Please login or register.

Login with username, password and session length
Advanced search  

News:

Latest sNews - sNews 1.7 - with its own forums - for discussion and user mods.

Author Topic: Prevent files download by .htaccess  (Read 3454 times)

Sven

  • ULTIMATE member
  • ******
  • Karma: 88
  • Posts: 2029
  • Chasing MY bugs!
    • hiseo.fr - rédacteur Web
Prevent files download by .htaccess
« on: January 09, 2010, 11:08:15 AM »

Hi snoozers, hi Dudes
are you shivering with cold?
Here in Western Europe we seem to be in the Arctic.

I got a question regarding security.
With the @font-face CSS feature you know you can embed typefaces in your HTML pages.
When it's a free face well no problem but imagine you're using the splendid Linotype Helvetica ($90) you want to protect it from being donwloaded, don't you?

So I'm searching the best way to protect those files (in 2 flavors: .eot for IE and TTFfor the other browsers) since the path of the directory can be seen thru the CSS code.
At the root of the site we can protect by the .htaccess the directory from being browsed but files still can be donwloaded.

So in the fonts directory I've created an .htaccess with those lines:
Code: [Select]
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://mon.site.fr/typos/.*$ [NC]
RewriteRule .*\.(eot|ttf)$ http://mon.site.fr/typos/ [R,NC,L]

Result: no result. Files still can be accessed.
Is my .htaccess code wrong? Can it be done with this method? Is there a smart way to do it? Will I see penguins in my garden soon?
These are my stupid questions for the weekend.
Take care.

Merci d'avance pour vos réponses.

Joost

  • Guest
Re: Prevent files download by .htaccess
« Reply #1 on: January 09, 2010, 03:57:49 PM »

Is my .htaccess code wrong? Can it be done with this method? Is there a smart way to do it?
The basic of rendering layout, is that everything needed to do so, is downloaded (to temp or cache) anyway.
The browser downloads stylesheets, html, images, javascript etc.. I never looked into the font-face method, but I cannot imagine that this would be different for fonts. So unless I am wrong (can't imagine that either), you can only protect against hot linking (bandwidth stealth), the way you protect against hotlinking images (a referrer check in .htaccess).


Will I see penguins in my garden soon?

Penguins don't travel that far north, so if you think you see one, quit smoking, cause that would be a nun.

Merci d'avance pour vos réponses.

I studied French only for a very short period. I got as far as this:

Où est papa ? Papa est dans le salon. Il fume une pipe.
Où est mama ? Mama est dans la cuisine. Elle prépare un diner délicieux.

How do you Frenchmen, do that ?  ::)

Logged

Sven

  • ULTIMATE member
  • ******
  • Karma: 88
  • Posts: 2029
  • Chasing MY bugs!
    • hiseo.fr - rédacteur Web
Re: Prevent files download by .htaccess
« Reply #2 on: January 09, 2010, 04:20:57 PM »

Howdee Mr Bear?
Is my .htaccess code wrong? Can it be done with this method? Is there a smart way to do it?
The basic of rendering layout, is that everything needed to do so, is downloaded (to temp or cache) anyway.
The browser downloads stylesheets, html, images, javascript etc.. I never looked into the font-face method, but I cannot imagine that this would be different for fonts. So unless I am wrong (can't imagine that either), you can only protect against hot linking (bandwidth stealth), the way you protect against hotlinking images (a referrer check in .htaccess).
Yeap you're damn right: the files must be downloaded into the browsers cache so there is no way to protect the fonts.
That's a huge problem.
Will I see penguins in my garden soon?

Penguins don't travel that far north, so if you think you see one, quit smoking, cause that would be a nun.
Thanks Joost. One moment I thought I've raped a penguin this early afternoon.
I'me sure now nuns are disguised in penguins to avoids maniacs.
Merci d'avance pour vos réponses.

I studied French only for a very short period. I got as far as this:

Où est papa ? Papa est dans le salon. Il fume une pipe.
Où est mama ? Mama est dans la cuisine. Elle prépare un diner délicieux.

