Re: css3-fonts: should not dictate usage policy with respect to origin

On Fri, 01 Jul 2011 05:42:16 +0900, Glenn Adams <glenn@skynav.com> wrote:

> So, as I've previously said, this is only about content protection
> mechanisms and their enforcement. There is no security risk on the part of
> the end user (viewer of content rendered with web fonts) that is at stake
> here.

DRM tries to prevent a person, who can get access to a certain resource,
from using it in non-approved ways. What we are discussing here is not that.
We are trying to prevent malicious web site authors from getting hold of
font data hosted on other web sites that they do not personally have access
to, through a visitor of their web site who has that access.

Imagine the following situation:
- evil-hacker.com wants to know if its visitors are logged into
   nice.company.com
- nice.company.com has a certain font that they use to make their UI
   pretty, and that they will only serve you if you have a cookie that
   proves you are logged in
- evil-hacker.com uses @font-face to load
   http://nice.company.com/nicefont.woff
- evil-hacker.com has a piece of script that checks (using tricks
   mentioned by Tab and Boris) whether or not the font was loaded
- an innocent user, who is logged into nice.company.com, visits
   evil-hacker.com

If we have either SOR or From-Origin turned on for that font,
evil-hacker.com will always fail to load that font, and they can't tell
whether you are logged in or not. If we don't, they will be able to know.

Here is a different scenario:
- Someone who works on a font and who has not released it yet considers
   the font data to be private information
- That person hosts his font on an intranet server that does not have
   a public IP
- An evil competitor learns about the existence of that font in
   development, and of the private url it is hosted at
- The evil competitor sets up traps on the various web sites (maybe
   through ads): load the font from the private url with @font-face, and
   extract the glyph data (using tricks mentioned by Tab and Boris)
- The font designer, using a computer inside his intranet, visits one of
   the trapped websites with a browser that supports @font-face
     => His secret font is leaked.

These are privacy concerns, not IPR issues.

    - Florian

Say a certain user is logged into gmail (just an example)

> On Thu, Jun 30, 2011 at 2:09 PM, John Daggett <jdaggett@mozilla.com> wrote:
>
>> Glenn Adams wrote:
>>
>> > So, there is no end-user risk that is being addressed here other than
>> > the hypothetical case of violating an EULA? Is that really what all
>> > this noise is about?
>>
>> No Glenn, this is an information leakage issue, it allows for the
>> contents of a font, the glyph data, to be transmitted beyond the
>> boundaries specified by an *author* (for example, on an access-limited
>> site), not just beyond what is allowed by some form of licensing.
>>
>> > Could you send me or point me at a EULA for which SOR on fonts is
>> > relevant?
>>
>> Ascender (Microsoft distributes their fonts via Ascender)
>>
>> From their Web Fonts EULA:
>> http://www.fontslive.com/info/web-fonts-eula.aspx
>>
>> > 11. “Web Site” as used herein shall be the web site identified by you
>> > in your account at ascenderfonts.com; (i) which utilizes the Ascender
>> > hosted Web Font Software in its web pages through the use of the
>> > Services, (ii) which does not in any way enable the permanent
>> > installation of the Web Font Software by End-Users on any workstation,
>> > computer and other electronic device, and (iii) which reasonably
>> > restricts access to Web Font Software from use in any way by web pages
>> > or any document not originating from your Web Site (For example; by
>> > using referrer checking to prevent hotlinking or deeplinking).
>>
>> FontFont
>>
>> From their Web Fonts EULA:
>> http://www.fontshop.com/licenses/fontfont/
>>
>> > 2.3. Font Software File Protection. You must ensure, by applying
>> > reasonable state-of-the-art measures, that other websites cannot
>> > access the Font Software for display (e. g. by preventing hotlinking
>> > and blocking direct access to the Font Software via .htaccess or other
>> > web server configurations).

Received on Friday, 1 July 2011 03:42:08 UTC
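
The first scenario in the message above, modelled as an added example (not part of the original email or of any browser's code): it shows that once font use is restricted to the same origin, the result the embedding page sees no longer depends on the visitor's login state. The cookie value, the `restricted` flag (standing in for "SOR or From-Origin turned on") and all function names are assumptions made for illustration.

```javascript
// Added illustration; hosts come from the message, everything else is constructed.
const FONT_URL = "http://nice.company.com/nicefont.woff";

// Two URLs share an origin when scheme, host and port all match.
// URL.origin serializes exactly that triple (default ports are normalized).
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Model of nice.company.com: the font is served only when the request
// carries a cookie proving the user is logged in (constructed cookie value).
function fontServer(request) {
  const loggedIn = request.cookies.includes("session=valid");
  return loggedIn ? { status: 200 } : { status: 403 };
}

// Model of the browser handling an @font-face rule in `documentUrl`.
// With `restricted` on, a cross-origin font is never made usable,
// whatever the server answered, so the outcome is constant for the embedder.
function fontUsable(documentUrl, fontUrl, cookies, restricted) {
  const response = fontServer({ url: fontUrl, cookies });
  if (restricted && !sameOrigin(documentUrl, fontUrl)) return false;
  return response.status === 200;
}

// Does "font usable or not" differ between a logged-in and a logged-out
// visitor of `documentUrl`? If it does, that page has a login-state signal.
function outcomeDependsOnLogin(documentUrl, fontUrl, restricted) {
  const whenLoggedIn = fontUsable(documentUrl, fontUrl, ["session=valid"], restricted);
  const whenLoggedOut = fontUsable(documentUrl, fontUrl, [], restricted);
  return whenLoggedIn !== whenLoggedOut;
}

const embedder = "http://evil-hacker.com/page.html";
console.log("unrestricted:", outcomeDependsOnLogin(embedder, FONT_URL, false));
console.log("restricted:  ", outcomeDependsOnLogin(embedder, FONT_URL, true));
```

The font's own site is unaffected by the restriction: a page on nice.company.com still gets the font for a logged-in user.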