Protecting identity - blocking System Fonts info

[JJoe]

The filter is changing the code as expected.
Thing is, I'm not suprised to see the fonts displayed (again no js or flash expert here).

The complete unfiltered script is

Code:

<script type="text/javascript">
//<![CDATA[

        var fontsok = false;
        function fontList(aFonts) {
            var fontdetail = 0;
            if (typeof(aFonts) == "string") {
                var fonts = aFonts.split(",");
                $("#fontsnum").text(fonts.length);
                $("#fontslist").text("Please wait while list of font are bing generated...");
                if (fontdetail) {
                    var rows = getFontRows(fonts);
                    $("#fontslistrow").hide();
                    $("#fontsbody").append(rows);
                } else {
                    $("#fontslist").text("");
                    for (var i = 0; i < fonts.length; i++) {
                        $("#fontslist").append(fonts[i] + "<br/>");
                    }
                }
                fontsok = true;
            } else {
                $("#fontsnum").html("Flash doesn't seems to be installed or working! <a href=\"flash.php\">Check Flash
</a>.");
                $("#fontslist").html("Flash doesn't seems to be installed or working! <a href=\"flash.php\">Check Flash
</a>.");
            }
        };
        $("#flashcontent").flash(
            {
                "src": "flash/fonts.swf",
                "width": "1",
                "height": "1",
                "swliveconnect": "true",
                "id": "fontshelper",
                "name": "fontshelper"
            }
        );
        $(document).oneTime(4000, function() {
            if (!fontsok) {
                var fonts = false;
                var obj = document.getElementById("fontshelper");
                if (typeof(obj.GetVariable) != "undefined") {
                    fonts = obj.GetVariable("/:user_fonts");
                }
                fontList(fonts);
            }
        });
    //]]>
</script>

I think there are two mechanisms to gather the fonts. The second, activated by "if (!fontsok)", is removed by the filter.

Took some time to find a free decompiler but the BrowserSpy flash file decompiles to

Code:

//----------------------------------------------------------------------
//Frame 1
//----------------------------------------------------------------------
var user_fonts = textfield.getfontlist();
user_fonts.sort();
geturl (("javascript:fontList(\"" + escape(user_fonts)) + "\")", "_self");

I think the flash uses "geturl" to call the function "fontList" and pass the escaped contents of "user_fonts". The "geturl" method appears to fail or be blocked on my Win7 64bit machine when using IE8. I thought it might be IE8's "protected mode" but it wasn't.

Some web searching seems to indicate that "geturl" has not always 'worked' and is being deprecated.



The panopticlick swf decompiles to

Code:

//----------------------------------------------------------------------
//Frame 1
//----------------------------------------------------------------------
var user_fonts = textfield.getfontlist();
geturl (("javascript:fontList(\"" + escape(user_fonts)) + "\")", "_self");

They have "geturl" call for "fontList" but they don't seem to use or need it.
The "fontList" function is only found in the swf file for panopticlick.


too curious