RE: css3-fonts: should not dictate usage policy with respect to origin

Exploitable information leakage is a security and privacy concern. Licensing and content protection are not the concern.

From: Glenn Adams
Sent: Thursday, June 30, 2011 1:46 PM
To: John Daggett
Cc: John Hudson; Vladimir Levantovsky; StyleBeyondthePunchedCard; Martin J.; Sylvain Galineau
Subject: Re: css3-fonts: should not dictate usage policy with respect to origin

Or to rephrase, this has nothing to do with security at all, only with the enforcement of business terms.
On Thu, Jun 30, 2011 at 2:42 PM, Glenn Adams wrote:
So, as I've previously said, this is only about content protection mechanisms and their enforcement. There is no security risk on the part of the end user (viewer of content rendered with web fonts) that is at stake here.

On Thu, Jun 30, 2011 at 2:09 PM, John Daggett wrote:
Glenn Adams wrote:

> So, there is no end-user risk that is being addressed here other than
> the hypothetical case of violating an EULA? Is that really what all
> this noise is about?
No, Glenn, this is an information leakage issue; it allows for the
contents of a font, the glyph data, to be transmitted beyond the
boundaries specified by an *author* (for example, on an access-limited
site), not just beyond what is allowed by some form of licensing.

> Could you send me or point me at a EULA for which SOR on fonts is
> relevant?
Ascender (Microsoft distributes their fonts via Ascender)

From their Web Fonts EULA:

> 11. “Web Site” as used herein shall be the web site identified by you
> in your account at<>; (i) which utilizes the Ascender
> hosted Web Font Software in its web pages through the use of the
> Services, (ii) which does not in any way enable the permanent
> installation of the Web Font Software by End-Users on any workstation,
> computer and other electronic device, and (iii) which reasonably
> restricts access to Web Font Software from use in any way by web pages
> or any document not originating from your Web Site (For example; by
> using referrer checking to prevent hotlinking or deeplinking).


From their Web Fonts EULA:

> 2.3. Font Software File Protection. You must ensure, by applying
> reasonable state-of-the-art measures, that other websites cannot
> access the Font Software for display (e. g. by preventing hotlinking
> and blocking direct access to the Font Software via .htaccess or other
> web server configurations).

Received on Thursday, 30 June 2011 20:56:37 UTC