If you only read the paranoia asserting that Google "tracks users" through Google Fonts, then you'd incorrectly think that there's a cookie, a credential, or an API key sent from the browser, which there isn't. There's a whole FAQ about this, but why bother reading?

@n8 Just yet another source of mass data for the data gobbler. Nothing implied beyond that.
A lot of people are placing one company at the backbone of the web, as CDN, as DNS resolver, as search provider and as broker of funding. This gives them unique insight into web traffic, creates a single organizational point of failure, and is a concern for the open web.

@n8 @clacke the faq to which you linked even admits it crossreferences datasets with its other services in the interest of analytics. cookies aren't needed when a party can construct identities from your ip address, useragent, referer, and other metadata alone. and google has a large enough dataset to do this with relative success

this alone isn't malice but it indicates how much useless metadata browsers send, even on the most innocuous of requests

@wowaname @clacke That's a bug to report to the browser maker. And true of every web server.

@n8 @clacke
>true of every web server

and i never suggested otherwise. google's just the topic of this thread

>bug to report to the browser maker

while i agree it's a bug, it isn't specific to browsers; it requires effort on behalf of both server administrators and web UAs to change these de-facto standards. note that tor browser is trying to take up the task of lowering browser fingerprints, so they'll probably be the main source of this type of innovation

@n8 do note that i believe google providing most of the web's fonts is a harmful gesture against the open web; as @clacke stated, it introduces a single point of failure to the web, along with AMP, reCAPTCHA, and non-google services such as cloudflare

@wowaname @clacke If Google Fonts is providing most of the web's fonts, that's inaction on the part of all the other people who COULD BE providing open-source webfonts themselves, but choose not to. It is not a "gesture" on the part of Google Fonts.

@n8 @clacke it's foolish to assume though, that google doesnt know its standing in the web ecosystem

in any case i dislike webfonts as a concept. theres a reason i chose a specific system font: it's easier for me to read than all these other ones. unfortunately font icons became a webdev meme at some point so im stuck with keeping webfonts enabled until frontend developers go back to something sane like svg

@n8 Google Chrome sends a unique ID per browser install in a header called X-Client-Data to Google's own websites. Combine this with a referer header and they can track a specific browser across all sites using Google Fonts.

Combine it with people signed into Google accounts and they know a specific user's movements across the Internet, even if they have cookies and JavaScript turned off.

(FWIW: Google Analytics, their CDN, and even DNS services track people too.)

@n8 Even without the unique ID chrome sends, Google could still associate browsing history with IP addresses, of course. It's not as reliable as IP addresses change and multiple people use the same public IP address behind a NAT, but it's still good probably enough for inference, especially with other forms of browser fingerprinting.

(The web is an insecure mess. And it's not just Google tracking everyone, of course…)

@n8 I do love that Google Fonts exists and that Google funds development of open source fonts.

However, MOST websites don't need a CDN, especially for smallish fonts that don't change so frequently.

Usually, often-changing JavaScript blobs far outweigh fonts these days, especially now that we can simply just use WOFF2.

@garrett Yeah, the main CDN-ness of Google Fonts lies in the fact that the font files themselves are cached locally for reuse. It'd be interesting so explore some way to do the same regardless of the origin of the file, but I suspect people would complain about privacy issues there even if it was doable technically.

And I suppose most of the complainers re Google Fonts do not grasp that the alternative is other services like Adobe Typekit and the like.

@n8 @garrett It's not like it would be hard technically, a resource name and type or hash should be more than enough to cache a resource no matter the origin. It's just that no browser implemented something like that.

@murks @n8 It would be nice to have something like Decentraleyes:

Ship the most common fonts, strip headers the first time downloading others. Always intercept and serve a local copy instead.

@garrett @murks What's to prevent site B from "fingerprinting" a browser by requesting every font-hash it knows about, though? This is already a problem just with font *names*; it's likely even more exploitable when you ask the browser to compute on objects in the cache. Besides, you've still got to solve the problem of partially-downloaded fonts. This is a huge concern (literally) in CJK. There are no easy answers.

@emanuele @erAck @xrevan86 @mplammers @dublinux @EvanHahn @shaen

Heated and partially illuminating discussion about Google Fonts based on… sprouted over here.

Keep it nice, assume good faith. We all want the web to be better, the question is what to do about it.

@garrett @murks @n8

Web sites could host the fonts instead of lazy embedding them from, problem solved.
@dublinux @emanuele @EvanHahn @garrett @shaen @murks @mplammers @n8

@erAck @clacke @dublinux @emanuele @EvanHahn @garrett @shaen @mplammers @n8

Ideally the browser would load a font (or any other asset really) once from wherever and cache it, then recognize the same resource again on the same or other websites and use the cached version.

As far as I know, and I admittedly haven't done research on it, this is not currently the case. I think currently browsers cache resources based on the URL, so download origin matters.

@murks @dublinux @emanuele @erAck @EvanHahn @garrett @shaen @mplammers @n8 People have started adding checksums to their references. I don't know what the browser does with that, but it could use it for cross-origin caching.

I certainly do not want to cache the internet's font collection locally in my browser.
@clacke @dublinux @emanuele @EvanHahn @garrett @shaen @mplammers @n8

I don't need that bloat, I have fonts installed. Maybe give me the few symbols I don't have the designer thought were cool to use instead of proper icons.
@dublinux @emanuele @EvanHahn @garrett @shaen @murks @mplammers @n8

@clacke @dublinux @emanuele @erAck @EvanHahn @garrett @shaen @murks I'm not seeing a way in my UI to mute this thread, so please just take me out of it. Feel free to continue at your own leisure, however!

For masto and pleroma users it's easy to just not @ you. It's harder on Friendica side, so maybe I'll just reply to any replies over at the original.

@garrett I concur that the web has lots of problems! Would be nice if people who care about that from a FOSS perspective actually did something about those issues instead of (e.g.) reinventing IRC again every few years.

@garrett Yet, here too, what you are reffering to is definitely an issue in Chrome, rather than an issue in Google Fonts. [Which is what the screenshot I posted was implying.] *I* don't use Chrome. Why would you, if you want anonymity? "Chrome does bad things" is orthogonal to the morality-yardsticking of Google Fonts.

Sign in to participate in the conversation

The original server operated by the Mastodon gGmbH non-profit