How to disable permission to read 'System Fonts' and 'Browser Plugin Details' in Chrome and Firefox

There are two questions but I am answering the font list question:

It is possible to disable Flash font enumeration using the mms.cfg system-wide configuration file. This file should be located in the /etc/adobe/ directory if you are using Linux. Basically you just need to put the following line in the file:

    DisableDeviceFontEnumeration = 1

See the Adobe Flash Player Administration Guide for more details.

With this setting, Panopticlick and other sites cannot get your font list via Flash.

Note that the font list is still available through Java if you have it installed. It is a good idea to get rid of Java anyway. If you use a couple of sites that require Java, use a different browser instance with a different user profile with Java enabled just for those sites.


The free Chrome extension RubberGlove blocks plugin and mime-type enumeration by cloaking the array entries in roughly the same way Firefox and Internet Explorer can/do natively.

You still need to set Chrome to "Click to play" plugins and disable 3rd-party cookies in Chrome's privacy settings yourself. Also, as was mentioned in the study, you'll still probably show up as unique until enough people start using plugins like this.

Full disclosure: I'm the author.

This functionality may (or may not) be integrated into the Electronic Frontier Foundation's Privacy Badger extension in future. They seemed interested, anyway.


Font fingerprinting is just a small part of browser fingerprinting. Blocking it totally is almost impossible to do if the purpose is to leave the browser still functional. The best general fingerprint protection is said to be found in the Tor Browser.

In practical tests it was found that trying to block font fingerprinting actually increases the uniqueness of the computer fingerprint, since most users don't do that. The best way to avoid fingerprinting is to do nothing special and blend in with thousands of other users.

The first step against font fingerprinting is to have a test for the effectiveness of any defensive measure that you will take. A good tool here is https://browserleaks.com/fonts. A good tool for the uniqueness of the general fingerprinting is https://panopticlick.eff.org/ (my own browser came up as unique among the 199,984 tested in the past 45 days) or Am I Unique.

For protection in Chrome, measures you may take are:

  • Install instead a hardened Chromium build
  • Use an extension (I have not tested their effectiveness):
    • Font Glyph Fingerprint Privacy Whitelist
      Allows only the default list of fonts that came installed with Windows to be detected.
    • Font Fingerprint Defender
      It adds a small noise to the actual fingerprint and "renews" it every time you visit a website or reload a page.
    • Don't FingerPrint Me
      Adds a tab to Chrome's developer tools which shows browser fingerprinting attempts.

For protection in Firefox

Mozilla is currently working on the Tor Uplift project, whose goal is to build up in Firefox the same level of fingerprinting resistance as in the Tor Browser. This project is in progress and described in the article Security/Fingerprinting.

You could try the Firefox-hardening script on GitHub, ghacks-user.js, although by all reports it may be too much and actually harm browsing.

As far as add-ons go, there is a list of useful add-ons and other advice maintained in the page firefox-tweaks.

For the moment, the measures I know of specifically for Font Fingerprinting are in about:config settings:

  • Right-click and select New > String, creating the new parameter font.system.whitelist, which will list the fonts that JavaScript will see. An example valid value is Helvetica, Courier, Verdana. The change takes effect immediately.
    In my case, this has reduced my own Font Fingerprinting from 266 fonts and 238 unique metrics found in a list of 512 fonts, to "only" 28 fonts and 9 unique metrics. (I have no idea how this would impact browsing.)

  • privacy.resistFingerprinting=true is a general switch to enable privacy measures from the Tor Uplift project as they are implemented. It enables a uniform font list to be distributed. Mozilla does not recommend enabling it since it will break some websites.

  • Disabling the options of "Allow websites to use their own fonts" and the CSS Font Loading API by changing these values:

    browser.display.use_document_fonts = 0
    layout.css.font-loading-api.enabled = false
    font.blacklist.underline_offset = (empty string)
    gfx.downloadable_fonts.enabled = true
    gfx.font_rendering.opentype_svg.enabled = false
    gfx.font_rendering.graphite.enabled = false
    

    (This will most likely degrade browsing.)

Just to remark that I have seen methods discussed for sophisticated Font Fingerprinting and drawing that could even identify the display card and the graphical driver.

My opinion: it is impossible to avoid fingerprinting - fonts are not everything. Even if you:

  • Use a VPN
  • Do the browsing from a vanilla Windows virtual machine
  • Install no fonts or other software
  • Install the most widely-used browser - Chrome, with no extensions
  • Do browsing in Incognito mode that disables all cookies and extensions

then most likely these unique protection methods, together with hardware elements still detectable in the virtual machine, will still make for a unique or almost-unique fingerprint. Not to mention that this environment will be quite hard to use.

For discussions of some known fingerprinting methods, see the following articles:

  • Browser Fingerprinting – Explanation & Solutions (from 2019)
    Contains more information and hacks than I have listed above.

  • New Fingerprinting Techniques (from 2017)

  • Web Browser Security — BrowserLeaks.com
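An added example, not part of the answer above: a Node.js check that reads the text of a profile's prefs.js or user.js and reports which of the font-related about:config values listed in that answer are missing or set differently. The function names and the sample file content are constructed for illustration.

```javascript
// Added example, not from the answer: audit prefs.js / user.js text against
// the font-related values the answer lists. The sample text is constructed.
const EXPECTED_PREFS = {
  'browser.display.use_document_fonts': 0,
  'layout.css.font-loading-api.enabled': false,
  'font.blacklist.underline_offset': '',
  'gfx.downloadable_fonts.enabled': true,
  'gfx.font_rendering.opentype_svg.enabled': false,
  'gfx.font_rendering.graphite.enabled': false,
};

// Parse user_pref("name", value); lines. A later line for the same name
// overrides an earlier one; comments and malformed lines are ignored.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*(?:\/\/.*)?$/;
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line);
    if (!m) continue;
    try {
      prefs.set(m[1], JSON.parse(m[2])); // string, integer or boolean literal
    } catch (e) { /* not a plain literal: skip this line */ }
  }
  return prefs;
}

// Returns one entry per expected pref that is not set to the listed value.
// "unset" means the file has no entry, so Firefox's built-in default applies.
function auditPrefs(text, expected = EXPECTED_PREFS) {
  const actual = parsePrefs(text);
  const findings = [];
  for (const [name, want] of Object.entries(expected)) {
    if (!actual.has(name)) findings.push({ name, status: 'unset', want });
    else if (actual.get(name) !== want)
      findings.push({ name, status: 'mismatch', want, got: actual.get(name) });
  }
  return findings;
}

// Constructed sample resembling a profile's user.js.
const SAMPLE_USER_JS = [
  '// font hardening',
  'user_pref("browser.display.use_document_fonts", 1);',
  'user_pref("browser.display.use_document_fonts", 0);',
  'user_pref("layout.css.font-loading-api.enabled", false);',
  'user_pref("font.blacklist.underline_offset", "");',
  'user_pref("gfx.font_rendering.opentype_svg.enabled", true);',
].join('\n');
```

prefs.js only records values that differ from the defaults, so an "unset" finding is not necessarily a problem; check the effective value in about:config.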


In Firefox 28:

Type about:config in the location bar

Find plugins.enumerable_names

Set the entry to nothing.

Visit https://panopticlick.eff.org/ to verify plugins are no longer listed.
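An added example, not code from RubberGlove or Firefox: a simplified model of the plugin-enumeration cloaking that the RubberGlove answer and the plugins.enumerable_names answer both describe. It assumes that the setting is a comma-separated list of plugin-name prefixes (with `*` meaning all) and that lookups by exact name stay available; the plugin list is constructed.

```javascript
// Added illustration: a simplified model of plugin-enumeration cloaking.
// Not RubberGlove's or Firefox's code; the plugin list below is constructed.
const SAMPLE_PLUGINS = [
  { name: 'Shockwave Flash', filename: 'libflashplayer.so' },
  { name: 'Java(TM) Plug-in', filename: 'libnpjp2.so' },
  { name: 'Example PDF Viewer', filename: 'libexamplepdf.so' },
];

// enumerableNames is modelled on plugins.enumerable_names (assumed format):
// "" hides everything, "*" shows everything, otherwise a comma-separated
// list of name prefixes that stay enumerable.
function cloakPlugins(plugins, enumerableNames) {
  const prefixes = enumerableNames.split(',').map(s => s.trim()).filter(Boolean);
  const visible = plugins.filter(p =>
    prefixes.some(pre => pre === '*' || p.name.startsWith(pre)));
  const byName = new Map(plugins.map(p => [p.name, p]));
  const isIndex = k => typeof k === 'string' && /^(0|[1-9]\d*)$/.test(k);

  return new Proxy({}, {
    get(_target, key) {
      if (key === 'length') return visible.length;
      if (isIndex(key)) return visible[Number(key)];
      if (key === Symbol.iterator) return () => visible[Symbol.iterator]();
      // Assumption: a page that already knows the exact name can still ask
      // for it, so "install missing plugin" checks keep working.
      return typeof key === 'string' ? byName.get(key) : undefined;
    },
    has(_target, key) {
      return isIndex(key) ? Number(key) < visible.length : byName.has(key);
    },
    // Only the visible indices are listed to Object.keys and for...in.
    ownKeys() { return visible.map((_p, i) => String(i)); },
    getOwnPropertyDescriptor(_target, key) {
      if (!isIndex(key) || Number(key) >= visible.length) return undefined;
      return { value: visible[Number(key)], enumerable: true, configurable: true, writable: false };
    },
  });
}

// What a script walking the (cloaked) array would collect.
function enumerateNames(pluginArray) {
  return Array.from(pluginArray, p => p.name);
}
```

With an empty setting the walk returns nothing, which removes the full plugin list from the fingerprint, while a probe for one specific name still answers; that residual signal is why the answers above suggest verifying the result on a test site.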


JavaScript has the ability to check what plugins are installed; this is generally used to give an "install missing plugin" message if needed. If you want, you could disable plugins in the settings, and disable JavaScript using an add-on like Javascript Blacklist for Chrome, or Quick Java statusbar for Firefox.