TYPE DESIGN INFORMATION PAGE last updated on Thu Nov 23 13:42:56 EST 2023






WOFF: Opinion from Mozilla

October 2009. I was given permission by John Daggett and Jonathan Kew from Mozilla to post this piece on my web site---it was in response to something I wrote earlier, and clarifies the situation.

The tool for making woff2ttf is trivial, a novice Python/Perl programmer could write it in a couple hours. Most font designers involved in discussions on www-font realize this, they're more concerned about trivial piracy where someone simply copies a font on a webpage to their fonts folder. I've repeatedly said that the difference between that and an obfuscated format is trivial but that example *always* comes up in discussions. For us, WOFF is compressed so it does offer some advantages (nothing HTTP compression couldn't solve) and there is ability to decompress on a per-table basis so that a font is only decompressed under certain conditions.

Here's an interesting description of the state of things that a coworker wrote, I think it sums up things nicely:

After all the debate about font piracy (by other web sites and by
users), I'm surprised the font creators were happy with a format that
gives only creator *information* and minimal obfuscation. Did
something change?

Some font creators would still prefer stronger "DRM-like" protection of some kind, but I think most have accepted that this is not going to happen in an open-standards Web, and even that it's not technically feasible: if the fonts can be used at all on the user's computer, they can also be pirated (so it's not just that the free browser developers are being obstinate!).

For the most part, though, the vendors' position was that they wanted a distinct format that would differentiate "web fonts" from "desktop fonts", and make the act of taking a web font and installing it for local desktop use something that involves a deliberate act of conversion to circumvent this distinction. The common analogy was a "garden fence": it doesn't keep out a deliberate intruder, but it indicates the boundary of the property, so that a passer-by is aware that stepping over it may constitute an act of trespass.

The other key factor is the expectation (it's not part of the WOFF spec as such, but of how browsers are expected to implement it -- eventually part of a W3C recommendation around @font-face, most likely) that same-origin controls will be used to prevent cross-site linking, both for licensing and bandwidth concerns, except where a font-hosting site makes a deliberate choice to permit it (e.g., fontlibrary.org).

In general, the vendors seem to have accepted that browsers will not be agents of license enforcement for them. By supporting a distinct web-only format (i.e. WOFF files won't "just work" if you drag them from the browser's cache to your Fonts folder), and allowing them to attach metadata to the files, we're giving them a model where they feel the threat of rampant, often unconscious, piracy is reduced, and where they have some possibility of tracking abuse if they wish (e.g., a vendor could easily "watermark" the WOFF files they deliver to customers, and use a web crawler to look for copies being used by others). They realize that there's no ironclad protection, but we're giving them a compromise -- a level of risk -- they feel they can live with.

MyFonts search
Monotype search
Fontspring search
Google search

Web fonts ⦿

Luc Devroye ⦿ School of Computer Science ⦿ McGill University Montreal, Canada H3A 2K6 ⦿ lucdevroye@gmail.com ⦿ http://luc.devroye.org ⦿ http://luc.devroye.org/fonts.html