back to article No joke: Cloudflare takes aim at Google Fonts with ROFL

Cloudflare wants formatted text to flow faster into browsers, so has taken on Google with a webby font-delivery offering. The content-delivery-network-and-more biz has two beefs with Google Fonts – one of which is that it's needlessly chatty. In Cloudflare's telling, Google Fonts uses a cascading style sheet that resides at …

  1. Jamie Jones Silver badge
    Unhappy

    I presume it's opt-in?

    They man-in-the-middle web requests to your servers?

    Anyway, if I was relying on google fonts, or anything else, I'd bundle them with my site, making their point moot.

    Sure, there may be caching disadvantages, but for security, reliability, and privacy, you don't depend on third party sites in your html!

    Still, not as bad as those bozos who link live code to third party libraries off the third party site. The world is getting dumber...

    1. Martin M

      Re: I presume it's opt-in?

      Yes, it’s opt-in from the server end. As a website operator, you register and point your DNS at them, at which point you obviously need to trust them as much as your origin server(s). I would imagine there’ll be an opt-in for this specific service given it’s rewriting pages.

      Yes, they MitM - that’s how CDNs work. They’re distributed caching reverse proxies, so they have to terminate TLS on your behalf before connecting to the origin server to retrieve cache misses.

      In fact Cloudflare is also a CA, so it can automatically transparently issue a domain validated certificate if you want it to. It can also provide a certificate for your origin server to secure the second leg.

      1. teknopaul

        Re: I presume it's opt-in?

        In fact Cloudflare is also a CA, so it can automatically transparently MITM any client if IT WANTS TO.

        Ttfy

        1. Martin M

          Re: I presume it's opt-in?

          “In fact Cloudflare is also a CA, so it can automatically transparently MITM any client if IT WANTS TO.”

          To be fair, they also have to be able to *get* in the middle. Although for people using 1.1.1.1 for DNS, that wouldn’t be hard ;)

    2. katrinab Silver badge
      Megaphone

      Re: I presume it's opt-in?

      In modern browsers, there are no caching advantages to using third party resources. If the visitor has it in their cache from visiting another page, they will still download it again when visiting your page, otherwise it could be used as a way to track people.

      1. mattaw2001

        Re: I presume it's opt-in?

        Not only that modern browsers will. not share cached data between domains, it reduces the benefits of HTTP2 and adds another point of failure.

        Considering the font can be cached for basically forever it's not even very expensive.

      2. Jamie Jones Silver badge
        Thumb Up

        Re: I presume it's opt-in?

        Oh, I didn't know that! I feel totally vindicated now!

        I googled, and found this. https://www.stefanjudis.com/notes/say-goodbye-to-resource-caching-across-sites-and-domains/

        I guess I'm living 10 years in the past!

        Cheers for the heads-up!

    3. Captain Scarlet

      Re: I presume it's opt-in?

      Its amazing how far they are used, for WordPress its on nearly every one of our sites.

      I've given up with asking why do you need this css/js/font on someone elses CDN, you just get a look of "What? Please stop talking to me and go away."

    4. Anonymous Coward
      Anonymous Coward

      Not You Again?

      @Jamie_Jones

      ......not you again?

      About "bozos"..........I'm wondering................

  2. man_iii
    Holmes

    Static content

    So much of the geocache and content delivery requires that html and bits get stored on their edge devices. I wonder how much more optimisations might exist like this. Would love to see some of these stats.

  3. Grunchy Silver badge

    It’s about time !

    If you had 10,000 customers and they each saved 150 ms, you know what that’s like uh, 25 minutes saved. That’s worth nearly $9 at my rate of pay! Practically a full qtr pounder meal deal.

    1. Kristian Walsh Silver badge

      Re: It’s about time !

      10,000 is a tiny number of visitors for a website, certainly for any site that would be using Cloudflare as their provider. CF has customers who get millions of site-fetches a day. That’s a lot of quarter-pounder meals.

      ... and if those are US dollars, you should probably ask for a pay-rise.

