
It's also incredibly risky for advertising and marketing campaigns.

I had one client that started getting their product catalog scraped aggressively, and the invoice for their licensed font usage that month was an order of magnitude higher than they expected (low six figures, vs. low five figures).

They slapped the site behind an aggressively configured enterprise WAF[1] in response to that bill specifically. It made for an abrasive visitor experience, fundamentally broke server logging data (due to header mangling), and constantly broke third party integrations.

It was such a pain to service the client that I ended up convincing their network security team to let me pilot Cloudflare in front of the WAF (that they insisted remain). Ended up using a Worker function to tidy up after the janky WAF header mangling, got them to remove the explicit challenge page, and just swapped out the licensed font for a generic/free one for suspicious activity.

All because of that stupid pageview based font licensing model and its susceptibility to abuse.

[1] https://en.wikipedia.org/wiki/Web_application_firewall



>I had one client that started getting their product catalog scraped aggressively, and the invoice for their licensed font usage that month was an order of magnitude higher than they expected (low six figures, vs. low five figures).

So, my corporate dirty tricks campaign company could offer to make your competitors' advertising costs go through the roof if I find they've been using the wrong fonts?!?

> Ended up using a Worker function to tidy up after the janky WAF header mangling, got them to remove the explicit challenge page, and just swapped out the licensed font for a generic/free one for suspicious activity.

So if companies experience expensive font download attacks I can send them a reasonably priced offer for consulting services to fix this problem!?!

'but what about ethics'

grrrr, I hate that good angel.


I assume the parent comment meant non-Webfont applications, i.e. for static assets (print or raster/vector digital)


If one is going through those lengths to influence a page view counter, couldn’t one just report a different number?

What did the WAF even do?


In the case of the font foundry my client was licensing from,

‣ You were not allowed to self-host the font files, and had to load them directly from the hosting URL provided by the font foundry

‣ There was no explicit reporting involved. Every time the font resource was downloaded from their server, the foundry counted that as a licensed pageview.

‣ The foundry used cache control headers[1] on the response, so that every page load required contacting their origin server and could be logged for billing purposes.

‣ The foundry sent an invoice, telling you what your usage was. If your resource download/pageview count was within your contractual limit, you're invoiced your base rate. If your pageview count was above your contractual rate, you pay your base rate + whatever your overage cost was.

The WAF did a bunch of stuff, but the primary headache was that they enabled challenge pages[2] for every single visitor as a knee-jerk reaction, with a ridiculously low validity timeframe. So every user got hit with an interstitial JavaScript challenge page on first pageload, and if they stuck around for just a bit they'd get hit with another one out of nowhere. And that "other one" could easily be on a background resource load rather than the primary page itself, which would just hang. And the way the interstitial page loaded the final content for traffic that "passed the test" obliterated referral information and made it impossible to make heads or tails of your traffic data.

The intent being that automated traffic wouldn't get past the WAF and would never load the actual destination page, and by extension the precious font files. But the way it operated had a lot of nasty side effects that caused a never-ending stream of technical problems, in addition to just being a terrible user experience.

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Ca...

[2] https://www.imperva.com/blog/how-incapsula-client-classifica...
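The mitigation described further up the thread (an edge function that serves a generic font to suspicious traffic instead of the metered, foundry-hosted one) and the billing mechanics laid out in this comment can be put together in a small Worker-style handler. The code below is an added example written for this page; it is not the commenter's Worker, nor Cloudflare's or any foundry's code. The foundry host, font URL, user-agent patterns, bot-score threshold and sample responses are all constructed for illustration, and the origin fetch is synchronous here so it runs stand-alone (a real Worker would `await fetch(request)`).

```javascript
// Added example (not from the thread): a Worker-style handler that serves a
// free fallback font to requests that look automated, so scraping cannot run
// up a pageview-metered font invoice. Every name, URL and heuristic below is
// constructed for illustration; real deployments use the edge platform's bot
// score rather than the crude signals shown here.

// Placeholder for the foundry that bills per download of this file.
const FOUNDRY_HOST = 'fonts.example-foundry.test';
const LICENSED_FONT_URL = `https://${FOUNDRY_HOST}/brand-sans.woff2`;

// Illustrative request-level signals of automation (constructed list).
const AUTOMATION_UA = /\b(bot|crawler|spider|scrapy|python-requests|curl|wget|httpclient)\b/i;

// Decide whether a request should get the metered font. botScore stands in
// for a platform-supplied score on an assumed 1..99 scale (low = automated).
function isSuspicious(headers, botScore = null) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const ua = h['user-agent'] || '';
  if (botScore !== null && botScore < 30) return true;
  if (ua === '' || AUTOMATION_UA.test(ua)) return true;
  if (!h['accept-language']) return true; // browsers send this; many scrapers do not
  return false;
}

// Why each visit is billable: these Cache-Control directives make every page
// load refetch or revalidate the font against the foundry's origin, where it
// is logged. (Simplified: stale-while-revalidate and friends are ignored.)
function forcesOriginContact(cacheControl) {
  const directives = (cacheControl || '').toLowerCase().split(',').map(d => d.trim());
  return directives.some(d => d === 'no-store' || d === 'no-cache' || d === 'max-age=0');
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Rewrite a stylesheet so the brand family name still resolves, but to a
// locally installed face instead of the metered download.
function swapLicensedFont(css) {
  const src = new RegExp(
    `url\\((["']?)${escapeRegExp(LICENSED_FONT_URL)}\\1\\)(\\s*format\\([^)]*\\))?`, 'g');
  return css.replace(src, 'local("Arial"), local("Helvetica")');
}

// Drop <link> tags that would pull a stylesheet (and thus the font) from the foundry.
function dropFoundryLinks(html) {
  const link = new RegExp(
    `<link\\b[^>]*href=(["'])https?://${escapeRegExp(FOUNDRY_HOST)}/[^"']*\\1[^>]*>`, 'gi');
  return html.replace(link, '<!-- foundry stylesheet withheld for suspicious traffic -->');
}

// Worker-style entry point. `request` is {url, headers}; `fetchOrigin` stands
// in for fetch() against the customer's own origin and returns
// {status, headers, body}. Legitimate traffic is passed through untouched.
function handleRequest(request, fetchOrigin, botScore = null) {
  const resp = fetchOrigin(request);
  if (!isSuspicious(request.headers, botScore)) return { ...resp, fontSwapped: false };
  const type = (resp.headers['content-type'] || '').toLowerCase();
  let body = resp.body;
  if (type.startsWith('text/css')) body = swapLicensedFont(body);
  else if (type.startsWith('text/html')) body = dropFoundryLinks(swapLicensedFont(body)); // inline <style> too
  return { ...resp, body, fontSwapped: body !== resp.body };
}

// Constructed sample origin responses and request headers.
const SAMPLE_CSS = `@font-face { font-family: "Brand Sans"; src: url("${LICENSED_FONT_URL}") format("woff2"); }
body { font-family: "Brand Sans", sans-serif; }`;
const SAMPLE_HTML = `<html><head><link rel="stylesheet" href="https://${FOUNDRY_HOST}/brand.css">` +
  `<style>${SAMPLE_CSS}</style></head><body>Catalog</body></html>`;

function sampleOrigin(request) {
  const css = request.url.endsWith('.css');
  return { status: 200, headers: { 'content-type': css ? 'text/css' : 'text/html' }, body: css ? SAMPLE_CSS : SAMPLE_HTML };
}

const BROWSER = { 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0', 'Accept-Language': 'en-US' };
const SCRAPER = { 'User-Agent': 'python-requests/2.31' };

// Demo: same page, two visitors. Only the scraper loses the metered font.
for (const [label, headers] of [['browser', BROWSER], ['scraper', SCRAPER]]) {
  const r = handleRequest({ url: 'https://shop.example.test/catalog', headers }, sampleOrigin);
  console.log(`${label}: fontSwapped=${r.fontSwapped}, contacts foundry=${r.body.includes(FOUNDRY_HOST)}`);
}
console.log('foundry header "no-cache" forces origin contact:', forcesOriginContact('no-cache'));
```

The key design point is that the rewrite happens on the customer's own responses, so the foundry's origin never sees a request from the suspicious client and nothing is counted; the brand family name is kept so the page's CSS still applies, only with a local face. Mis-classifying a real user costs that user the brand font for one visit, which is a far cheaper failure mode than the challenge-page approach described above.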


...and all this pain, expense, complexity, and degraded UX, for the sake of _someone's preconceived ideas about the RELATIVE value to the brand of that particular font vs a generic font_. Yikes.


It's bullshit like this that causes people to get a local copy of the font, trace it, then release their new font as something with a different name and maybe a few minor changes that normal humans would never notice. Fonts are my least favorite thing, followed closely by printing.



