google / fonts

Font files available from Google Fonts, and a public issue tracker for all things Google Fonts
https://fonts.google.com

Reverse-Proxying Google Fonts as GDPR workaround allowed? #1637

Open nohn opened 5 years ago

nohn commented 5 years ago

As #1495 was closed without actually resolving the issue for anyone.

A technically and, from a GDPR point of view, viable solution would be reverse-proxying fonts.googleapis.com, rewriting the returned CSS and also reverse-proxying fonts.gstatic.com. However, is that a solution Google accepts?

An example NGINX config may clarify what I'm talking about. Is running something like this on the public internet accepted by Google?

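server {
    server_name fonts.example.com;

    location / {
        # CSS API: fetch from Google under its own host name.
        proxy_pass https://fonts.googleapis.com/;
        proxy_set_header Host fonts.googleapis.com;
        # Ask for an uncompressed response so the body can be rewritten.
        proxy_set_header Accept-Encoding "";

        # subs_filter is provided by the third-party ngx_http_substitutions_filter_module.
        # Point the font URLs in the returned CSS at this proxy.
        subs_filter_types text/css;
        subs_filter //fonts.gstatic.com/ //fonts.example.com/fonts/;
    }

    # Trailing slash so /fonts/s/... maps to /s/... upstream rather than //s/...
    location /fonts/ {
        proxy_pass https://fonts.gstatic.com/;
        proxy_set_header Host fonts.gstatic.com;
    }
}

davelab6 commented 5 years ago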

Did anything in the Terms of Service relate to this in your mind?

nohn commented 5 years ago

@davelab6

https://developers.google.com/terms/

Section 4: Prohibitions and Confidentiality
a. API Prohibitions
When using the APIs, you may not (or allow those acting on your behalf to):

Sublicense an API for use by a third party. Consequently, you will not create an API Client that functions substantially the same as the APIs and offer it for use by third parties.

davelab6 commented 5 years ago

https://github.com/GoogleChrome/workbox/issues/1599 notes,

The Google APIs Terms of Services say that we cannot "keep cached copies longer than permitted by the cache header" (https://developers.google.com/terms/#e_prohibitions_on_content)

So, I guess it isn't allowed.

nohn commented 5 years ago

The NGINX example doesn't cache the results. It just passes them through to not reveal the real user's IP to Google.

Wouter0100 commented 2 years ago

Honest question, why would you want to proxy it? I would just recommend downloading the fonts (as they're free to use, if I'm not mistaken?) and hosting them yourself.

When you proxy it, the whole benefit of hosting it on a Google CDN is lost either way?

trajano commented 2 years ago

Reason why you should proxy it ... you can be sued https://www.theregister.com/2022/01/31/website_fine_google_fonts_gdpr/

Wouter0100 commented 2 years ago

Reason why you should proxy it ... you can be sued https://www.theregister.com/2022/01/31/website_fine_google_fonts_gdpr/

But.. then you would be better off downloading them and hosting them yourself anyway?

trajano commented 2 years ago

That's one option, but that would entail a lot of code changes. Remember there are two places you need to update:

  1. the CSS that gets generated from the LINK element
  2. the actual TTF files.

What @nohn provides is a less annoying way of changing the code base so that ideally it just changes the host name needed for Google fonts.

I took his idea and extended it to be a Docker image I can plop in my Docker Swarm. Now, hopefully, all I have to do is swap the references to point to my server with some basic caching just a few minutes ago.

I just fixed it to make it interop with Traefik (I am guessing other SSL termination proxies as well) a bit better since I take the X-Forwarded-Host and X-Forwarded-Proto values and swap them appropriately. I also made it support the icon fonts.
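
One way to do the host swap described in the comment above, with the forwarded host checked against an allowlist before it is written into the CSS, and with client-identifying request headers dropped before the request is relayed (the pass-through behaviour discussed earlier in the thread). This is an added example, not code from the thread or from any participant's Docker image; `ALLOWED_HOSTS`, `DROP_UPSTREAM`, the function names and the sample CSS are assumptions constructed for illustration.

```python
import re

# Assumption: hostnames this proxy may advertise in rewritten CSS.
ALLOWED_HOSTS = {"fonts.example.com"}
# Client-identifying request headers that are not relayed upstream.
DROP_UPSTREAM = {"host", "cookie", "referer", "x-forwarded-for",
                 "x-real-ip", "forwarded"}
GSTATIC = re.compile(r"(?:https?:)?//fonts\.gstatic\.com/")

# Constructed sample of a CSS API response (the font path is made up).
SAMPLE_CSS = ("@font-face { font-family: 'Roboto'; src: "
              "url(https://fonts.gstatic.com/s/roboto/v0/example.woff2) "
              "format('woff2'); }")


def public_base(headers):
    """Return 'proto://host/fonts/' from forwarded headers, or raise ValueError."""
    h = {k.lower(): v for k, v in headers.items()}
    # A TLS-terminating proxy may append values; only the first one is used.
    host = h.get("x-forwarded-host", h.get("host", "")).split(",")[0].strip().lower()
    proto = h.get("x-forwarded-proto", "https").split(",")[0].strip().lower()
    # X-Forwarded-* is client-controllable unless a trusted proxy sets it,
    # so it is never copied into the response without validation.
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected forwarded host: {host!r}")
    if proto not in ("http", "https"):
        raise ValueError(f"unexpected forwarded proto: {proto!r}")
    return f"{proto}://{host}/fonts/"


def rewrite_css(css, headers):
    """Point every fonts.gstatic.com URL in the CSS at this proxy."""
    base = public_base(headers)
    return GSTATIC.sub(lambda m: base, css)


def upstream_headers(headers):
    """Headers to send to Google: identifying ones dropped, Host replaced."""
    out = {k: v for k, v in headers.items()
           if k.lower() not in DROP_UPSTREAM
           and not k.lower().startswith("x-forwarded-")}
    # User-Agent is left alone here; forwarding it is a deployment decision.
    out["Host"] = "fonts.googleapis.com"
    return out
```
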

k1sul1 commented 2 years ago

I just went through the hassle of downloading the fonts myself, twice actually. First with https://google-webfonts-helper.herokuapp.com/, which makes it easy. I just happened to notice that nordics are broken when the text is UPPERCASED:

[image]

Then I tried Transfonter. Same issue.

This is what it should look like:

[image]

Someone is probably going to fix that font in the near future, but shit like this is exactly why I'm going to proxy instead of messing with local fonts.

Now I have to come back to it periodically to see if the font has been fixed. Nice.

danielehrhardt commented 1 year ago

A lot of my customers now receive lawsuits with a €170 fine. Google really should do something about this.

Is it now allowed to proxy Google Fonts API or not?

https://stackoverflow.com/questions/74181989/google-fonts-german-gdpr-ip-address

crtl commented 1 month ago

Regarding the terms of service, it states that you cannot sublicense to third parties:

Sublicense an API for use by a third party. Consequently, you will not create an API Client that functions substantially the same as the APIs and offer it for use by third parties.

Am I allowed to create a proxy for internal use? I work in an agency and we have multiple clients. Of course we can download webfonts, but it's always more work than to just include the webfont link in CSS. I wanted to set up a reverse proxy which will be only used by our clients (without additional cost). Is this also sublicensing and prohibited?