Font fingerprinting – is what fonts you have, and how they are drawn. Based on measuring dimensions of the filled with text HTML elements, it is possible to build an identifier that can be used to track the same browser over time.
Font metric-based fingerprinting is tightly crossed with the canvas fingerprinting. It is probably weaker fingerprinting technique, since canvas gets not only bounding boxes but also pixel data. On the other hand font fingerprinting is much more difficult to defend.
Text rendering is a subtle and complex part of a web browser. Even in the Latin alphabet, layout is more than simply stacking boxes together: considerations such as ligatures, kerning, and combining characters come into play. Some other writing systems are even more complex, causing browsers to rely on OS-provided libraries for text layout. These libraries, including Pango on GNU/Linux, Graphics Device Interface (GDI) or DirectWrite on Windows, and Core Text on Mac OS X, are independent code bases and do not behave identically. Browsers additionally impose their own customizations atop the base text rendering
Here are a few types of the font fingerprinting:
- JS Fonts (unicode) – produced by measuring the bounding boxes of a certain Unicode code points, based on the above study.
- JS Fonts (classic) – uses CSS fallback mechanism to compare prepared font list against generic font families.
- Flash Fonts – is the most primitive, Flash has a method that simply returns an array of available system fonts. (not supported in modern browsers)
Kameleo takes care about it. Gets the fonts from the Base Profile and hides the extra ones installed on your computer. You can add Fonts in the configuration of Kameleo but it is not recommended.