Reverse-Proxying Google Fonts as GDPR workaround allowed?

[nohn]

As #1495 was closed without actually resolving the issue for anyone.

A technical and from a GDPR point of view viable solution would be reverse proxying fonts.googleapis.com, rewriting the return CSS and also reverse-proxy fonts.gstatic.com. However, is that a solution, Google does accept?

An example NGINX config may clarify what I'm talking about. Is running something like this in the public internet accepted by Google?

server {
    server_name fonts.example.com;

    location / {
            proxy_pass https://fonts.googleapis.com/;
            proxy_set_header Host fonts.googleapis.com;
            proxy_set_header Accept-Encoding "";

            subs_filter_types text/css;
            subs_filter //fonts.gstatic.com/ //fonts.example.com/fonts/;
    }       

    location /fonts {
            proxy_pass https://fonts.gstatic.com/;
            proxy_set_header Host fonts.gstatic.com;
    }
}

[davelab6]

Did anything in the Terms of Service relate to this in your mind?

[nohn]

@davelab6

https://developers.google.com/terms/

Section 4: Prohibitions and Confidentiality
a. API Prohibitions
When using the APIs, you may not (or allow those acting on your behalf to):

Sublicense an API for use by a third party. Consequently, you will not create an API Client that functions substantially the same as the APIs and offer it for use by third parties.

[davelab6]

GoogleChrome/workbox#1599 notes,

The Google APIs Terms of Services say that we cannot "keep cached copies longer than permitted by the cache header" (https://developers.google.com/terms/#e_prohibitions_on_content)

So, I guess it isn't allowed.

[nohn]

The NGINX example doesn't cache the results. It just passes them through to not reveal the real user's IP to Google.

[Wouter0100]

Honest question, why would you want to proxy it? I would just recommend to download the fonts (as they're free to use, if I'm not mistaken?) and host them yourself.

When you proxy it, the whole benefit of hosting it on a Google CDN is lost either way?

[trajano]

Reason why you should proxy it ... you can be sued https://www.theregister.com/2022/01/31/website_fine_google_fonts_gdpr/

[Wouter0100]

Reason why you should proxy it ... you can be sued https://www.theregister.com/2022/01/31/website_fine_google_fonts_gdpr/

But.. then you would be better off downloading them and hosting them yourself anyway?

[trajano]

That's one option, but that would entail a lot of code changes. Remember there's two places you need to update

1. the CSS that gets generated from the LINK element
2. the actual TTF files.

What @nohn provides is a less annoying way of changing the code base so that ideally it just changes the host name needed for Google fonts.

I took his idea and extended it to be a docker image I can plop in my Docker Swarm now hopefully all I have to do is swap the references to point to my server with some basic caching just a few minutes ago.

I just fixed it to make it interop with Traefik (I am guessing other SSL termination proxies as well) a bit better since I take the X-Forwarded-Host and X-Forwarded-Proto values and swap them appropriately. I also made it support the icon fonts

[k1sul1]

I just went through the hassle of downloading the fonts myself, twice actually. First with https://google-webfonts-helper.herokuapp.com/, which makes it easy. I just happened to notice that nordics are broken when the text is UPPERCASED:

Then I tried Transfonter. Same issue.

This is what it should look like:

Someone is probably going to fix that font in the near future, but shit like this is exactly why I'm going to proxy instead of messing with local fonts.

Now I have to come back to it periodically to see if the font has been fixed. Nice.

[danielehrhardt]

A lot of my customers now receive lawsuits with €170 fine.
Google really should do something about this.

Is it now allowed to proxy Google Fonts API or not?

https://stackoverflow.com/questions/74181989/google-fonts-german-gdpr-ip-address