Re: Fonts WG Charter feedback from Tab Atkins Jr. on 2009-07-05 (www-font@w3.org from July to September 2009)

From: Tab Atkins Jr. <jackalmage@gmail.com>
Date: Sun, 5 Jul 2009 18:46:43 -0500
To: John Hudson <tiro@tiro.com>
Cc: Håkon Wium Lie <howcome@opera.com>, Tal Leming <tal@typesupply.com>, Thomas Lord <lord@emf.net>, Aryeh Gregor <Simetrical+w3c@gmail.com>, Chris Wilson <Chris.Wilson@microsoft.com>, Sylvain Galineau <sylvaing@microsoft.com>, "www-font@w3.org" <www-font@w3.org>
Message-ID: <dd0fbad0907051646p687900f3qad5a3bcdeb2c0b4c@mail.gmail.com>

On Sun, Jul 5, 2009 at 12:46 PM, John Hudson<tiro@tiro.com> wrote:
> Tab Atkins Jr. wrote:
>
>> Well, no, they don't *need* to be, especially if such a thing would
>> require excessive effort on the part of authors.  I understand that
>> font vendors don't want to spend the (significant) effort to track
>> down copyright infringers, but that doesn't mean that others should be
>> forced to do the work instead.
>
> I think you misunderstand me. I only expect authors (by which I take it you
> mean web publishers) to police their own use of fonts, i.e. to abide by the
> license terms. I don't expect them to police use of fonts by others except
> in the case, as with my clients, that they are also the owners of those
> fonts. What I'm saying is that if font vendors are going to police use of
> their fonts, then that policing has to be practical. Hence...
>
>> [Single-origin linking] is a nice benefit for us authors, as fonts can
>> potentially be widely reused on a variety of sites (unlike image
>> hotlinking, which is relatively benign - many images that are used in
>> the construction of a site are of little use outside of that site),
>> and we'd like to be able to prevent hotlinking as easily as possible.
>> It's neutral for font vendors.
>
> No, not neutral. If licensing policing is going to be the method by which
> font vendors defend against illegitimate use of their fonts, then it helps
> immensely to prevent hotlinking. Font vendors want to be able to identify
> who is using their fonts and whether those uses are legitimate.
> Single-origin linking seems to me a very necessary benefit for commercial
> font vendors and owners.

I'm not seeing how that helps in any way, though.  Let's look at two
situations, one with same-origin restrictions and one without.

1. Alice creates a site and purchases a font to use on it.  Bob sees
the font, likes it, and wants to use it on his own site.  Same-origin
restrictions are in place, though, so he looks at the stylesheet to
find where the font is located on the server, downloads it to his own
server, and links to his copy in his stylesheet.

2. Alice creates a site and purchases a font to use on it.  Bob sees
the font, likes it, and wants to use it on his own site.  Since there
are no same-origin restriction, he looks at the stylesheet to find
where the font is located on the server, then links to Alice's server
in his stylesheet.

In both situations, Bob gets to use the font.  Same-origin
restrictions don't stop that in any way.  All they do is make
hotlinking ineffective, so Bob can't be a jerk and drain Alice's
bandwidth (well, he *can*, but he won't gain any benefit from it).  In
order to actually stop Bob from using the font, Alice has to check the
Referer or Origin header of each request on the server, neither of
which depend on same-origin restrictions.  That still doesn't offer
perfect protection, but it at least prevents Bob from just entering
the font's url into his browser to download it - he has to either
spoof his Referer/Origin or use other means to get the font, such as
diving into the browser's cache.

So, as far as I understand, same-origin restrictions are purely a
benefit for authors.  The only way it can benefit font foundries is
that with same-origin restrictions in place Bob has to do one
additional step (download the font file from Alice's server to his
own).  This extra step is trivial, but it may of course be part of the
'garden fence' concept that some foundries are okay with.

> Let me put it another way: if you want a format to which font vendors or
> custom font publishers will sign up, single-origin linking probably has to
> be a feature.

I've got no problem with that - I would also prefer that any format
use same-origin restrictions.  I'm just saying that it gives no direct
benefit to foundries.

> I look at the web font proposals in terms of 'Would I recommend this to my
> clients, who are both font owners and web publishers?' Single-origin linking
> is the best carrot I've seen so far.

That's great if such a benign aspect goes over so well with foundries.
 I fear, though, that perhaps you're saying "single-origin linking"
and they're hearing "single-origin *use*".  The font can still be
easily downloaded and used on other domains.

(Rootstrings, which are functionally identical to same-origin
restrictions, in this case add one further (still trivial) step to the
process.  After downloading the font, Bob has to pass it through WEFT
(or whatever future tool exists to handle the format in question) and
change the rootstring to his own domain.  This process still has to be
trivial and legal, as legitimate buyers of the font may need to move
the fonts between test and production domains.  So the rootstring adds
one more sign to the garden gate, at the expense of making it slightly
harder for legitimate buyers to use the font.)

Having said all this, though, perhaps I should shut up, as it's in my
best interests for such an uncontroversial aspect to make font
foundries extra-happy.  ^_^

~TJ

Received on Sunday, 5 July 2009 23:47:38 UTC