
Re: CSS3 @font-face / EOT Fonts

From: Brad Kemper <brkemper.comcast@gmail.com>
Date: Wed, 12 Nov 2008 09:00:34 -0800
Cc: www-style@w3.org
Message-Id: <1A3B573A-F9A7-47AF-89D0-D33E6252C4AB@gmail.com>
To: post@opentype.info

On Nov 9, 2008, at 10:19 PM, Ralf Herrmann wrote:

> > bare font files with same-origin restrictions, so it is unclear if
> > font vendors oppose it.
> If they don't like linking fonts without built-in URL-binding, they  
> won't like linking fonts without URL-binding but a same-origin  
> restriction, because it offers no additional security for the font  
> vendor. It is just a default hotlinking protection.
> If someone would want to use the font without a license, he would  
> just need to visit a site that uses the font, fetch it from the  
> cache and upload it to a new website. Or they could install the font  
> locally to do print designs with it.

Yes, or if it was obfuscated they could download a program to  
obfuscate it. Or if it had a root string they could strip that string  
out of it. Either way, it would not be all that difficult to extract a  
workable font.

You must be joining the conversation late. The goal at this point  
seems to be to make stealing the font a more deliberate action, not  
something that could happen accidentally or casually.

Also, IIRC, there are ways to cache the font in RAM, so that it would  
not be easily available via a cache folder. A person could still get  
it from disk swap files, presumably, but it would not be something the  
average consumer would know how to do.

> And these are the problems the font foundries fear.
> Nevertheless, I think the combination of a same-origin rule and  
> Access Control Headers makes a lot of sense and I hope other browsers  
> will adapt it.
> Ralf
Received on Wednesday, 12 November 2008 17:01:14 UTC
