Flash Player 26.0.0.131 device fonts


#1

Can anyone check if device fonts are no longer showing in FP 26.0.0.131 in release build swf on Firefox on Mac?

This code lists all device fonts on debug swf but on release swf it only shows embedded fonts:

protected function applicationCompleteHandler(event:Event):void {
	var showDeviceInfo:Boolean = true;

	var deviceFonts:Array = Font.enumerateFonts(showDeviceInfo);
	trace("Device:\n"+ deviceFonts.join("\n"));

	var embeddedFonts:Array = Font.enumerateFonts(!showDeviceInfo);
	trace("Embedded:\n"+ embeddedFonts.join("\n"));
}


#2

I don’t have time to test right now
but that’s the kind of thing that could (should?) be automated
eg. be able to run some “spike tests” and other snippets against different version/browser/… etc.


#3

Interesting… It appears the device fonts are not listed when in private browsing mode in Firefox or Safari (on Mac). They show up correctly when open in a normal browser window.

This might be a good thing? It means the Flash Player or the browser manufacturer is aware that you are in private browsing mode and limits identifying information. I just searched and there no ticket for this was found in the Flash Player ticket tracker. The issue has been raised in browser based forums (stack overflow). So the next logical question is does Flash Player get the font list from the browser or through it’s own API?


#4

Seems logic as the Flash Player always taped into the browser capabilities for many things like sockets, languages, event loop, etc.

I don’t see why it would be considered as an issue, it’s not a bug it’s the wanted behavior:
it is normal to not have access to all the “details” when the browser is in “private browsing”.

Look at Font Fingerprinting on browserleaks.com

Font fingerprinting – is what fonts you have, and how they are drawn. Based on measuring dimensions of the filled with text HTML elements, it is possible to build an identifier that can be used to track the same browser over time.

Font metric-based fingerprinting is tightly crossed with the canvas fingerprinting. It is probably weaker fingerprinting technique, since canvas gets not only bounding boxes but also pixel data. On the other hand font fingerprinting is much more difficult to defend.

So when your browser is in privacy mode I would say blocking the listing of fonts would be mandatory.