How to protect WebFonts [closed]

Tags: fonts, webfonts

I have a client that wants to host his webfonts on his own server. I have a fonts.com account where the font was hosted until now. I went through the fonts.com agreement (Point 18), where they say that you can host files on your own server, but you have to protect them as well as possible.

The only way I can think of doing so, is by restricting the requests on those files with HTTP_REFERER in the .htaccess.

Can I do more to protect those fonts? Does it make any sense to do more, and do you think that it is sufficient protection?

I don't personally believe in technical copy protection; you can always copy what you can see somehow. But I don't want my client to get into legal trouble. Do you have any experience with this?

Edit:

I'm interested in the legal aspect as well. What can happen if someone can download the font and reuse it? Do they mean I have to protect the font only from hot-linking, or from downloading as well?

meo asked Jun 29 '11 15:06


2 Answers

HTTP_REFERER and USER_AGENT can easily be spoofed. That being said, if you want to prevent hot linking, then HTTP_REFERER is a good start to restrict it to calls from your own application.

With Apache mod_security:

SecFilterSelective "HTTP_REFERER" "^[^\?]*mydomain\.com"

Adding the above to the directory with the fonts will reject all non-compliant requests from other sites.

For additional security, when someone uses your app, you give them a session on the server (in say PHP), and you store a uniqueId there.

<?php
// #header.php - in the head of the page that uses the font
// ...
session_start(); // the session must be started before $_SESSION can be read or written
if( !isset( $_SESSION['uniqueId'] ) ) {
    // rand() is not a cryptographic source; on PHP 7+ random_int() gives an unpredictable id
    $_SESSION['uniqueId'] = rand( pow(2,16), pow(2,31) );
}
$uniqueId = $_SESSION['uniqueId'];

echo '<script type="text/javascript" src="http://foo.com/getFont.php?u='.$uniqueId.'"></script>';
?>

And this serves the font.

<?php
// #getFont.php - serve your fonts from here
// ...
session_start(); // resume the same session header.php created
// strict string comparison: the loose != would accept e.g. "123abc" for 123 on older PHP
if( !isset( $_GET['u'] ) || !isset( $_SESSION['uniqueId'] ) || (string)$_SESSION['uniqueId'] !== $_GET['u'] ) {
    die('Bad Request');
}

// cat out the file contents here for the requested font file
// (placeholder file name; keep the path fixed rather than building it from request input)
header('Content-Type: font/woff');
readfile(__DIR__ . '/fonts/example.woff');
?>

Then, you refer to a dynamic page for your font (say getFont.php?uniqueId=foo), and you only return the font file if the uniqueId matches their session; otherwise you assume it is a spoofed-referer hot link. This is essentially the same as placing the file in an authenticated-users-only directory, but that would only work if the users had logged in, while the above method simply requires the user to load the page before they load the font, to prevent hot links.

Joseph Lust answered Sep 20 '22 23:09


See https://bugzilla.mozilla.org/show_bug.cgi?id=540859

Apparently approved by FontShop (last comment) and suggested by MyFonts (http://twitter.com/#!/MyFonts/status/98767132321521664).

EDIT: I guess it's the solution mentioned in comment 26:

RewriteCond "%{HTTP_HOST}_%{HTTP_REFERER}" "!\.?([^\.]+\.[^\.]+?)_https?://.*\1/.*$"
RewriteRule \.(woff|eot)$ - [F,NC,L]
backflip answered Sep 22 '22 23:09
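Both answers' checks reimplemented in Python so they can be tried offline (an added example, not code from either answer): backflip's RewriteCond pattern applied the way Apache applies it (unanchored search on "HTTP_HOST_HTTP_REFERER", rule fires when it does not match), and Joseph Lust's session-bound token check with a strict comparison. The function names, the token source and the sample hosts are assumptions.

```python
import hmac
import re
import secrets

# backflip's RewriteCond pattern, copied as-is. Apache tests it (unanchored,
# like re.search) against the string "<HTTP_HOST>_<HTTP_REFERER>", and the
# leading "!" in the RewriteCond means the rule forbids the request when the
# pattern does NOT match.
REFERER_PATTERN = re.compile(r"\.?([^\.]+\.[^\.]+?)_https?://.*\1/.*$")


def referer_rule_forbids(http_host: str, http_referer: str) -> bool:
    """True when the RewriteRule would answer 403 for a .woff/.eot request."""
    subject = f"{http_host}_{http_referer}"
    return REFERER_PATTERN.search(subject) is None


def issue_font_token(session: dict) -> str:
    """header.php step from Joseph Lust's answer: bind an id to the session.
    secrets.token_urlsafe stands in for the answer's rand() (assumption)."""
    if "uniqueId" not in session:
        session["uniqueId"] = secrets.token_urlsafe(16)
    return session["uniqueId"]


def font_request_allowed(session: dict, query: dict) -> bool:
    """getFont.php check from the same answer, with a constant-time string
    comparison instead of the loose != in the original."""
    expected = session.get("uniqueId")
    presented = query.get("u")
    if not isinstance(expected, str) or not isinstance(presented, str):
        return False  # no session token, or a non-string value from the query parser
    return hmac.compare_digest(expected.encode(), presented.encode())


if __name__ == "__main__":
    # Constructed sample requests for a site served as www.example.com.
    for referer in ("http://www.example.com/page.html", "https://other.org/blog", ""):
        verdict = "forbidden" if referer_rule_forbids("www.example.com", referer) else "served"
        print(repr(referer), "->", verdict)
    session = {}
    token = issue_font_token(session)
    print("own token:", font_request_allowed(session, {"u": token}))
    print("foreign token:", font_request_allowed(session, {"u": "guess"}))
```

Note that the rewrite condition also forbids requests that carry no Referer at all, which is what visitors using referrer-stripping browser settings or privacy extensions will send.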