
I have a client that wants to host his webfonts on his own server. I have a fonts.com account where the font was hosted until now. I went through the fonts.com agreement (Point 18.), where they say that you can host files on your own server, but you have to protect them as well as possible.

The only way I can think of doing so is by restricting the requests on those files with HTTP_REFERER in the .htaccess.

Can I do more to protect those fonts? Does it make any sense to do more, and do you think that it is sufficient protection?

I don't personally believe in technical copy protection; you can always copy what you can see somehow. But I don't want my client to get into legal trouble. Do you have any experience with this?

EDIT:

I'm interested in the legal aspect as well. What can happen if someone can download the font and reuse it? Do they mean I have to protect the font only from hot-linking, or from downloading as well?

durron597
meo
    I'm voting to close this question as off-topic because it is about legal advice, not programming advice. – durron597 May 28 '15 at 02:19
  • @durron597 4 years after its creation, whatever :D The legal aspect is only the bonus question. In reality it's about the technical side. What can I do to make this more clear? – meo Nov 19 '15 at 11:11

5 Answers


HTTP_REFERER and USER_AGENT can easily be spoofed. That being said, if you want to prevent hot linking, then HTTP_REFERER is a good start to restrict it to calls from your own application.

With Apache mod_security

SecFilterSelective "HTTP_REFERER" "^[^\?]*mydomain\.com"

Adding the above to the directory with the fonts will reject all non-compliant requests from other sites.

For additional security, when someone uses your app, you give them a session on the server (in say PHP), and you store a uniqueId there.

<?php
// #header.php - in the head of the page that uses the font
session_start();   // $_SESSION is only available after the session has been started
if( !isset( $_SESSION['uniqueId'] ) ) {
    $_SESSION['uniqueId'] = rand( pow(2,16), pow(2,31) );
}
$uniqueId = $_SESSION['uniqueId'];

// A font is referenced from CSS, so emit an @font-face rule that points at the gate-keeping script
echo '<style>@font-face { font-family: "MyFont"; src: url("http://foo.com/getFont.php?u='.$uniqueId.'"); }</style>';
?>

And this serves the font.

<?php
// #getFont.php - serve your fonts from here
session_start();   // same session cookie as header.php
if( !isset( $_GET['u'] ) || !isset( $_SESSION['uniqueId'] ) || $_SESSION['uniqueId'] != (int)$_GET['u'] ) {
    header('HTTP/1.1 403 Forbidden');
    die('Bad Request');
}

// Send the font file itself (example path: keep the file outside the document root so only this script can reach it)
header('Content-Type: font/woff');
readfile( dirname(__FILE__).'/../private-fonts/myfont.woff' );
?>

Then, you refer to a dynamic page for your font (say getFont.php?uniqueId=foo), and you only return the font file if the uniqueId matches their session; otherwise you assume it is a spoofed referer hot link. This is essentially the same as placing the file in an authenticated-users-only directory, but that would only work if the users had logged in, while the above method simply requires the user to load the page before they load the font, to prevent hot links.

Joseph Lust
  • this is not answering my question. I want to know what can be done. – meo Jun 29 '11 at 15:58
  • You asked if this approach makes sense, I agreed. Using a module like *mod_security* and applying a filter like 'SecFilterSelective "HTTP_REFERER" "^[^\?]*mydomain\.com"' to the directory with the fonts will reject all non-compliant requests from other sites. – Joseph Lust Jun 29 '11 at 16:20
  • yeah but you talk about a good start, so what's next? :) – meo Jun 29 '11 at 16:26
  • When someone uses your app, you give them a session on the server (in say PHP), and you store a uniqueId there. Then, you refer to a dynamic page for your font (say getFont.php?uniqueId=foo), and you only return the font file if the uniqueId matches their session, otherwise you assume it is a spoofed referer hot link. This is essentially the same as placing the file in an authenticated user only directory, but that would only work if the users had logged in, while the above method simply requires the user to load the page before they load the font, to prevent hot links. – Joseph Lust Jun 29 '11 at 17:10
  • ah nice, if you put this in your answer you get a +1 at least. – meo Jun 29 '11 at 17:23
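The session-bound token gate that the answer above describes, written out as an added Python example (not the answer's PHP and not fonts.com's code). It keeps the answer's three hurdles in order: a Referer check, a per-visitor token that must match the server-side session, and a fixed table of font names so no user input ever reaches the filesystem. The host names, font names and font bytes are constructed for the example; the token uses a CSPRNG where the answer used rand().

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed stand-ins for the real font files (the answer reads them from disk).
FONTS = {
    "myfont.woff": (b"wOFF\x00\x01\x00\x00 constructed woff bytes", "font/woff"),
    "myfont.eot": (b"constructed eot bytes", "application/vnd.ms-fontobject"),
}

# Assumption: the client's site lives on these hosts.
ALLOWED_REFERER_HOSTS = {"example.com", "www.example.com"}


def new_session():
    """Run when the page is rendered: create the per-visitor token the answer calls uniqueId.
    The token is what the font URL carries, so it must be unguessable (CSPRNG, not rand())."""
    return {"uniqueId": secrets.token_urlsafe(16)}


def font_face_css(session, font_name, family="MyFont"):
    """The @font-face rule the page's <head> emits; a font is referenced from CSS, not a <script> tag.
    Only the token travels in the URL; the session itself stays in the cookie."""
    return ("@font-face { font-family: '%s'; src: url('/getFont?u=%s&f=%s'); }"
            % (family, session["uniqueId"], font_name))


def referer_allowed(headers):
    """Hurdle 1: Referer check. Cheap, defeats naive hot-linking, trivially spoofed with curl."""
    return urlsplit(headers.get("Referer", "")).hostname in ALLOWED_REFERER_HOSTS


def get_font(query, session, headers):
    """Server side of getFont: returns (status, content_type, body).

    query   - parsed query string, e.g. {"u": token, "f": "myfont.woff"}
    session - this visitor's server-side session, or None when no session cookie was sent
    headers - request headers
    """
    if not referer_allowed(headers):
        return 403, "text/plain", b"Forbidden"

    # Hurdle 2: the token must equal the one stored in *this* visitor's session, so a
    # copied <style> block on another site yields 403: that visitor has no session here.
    if not session or "uniqueId" not in session:
        return 403, "text/plain", b"Forbidden"
    presented = str(query.get("u", "")).encode()
    if not hmac.compare_digest(session["uniqueId"].encode(), presented):
        return 403, "text/plain", b"Forbidden"

    # Hurdle 3: look the file up in a fixed table; never join user input onto a filesystem path.
    entry = FONTS.get(query.get("f", ""))
    if entry is None:
        return 404, "text/plain", b"Not Found"
    body, content_type = entry
    return 200, content_type, body


if __name__ == "__main__":
    s = new_session()
    print(font_face_css(s, "myfont.woff"))
    page = {"Referer": "https://www.example.com/page"}
    ok = get_font({"u": s["uniqueId"], "f": "myfont.woff"}, s, page)
    spoofed = get_font({"u": s["uniqueId"], "f": "myfont.woff"}, None, page)
    print(ok[0], spoofed[0])   # 200 403
```

Two properties worth noticing when you deploy this: anyone who legitimately loads the page gets a valid token for their own session, so the font is still downloadable by a visitor who wants it (this is a hot-link deterrent, in line with the "you can always copy what you can see" remark in the question, not DRM); and browsers can omit the Referer header entirely (Referrer-Policy, privacy extensions), so the first hurdle alone turns such visitors away.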

See https://bugzilla.mozilla.org/show_bug.cgi?id=540859

Apparently approved by FontShop (last comment) and suggested by MyFonts (http://twitter.com/#!/MyFonts/status/98767132321521664).

EDIT: I guess it's the solution mentioned in comment 26:

RewriteCond "%{HTTP_HOST}_%{HTTP_REFERER}" "!\.?([^\.]+\.[^\.]+?)_https?://.*\1/.*$"
RewriteRule \.(woff|eot)$ - [F,NC,L]
backflip
  • It's kinda hard to find the right post. If you can add the quote that is relevant to your answer, you get at least my +1 and maybe the right answer. – meo Aug 03 '11 at 16:36

You will find some interesting methods in the article by typekit : "Serving and Protecting Fonts on the Web"

They use methods like HTTP Referer checking, base64 encoding, and segmenting. However, none of these provide complete protection, and one has to concur with this statement from the article:

The fact is, for something to appear in a browser, it has to be on the web. If it’s on the web, it can’t be completely protected....We’ve put up a few hurdles of our own. Our intent is only to discourage casual misuse and to make it clear that taking fonts from Typekit is an explicit and intentional act.

The second thing to bear in mind is that the licensee can always disregard the agreement, and that is why companies like Adobe, which produces some of the most excellent fonts, state the usage terms, including for the web, on their Font licensing page.

See also the Font Licensing Issues discussed in the W3 CSS3 webfonts spec.

JJJ
vine'th

Not an expert on Apache, but we used this, and it seems to work well enough:

Options -Indexes
IndexIgnore *.woff *.eot
RewriteEngine On
# Referer must be our own site (http or https); an absent Referer is also rejected
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yoursite\.com/.* [NC]
RewriteCond %{REQUEST_URI} !hotlink\.(woff|eot) [NC]
# With [F] the substitution is ignored, so "-" is the conventional target
RewriteRule \.(woff|eot)$ - [NC,F,L]

Direct download leads to a 403, but the files can still be accessed via your own site's CSS.

AndreiG
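The two Referer-based rewrite rules on this page (backflip's generic RewriteCond from the Mozilla bug, and AndreiG's explicit yoursite.com rule above) are easy to get wrong at the edges, so here is an added Python example, not part of either answer, that applies the same regular expressions to Host/Referer/URI triples offline and returns the status Apache would send. The host names and paths are constructed for the example; "" stands for a request that carries no Referer header at all.

```python
import re

# backflip's rule from the Mozilla bug: the condition string is "HOST_REFERER"; the request is
# forbidden when the pattern does NOT match ('!'), i.e. when the Referer does not contain the
# last two labels of the Host followed by "/".
BACKFLIP_COND = re.compile(r"\.?([^\.]+\.[^\.]+?)_https?://.*\1/.*$")

# AndreiG's rule: forbidden when the Referer is not yoursite.com (http only, as written),
# unless the requested file is named hotlink.woff/hotlink.eot (second RewriteCond).
ANDREIG_REFERER = re.compile(r"^http://(www\.)?yoursite\.com/.*", re.IGNORECASE)
ANDREIG_EXEMPT = re.compile(r"hotlink\.(woff|eot)", re.IGNORECASE)

FONT_FILE = re.compile(r"\.(woff|eot)$", re.IGNORECASE)   # the RewriteRule pattern in both answers


def backflip_forbidden(host, referer):
    return BACKFLIP_COND.search("%s_%s" % (host, referer)) is None


def andreig_forbidden(referer, request_uri):
    # Both RewriteConds must hold for the RewriteRule (and its [F]) to fire.
    return ANDREIG_REFERER.match(referer) is None and ANDREIG_EXEMPT.search(request_uri) is None


def decide(rule, host, referer, request_uri):
    """HTTP status the chosen rule set yields for one request."""
    if FONT_FILE.search(request_uri) is None:
        return 200                      # the RewriteRule only covers .woff/.eot
    if rule == "backflip":
        forbidden = backflip_forbidden(host, referer)
    elif rule == "andreig":
        forbidden = andreig_forbidden(referer, request_uri)
    else:
        raise ValueError(rule)
    return 403 if forbidden else 200


if __name__ == "__main__":
    cases = [
        ("backflip", "example.com", "http://www.example.com/page", "/fonts/a.woff"),
        ("backflip", "example.com", "", "/fonts/a.woff"),
        ("backflip", "example.com", "http://evil.org/?r=example.com/", "/fonts/a.woff"),
        ("andreig", "yoursite.com", "https://www.yoursite.com/page", "/fonts/a.woff"),
    ]
    for case in cases:
        print(case, "->", decide(*case))
```

Running it shows three things a practitioner should know before copying either rule: both rules return 403 when the Referer is missing, which is exactly what browsers send under a no-referrer policy or with privacy extensions, so some legitimate visitors will get no font; AndreiG's rule as written only accepts http:// referers, so pages served over https get 403; and because backflip's pattern only requires the domain to appear somewhere after https?://, a referer such as http://evil.org/?r=example.com/ passes it, confirming the first answer's point that Referer checks are a hurdle rather than a lock.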

It's a mixed goal - protect the file from copying while giving everyone a copy of the file. Twisted Pear's answer is probably the best in terms of finding middle ground.

If you want to protect the file then render text into images on the server.

Legally you can invoke DMCA against sites which host your font file.

Tak
  • The only thing I want is to respect the fonts.com agreement without using images... what would be the interest in using web-fonts then... – meo Jul 03 '11 at 15:33