RE: css3-fonts: should not dictate usage policy with respect to origin


Have you had any chance to do what you were planning to do last week? (
If you had, you should have realized that same origin restriction has *nothing* to do with content protection. You can always type a URL of any font resource in your browser and download the file, no questions asked and no strings attached. Rip a font, use it on your computer, serve it from your own server – there are no technical measures that would prevent any of this – how can this possibly be even considered a content protection?

The only thing that SOR doesn’t let you do is to hot-link to a resource that is hosted on someone else’s website – with same origin restriction in place you would need to have the author of that website to allow you to link their resources. As of right now (with no SOR in place – you can do it easily leeching the bandwidth someone else is paying for, and opening up all sorts of holes for an attack (which is what John Daggett and ROC pointed out on many occasions.


From: Glenn Adams []
Sent: Thursday, June 30, 2011 4:42 PM
To: John Daggett
Cc: John Hudson; Levantovsky, Vladimir;; StyleBeyondthePunchedCard;;; Martin J.; Sylvain Galineau
Subject: Re: css3-fonts: should not dictate usage policy with respect to origin

So, as I've previously said, this is only about content protection mechanisms and their enforcement. There is no security risk on the part of the end user (viewer of content rendered with web fonts) that is at stake here.

On Thu, Jun 30, 2011 at 2:09 PM, John Daggett <<>> wrote:
Glenn Adams wrote:

> So, there is no end-user risk that is being addressed here other than
> the hypothetical case of violating an EULA? Is that really what all
> this noise is about?
No Glenn, this is an information leakage issue, it allows for the
contents of a font, the glyph data, to be transmitted beyond the
boundaries specified by an *author* (for example, on an access-limited
site), not just beyond what is allowed by some form of licensing.

> Could you send me or point me at a EULA for which SOR on fonts is
> relevant?
Ascender (Microsoft distributes their fonts via Ascender)

From their Web Fonts EULA:

> 11. “Web Site” as used herein shall be the web site identified by you
> in your account at<>; (i) which utilizes the Ascender
> hosted Web Font Software in its web pages through the use of the
> Services, (ii) which does not in any way enable the permanent
> installation of the Web Font Software by End-Users on any workstation,
> computer and other electronic device, and (iii) which reasonably
> restricts access to Web Font Software from use in any way by web pages
> or any document not originating from your Web Site (For example; by
> using referrer checking to prevent hotlinking or deeplinking).


From their Web Fonts EULA:

> 2.3. Font Software File Protection. You must ensure, by applying
> reasonable state-of-the-art measures, that other websites cannot
> access the Font Software for display (e. g. by preventing hotlinking
> and blocking direct access to the Font Software via .htaccess or other
> web server configurations).

Received on Thursday, 30 June 2011 21:13:39 UTC