- From: Glenn Adams <glenn@skynav.com>
- Date: Thu, 30 Jun 2011 15:23:59 -0600
- To: "Levantovsky, Vladimir" <Vladimir.Levantovsky@monotypeimaging.com>
- Cc: John Daggett <jdaggett@mozilla.com>, John Hudson <tiro@tiro.com>, "liam@w3.org" <liam@w3.org>, StyleBeyondthePunchedCard <www-style@w3.org>, "public-webfonts-wg@w3.org" <public-webfonts-wg@w3.org>, "www-font@w3.org" <www-font@w3.org>, "Martin J." <duerst@it.aoyama.ac.jp>, Sylvain Galineau <sylvaing@microsoft.com>
- Message-ID: <BANLkTi=DTJzM-NhHhARq5C5BRw4+ssMjCQ@mail.gmail.com>
What are those EULA clauses about if not content protection? To quote wikipedia: *"*techniques used for preventing the reproduction of software, films, music, and other media, usually for copyright<http://en.wikipedia.org/wiki/Copyright> reasons." I am using CP in a general sense to include access (e.g., rendering, display) control, and not merely copy control. If you don't like my use, then I can use the somewhat more general term DRM. The two cited EULAs state: > which reasonably > restricts access to Web Font Software from use in any way by web pages > or any document not originating from your Web Site and > reasonable state-of-the-art measures, that other websites cannot > access the Font Software for display Control of access is merely a specific type of content protection or DRM. Retarding the last, please show me an attack based on font access that SOR prevents. On Thu, Jun 30, 2011 at 3:13 PM, Levantovsky, Vladimir < Vladimir.Levantovsky@monotypeimaging.com> wrote: > Glenn,**** > > ** ** > > Have you had any chance to do what you were planning to do last week? ( > http://lists.w3.org/Archives/Public/www-font/2011AprJun/0123.html)**** > > If you had, you should have realized that same origin restriction has ** > nothing** to do with content protection. You can always type a URL of any > font resource in your browser and download the file, no questions asked and > no strings attached. Rip a font, use it on your computer, serve it from your > own server – there are no technical measures that would prevent any of this > – how can this possibly be even considered a content protection? **** > > ** ** > > The only thing that SOR doesn’t let you do is to hot-link to a resource > that is hosted on someone else’s website – with same origin restriction in > place you would need to have the author of that website to allow you to link > their resources. As of right now (with no SOR in place – you can do it > easily leeching the bandwidth someone else is paying for, and opening up all > sorts of holes for an attack (which is what John Daggett and ROC pointed out > on many occasions.**** > > ** ** > > Regards,**** > > Vlad**** > > ** ** > > ** ** > > *From:* Glenn Adams [mailto:glenn@skynav.com] > *Sent:* Thursday, June 30, 2011 4:42 PM > *To:* John Daggett > *Cc:* John Hudson; Levantovsky, Vladimir; liam@w3.org; > StyleBeyondthePunchedCard; public-webfonts-wg@w3.org; www-font@w3.org; > Martin J.; Sylvain Galineau > > *Subject:* Re: css3-fonts: should not dictate usage policy with respect to > origin**** > > ** ** > > So, as I've previously said, this is only about content protection > mechanisms and their enforcement. There is no security risk on the part of > the end user (viewer of content rendered with web fonts) that is at stake > here.**** > > ** ** > > On Thu, Jun 30, 2011 at 2:09 PM, John Daggett <jdaggett@mozilla.com> > wrote:**** > > Glenn Adams wrote: > > > So, there is no end-user risk that is being addressed here other than > > the hypothetical case of violating an EULA? Is that really what all > > this noise is about?**** > > No Glenn, this is an information leakage issue, it allows for the > contents of a font, the glyph data, to be transmitted beyond the > boundaries specified by an *author* (for example, on an access-limited > site), not just beyond what is allowed by some form of licensing.**** > > > > Could you send me or point me at a EULA for which SOR on fonts is > > relevant?**** > > Ascender (Microsoft distributes their fonts via Ascender) > > From their Web Fonts EULA: > http://www.fontslive.com/info/web-fonts-eula.aspx > > > 11. “Web Site” as used herein shall be the web site identified by you > > in your account at ascenderfonts.com; (i) which utilizes the Ascender > > hosted Web Font Software in its web pages through the use of the > > Services, (ii) which does not in any way enable the permanent > > installation of the Web Font Software by End-Users on any workstation, > > computer and other electronic device, and (iii) which reasonably > > restricts access to Web Font Software from use in any way by web pages > > or any document not originating from your Web Site (For example; by > > using referrer checking to prevent hotlinking or deeplinking). > > FontFont > > From their Web Fonts EULA: > http://www.fontshop.com/licenses/fontfont/ > > > 2.3. Font Software File Protection. You must ensure, by applying > > reasonable state-of-the-art measures, that other websites cannot > > access the Font Software for display (e. g. by preventing hotlinking > > and blocking direct access to the Font Software via .htaccess or other > > web server configurations).**** > > ** ** >
Received on Thursday, 30 June 2011 21:24:47 UTC