How do you Frenchmen, do that ?  ::)


Où est Papa ? Here, il est dans la cuisine. I spend my saturday's afternoons cooking while Maman is reading books or gardening.
And la pipe* is my reward for a good cooking.  ;D

* see why

Joost

  • Guest
Re: Prevent files download by .htaccess
« Reply #3 on: January 09, 2010, 06:41:11 PM »


Thanks Joost. One moment I thought I've raped a penguin this early afternoon.
I'me sure now nuns are disguised in penguins to avoids maniacs.

The guitar and the singing should have been a dead give-away.

And la pipe* is my reward for a good cooking.  ;D

I have the same for a takeaway.
Logged

Sven

  • ULTIMATE member
  • ******
  • Karma: 88
  • Posts: 2029
  • Chasing MY bugs!
    • hiseo.fr - rédacteur Web
Re: Prevent files download by .htaccess
« Reply #4 on: January 11, 2010, 08:07:41 AM »

 ;D

Fred K

  • Still trying to learn stuff
  • ULTIMATE member
  • ******
  • Karma: 130
  • Posts: 2728
    • Personal
Re: Prevent files download by .htaccess
« Reply #5 on: January 11, 2010, 07:00:02 PM »

or use a hosted service like Typekit or Kernest, which will take away all your fears of distributing a font you paid dearly for. (Most dearly paid-for fonts don't allow web embedding, through CSS or other means, anyway so you're doubly screwed if you use your fine $90 Linotype Helvetica (Helvetica is by the way a standard font on Mac OS and can safely have Arial as a fallback for other systems so if it's Helvetica you wish to use, simply rely on the standard fonts.)

Code: [Select]
body {font-family:Helvetica,Arial,sans-serif;}
No more worries! :D
Logged

Sven

  • ULTIMATE member
  • ******
  • Karma: 88
  • Posts: 2029
  • Chasing MY bugs!
    • hiseo.fr - rédacteur Web
Re: Prevent files download by .htaccess
« Reply #6 on: January 12, 2010, 09:28:34 AM »

@ Bob
that's the ol' way  ;) Good way for design but I want texts.

@ Fred
Helvetica was for the example. ;)
Arial as a fallback for IE on Win's machine? Yeap you're right But Arial is not Helevtica.

Joost

  • Guest
Re: Prevent files download by .htaccess
« Reply #7 on: January 12, 2010, 03:30:00 PM »

@ Bob
that's the ol' way  ;) Good way for design but I want texts.

Yep, on the web you need text in html.
Logged

Fred K

  • Still trying to learn stuff
  • ULTIMATE member
  • ******
  • Karma: 130
  • Posts: 2728
    • Personal
Re: Prevent files download by .htaccess
« Reply #8 on: January 14, 2010, 04:00:42 AM »

... Arial is not Helevtica.

Of course it's not, but it's the one ubiquitous standard font that  --courtesy of Microsquishy's reluctance back then to pay the Helvetica license for Window$-- is the closest to Helvetica. You could just as well use Swiss or Univers, but (a) there's a bigger difference between those and Helvetica, and (b) ubiquitous they aren't. So, you're stuck with Arial. (Or just do "body {font-family:Helvetica,sans-serif;}", if you prefer that.) (I know you know this already, but there are others who might be reading over your shoulder, who don't...)

hee-hee, made you look, didn't I? :D
Logged

Sven

  • ULTIMATE member
  • ******
  • Karma: 88
  • Posts: 2029
  • Chasing MY bugs!
    • hiseo.fr - rédacteur Web
Re: Prevent files download by .htaccess
« Reply #9 on: January 14, 2010, 09:16:04 AM »

... Arial is not Helevtica.

Of course it's not, but it's the one ubiquitous standard font that  --courtesy of Microsquishy's reluctance back then to pay the Helvetica license for Window$-- is the closest to Helvetica. You could just as well use Swiss or Univers, but (a) there's a bigger difference between those and Helvetica, and (b) ubiquitous they aren't. So, you're stuck with Arial. (Or just do "body {font-family:Helvetica,sans-serif;}", if you prefer that.) (I know you know this already, but there are others who might be reading over your shoulder, who don't...)

hee-hee, made you look, didn't I? :D
8)