option for locally serving fonts, say by incorporating this script:
    https://github.com/DaAwesomeP/php-offline-fonts/

    This would achieve all of the compatibility of Google's user agent checks but wouldn't leak user data to Google.

    It doesn't solve the problem of closed LAN operation, but perhaps this could be solved with local download and code like this:
    @font-face {
    font-family: 'MyWebFont';
    src: url('webfont.eot'); /* IE9 Compat Modes */
    src: url('webfont.eot?#iefix') format('embedded-opentype'), /* IE6-IE8 */
    url('webfont.woff') format('woff'), /* Modern Browsers */
    url('webfont.ttf') format('truetype'), /* Safari, Android, iOS */
    url('webfont.svg#svgFontName') format('svg'); /* Legacy iOS */
    }

    (from http://css-tricks.com/snippets/css/using-font-face/)

    The goals being:

    1) Eliminate privacy compromising calls to third parties,
    2) Transparent operation on a closed LAN.

  3. Andrew
    Nuh uh moderator
    Posted 9 months ago #

    When a visitor comes to a page, all data is loaded from the server serving and no logs are generated on nominally invisible third party sites.

    It's up to theme and maybe plugin authors to decide how they handle fonts.

  4. gessel
    Member
    Posted 9 months ago #

    Unless the visitor hits the login page, and then WordPress generates these font calls

    #	Result	Protocol	Host	URL	Body	Caching	Content-Type	Process	Comments	Custom
    19	200	HTTP	fonts.googleapis.com	/css?family=Open+Sans%3A300italic%2C400italic%2C600italic%2C300%2C400%2C600&subset=latin%2Clatin-ext&ver=3.9.1	1,672	private, max-age=86400; Expires: Sun, 20 Jul 2014 14:44:07 GMT	text/css	iexplore:9684

    and then these

    #	Result	Protocol	Host	URL	Body	Caching	Content-Type	Process	Comments	Custom
    25	200	HTTP	themes.googleusercontent.com	/static/fonts/opensans/v8/DXI1ORHCpsQm3Vp6mXoaTRa1RVmPjeKy21_GQJaLlJI.woff	38,344	public, max-age=31536000; Expires: Thu, 16 Jul 2015 05:18:34 GMT	font/woff	iexplore:9684
    26	200	HTTP	themes.googleusercontent.com	/static/fonts/opensans/v8/MTP_ySUJH_bn48VBG8sNSha1RVmPjeKy21_GQJaLlJI.woff	38,484	public, max-age=31536000; Expires: Thu, 16 Jul 2015 05:18:34 GMT	font/woff	iexplore:9684
    27	200	HTTP	themes.googleusercontent.com	/static/fonts/opensans/v8/PRmiXeptR36kaC0GEAetxrsuoFAk0leveMLeqYtnfAY.woff	36,816	public, max-age=31536000; Expires: Wed, 15 Jul 2015 13:49:19 GMT	font/woff	iexplore:9684
    28	200	HTTP	themes.googleusercontent.com	/static/fonts/opensans/v8/PRmiXeptR36kaC0GEAetxmWeb5PoA5ztb49yLyUzH1A.woff	36,832	public, max-age=31536000; Expires: Fri, 17 Jul 2015 18:55:32 GMT	font/woff	iexplore:9684

    Or if the user is logged in, then the header bar generates the following requests:

    #	Result	Protocol	Host	URL	Body	Caching	Content-Type	Process	Comments	Custom
    73	200	HTTP	fonts.googleapis.com	/css?family=Open+Sans%3A300italic%2C400italic%2C600italic%2C300%2C400%2C600&subset=latin%2Clatin-ext&ver=3.9.1	1,672	private, max-age=86400; Expires: Sun, 20 Jul 2014 14:45:46 GMT	text/css	iexplore:9684

    And then loads these:

    #	Result	Protocol	Host	URL	Body	Caching	Content-Type	Process	Comments	Custom
    89	200	HTTP	themes.googleusercontent.com	/static/fonts/opensans/v8/PRmiXeptR36kaC0GEAetxrsuoFAk0leveMLeqYtnfAY.woff	36,816	public, max-age=31536000; Expires: Wed, 15 Jul 2015 13:49:19 GMT	font/woff	iexplore:9684
    90	200	HTTP	themes.googleusercontent.com	/static/fonts/opensans/v8/DXI1ORHCpsQm3Vp6mXoaTRa1RVmPjeKy21_GQJaLlJI.woff	38,344	public, max-age=31536000; Expires: Thu, 16 Jul 2015 05:18:34 GMT	font/woff	iexplore:9684
    91	200	HTTP	themes.googleusercontent.com	/static/fonts/opensans/v8/MTP_ySUJH_bn48VBG8sNSha1RVmPjeKy21_GQJaLlJI.woff	38,484	public, max-age=31536000; Expires: Thu, 16 Jul 2015 05:18:34 GMT	font/woff	iexplore:9684
    92	200	HTTP	themes.googleusercontent.com	/static/fonts/opensans/v8/PRmiXeptR36kaC0GEAetxmWeb5PoA5ztb49yLyUzH1A.woff	36,832	public, max-age=31536000; Expires: Fri, 17 Jul 2015 18:55:32 GMT	font/woff	iexplore:9684

    Meaning that by visiting a WordPress site (and either logging in or attempting to), a user inadvertently and (typically) unknowingly generates logs on Google's servers that create a record of the visit: IP, time, date, and browser and the referrer ID so that Google has and can (and must) provide on request to any law enforcement agency, and can (and probably does) sell to any advertiser records of every logged in visit or login attempt to any WordPress site.

    Obviously Google is selling the font service in exchange for this information. While that might be a fair transaction for some, it seems inappropriate to sell users' data for convenience without their consent or knowledge. And seriously, is this transgression of user privacy warranted to render these informational pages in something other than the system font?

  5. Obviously Google is selling the font service in exchange for this information.

    Not exactly but I am 100% certain that they model all data available to them. ;)

    WordPress core makes calls to Gravatar, fonts.googleapis.com (Open Sans), w.org when a page loads.

    I don't disagree with you but if you can point to specific file examples in WordPress code then this can most likely be remediated for your installation.

    The reason I mention this is that some users run WordPress in a closed network environment where access to those font files is not available.

    Either those fonts are from your theme or the core files (I haven't looked) can be overwritten via a filter or action.

  6. gessel
    Member
    Posted 9 months ago #

    Not exactly but I am 100% certain that they model all data available to them. ;)

    :-) Totally agreed - but we can't ever be certain of what information they do make available or to whom and it seems consistent with company policy to Keep All The Datas.

    In the current release, Google's servers are summoned from two lines:

    ./wp-includes/script-loader.php:602:            $open_sans_font_url = "//fonts.googleapis.com/css?family=Open+Sans:300italic,400italic,600italic,300,400,600&subset=$subsets";
    ./wp-includes/js/tinymce/plugins/compat3x/css/dialog.css:1:@import url(//fonts.googleapis.com/css?family=Open+Sans:300italic,400italic,600italic,300,400,600&subset=latin-ext,latin);

    The comment above the line in script-loader.php reads...

    // Hotlink Open Sans, for now

    ...implying that the hotlinking call is intended to be a temporary shortcut, perhaps one that can be cleaned up.

    In dialog.css, the call is more typical (it seems atypical to define a font in a .php file rather than a .css file, no?).

    @import url(//fonts.googleapis.com/css?family=Open+Sans:300italic,400italic,600italic,300,400,600&subset=latin-ext,latin);
    
    /* Generic */
    body {
    font-family: "Open Sans", sans-serif;
    font-size:13px;
    background:#fcfcfc;
    padding:0;
    margin:8px 8px 0 8px;
    }

    This can easily be cleaned up as:

    /* @import url(//fonts.googleapis.com/css?family=Open+Sans:300italic,400italic,600italic,300,400,600&subset=latin-ext,latin); */
    
    /* Generic */
    body {
    /* font-family: "Open Sans", sans-serif; */
    font-family: "Trebuchet MS",Trebuchet,Verdana,Sans-Serif; /* font-family, not the font shorthand, which is invalid without a size */
    font-size:13px;
    background:#fcfcfc;
    padding:0;
    margin:8px 8px 0 8px;
    }

    The TinyMCE font definition is easier to deal with as it is thenceforth known as "body" not "Open Sans." TinyMCE looks just fine testing this fix and from now on I won't generate Google logs every time I edit a post. Please note I am not claiming aesthetic equivalence for the substitution. If Open Sans is the One True and Right font for this application, then serve it locally (Open Sans off FontSquirrel is Apache Licensed). I personally appreciate Source Sans' differentiation between 1,l and I; Open Sans renders I and l pretty much undifferentiably. Let's not tar all things Adobe just because The Steve didn't like the Flash.

    The way Open Sans is used in core WordPress code is slightly less... elegant? It is referenced in 71 places (including 6 references in twentytwelve) including:

    ./wp-admin/css/dashboard-rtl.css:997:/* Make the browser nags easier to read with Open Sans */

    And while I agree it is a fine font, aesthetics and convenience should not trump privacy. Further, while it is one thing to be involuntarily harvested and sold to marketers and data aggregators so a programmer can enjoy the tasty bit of cheese with which the trap was baited, people do use WordPress as a platform to disseminate information and news around repressive regimes, occasionally regimes where Google maintains a locus of business and must therefore comply with national law, laws which may mirror or exceed CALEA and NSLs. As the data aggregated includes the visitor's IP and the referrer URL, even if the site itself is hosted on protected servers underground in Sweden and run by trusted dissidents with as much to lose as the visitors, a programmatic shortcut to a cosmetic conceit creates a backdoor that could, literally, cost lives.

  7. ClaytonJames
    Member
    Posted 9 months ago #

    While I have never used or even examined it myself, I have seen this referenced in past conversations as a possible option; http://wordpress.org/plugins/disable-google-fonts/

  8. Gravatar can be disabled from Settings -> Discussion. Uncheck Avatar Display.

    w.org calls are what pings back to WordPress and tells you that you need upgrades.

  9. gessel
    Member
    Posted 9 months ago #

    Ipstenu, thanks - Lightbeam failed me on Gravatar. I turned off Gravatars in the UI and saw the connection still shown in Lightbeam. Testing later, I found it was polling for the favicon that Lightbeam itself was using to display the connection. Oops.

    The updates to w.org would be non-threatening to visitors, though consistent with respecting the privacy of WordPress installers, it should be possible (though obviously a security risk) to disable any callbacks through the UI.

    That leaves only the one font call, which, ultimately, is a trivial fix and can hopefully be implemented promptly.

    I'd suggest that a privacy disclosure be required for the core and all plugins. I'd suggest that a simple administration page enumerate any calls to third parties by the core and any plugins that call third parties (either at all or by third party) and have provisions for disabling them in that view. This would give administrators easy access to the information necessary to protect their own and their visitors' privacy and developers some incentive to respect privacy where possible.
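
Added example (not part of any post in this thread, and not WordPress code): both hotlinks quoted in post 6 are protocol-relative (`//fonts.googleapis.com/...`), so a search for `http://` alone misses them. This Python script lists every third-party host hard-coded in a source tree, as a starting point for the enumeration suggested in post 9. The site host `blog.example.org` and the theme file are assumed names, and the sample lines are constructed from the ones quoted in the thread with the query string shortened.

```python
import os
import re
from collections import defaultdict

# Absolute or protocol-relative URL. Both hotlinks quoted in the thread are
# protocol-relative ("//fonts.googleapis.com/..."), which an "https?://" grep misses.
URL_RE = re.compile(r"(?<![:\w/])(?:https?:)?//([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})")
EXTENSIONS = (".php", ".css", ".js", ".html")

def is_first_party(host, site_host):
    return host == site_host or host.endswith("." + site_host)

def third_party_hosts(files, site_host):
    """files maps path -> source text; returns {host: [(path, line_no), ...]}."""
    hits = defaultdict(list)
    for path, text in sorted(files.items()):
        for line_no, line in enumerate(text.splitlines(), 1):
            for match in URL_RE.finditer(line):
                host = match.group(1).lower()
                if not is_first_party(host, site_host):
                    hits[host].append((path, line_no))
    return dict(hits)

def read_tree(root):
    """Load every source file under root (e.g. a WordPress install) for scanning."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.endswith(EXTENSIONS):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[full] = fh.read()
    return files

# Constructed sample: the two hotlinks quoted in the thread plus a first-party link.
SAMPLE = {
    "wp-includes/script-loader.php":
        '// Hotlink Open Sans, for now\n'
        '$open_sans_font_url = "//fonts.googleapis.com/css?family=Open+Sans&subset=$subsets";\n',
    "wp-includes/js/tinymce/plugins/compat3x/css/dialog.css":
        '@import url(//fonts.googleapis.com/css?family=Open+Sans&subset=latin-ext,latin);\n',
    "wp-content/themes/example/header.php":
        '<link rel="stylesheet" href="https://blog.example.org/wp-content/style.css">\n',
}

if __name__ == "__main__":
    for host, where in third_party_hosts(SAMPLE, "blog.example.org").items():
        print(host, where)
```

For a real install, pass `read_tree()` the WordPress directory and the site's own host name. A match only shows a hard-coded URL, and URLs assembled at run time are not found, so the browser's network log remains the check for what is actually requested.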