      1. ArrZarr Silver badge
        Headmaster

        Re: It’s about time !

        Well unless they're using CSD, USD is worth more than any other $ currency.

      2. collinsl Bronze badge

        Re: It’s about time !

        Which may well mean that someone has misinterpreted or written a story around the idea of cache refreshes - 10,000 cache refreshes or misses a day for a site fonts sounds roughly about right.

  4. Jonathan Richards 1

    Witty names

    ROFL! Hahaha... but of course if I want to search for more information *about* the technology, what do you think the raw hit count for "ROFL" is? A.: 19.2 million. Alright, "ROFL" "font delivery" cuts that down to 5 with a 100% precision, but still.

    1. Gene Cash Silver badge

      Re: Witty names

      Yeah, that's like the GNU folks that named their Visio knockoff "Dia"

      Boy, do they get pissy if you suggest changing to a less generic and more easily searched name!

      1. Jamie Jones Silver badge

        Re: Witty names

        I always thought that would be a good way to help reduce torrenting of your stuff

        Just call your band "A" and your albums "and", to, "the" etc!

  5. elsergiovolador Silver badge

    An idea

    How about people upload the fonts to their server and serve them alongside their website?

    I am sorry if this idea is too radical.

    1. cookieMonster Silver badge
      Joke

      Re: An idea

      You’re old aren’t you (like more than 23) and you’re obviously not a javascript/web developer.

    2. wolfetone Silver badge

      Re: An idea

      I think some font licenses can be quite restrictive if self hosting, which some how is negated through using Google Fonts.

      I don't know, I've never seen a point in having fonts hosted elsewhere. But then again I'm anti everything web development has become so no one listens to me.

      1. Dinanziame Silver badge

        Re: An idea

        Note that the EU has declared that it is mandatory to self host Google Fonts on your website, otherwise user data leaks to Google:

        https://www.theregister.com/2022/01/31/website_fine_google_fonts_gdpr/

        1. Jamie Jones Silver badge

          Re: An idea

          Ooooh. I missed that. But just about every site has google analytics or google ads..

      2. Neil Barnes Silver badge
        Headmaster

        Re: An idea

        Not quite everyone... people seem to have forgotten that html is a content delivery system, not a typesetting system.

        1. Kristian Walsh Silver badge

          Re: An idea

          HTTP is a content delivery system; HTML, on the other hand, is the input format to the very popular document typesetting system we call a web browser.

          1. Anonymous Coward
            Anonymous Coward

            Re: An idea

            html - content

            css - style

            http - transport.

    3. Anonymous Coward
      Anonymous Coward

      Re: An idea

      Funny story. A potential customer had some issue with a website - I said we'd look into it. It's a single page site, not a huge amount of content - maybe 3 or 4 screens high, text, no video, minimum graphics.

      Total weight of the CSS, after I had de-minified it to investigate? 1.5MB. Of CSS.

      The minification made this considerably worse because literally every single stylesheet the developers (I presume they were legion) needed had been assembled into about 4 or 5 god-almighty huges files, which were then minified This included a dozen or so google fonts CSS files, various toolkits and the like, most of which are boilerplate thats shared over millions of websites, and none of which will benefit from caching from Cloudflare, ISP, or local browser cache from other sites due to the the way they're packaged.

      Performance during load was appalling, performance during rendering was appalling (it's matching every element in the HTML to tens of thousands of CSS rules). We walked away and said we couldn't help them.

  6. Crypto Monad Silver badge

    What you didn't mention was...

    One of the purposes of this new Rust module is to serve Low Output Latency HTML (= lol-html).

  7. Anonymous Coward
    Anonymous Coward

    Sod off with this nonsense

    My browser has access to a full suite of fonts from the OS. Request sans/serif/whatever from that and be done with all this downloading nonsense.

    It's only being done for data tracking anyway.

  8. ecofeco Silver badge

    Great, more solutons in search of a problem

    See title

  9. Kevin McMurtrie Silver badge

    And Cloudflare won't be evil?

    Cloudflare hinting that they might be less evil is laughable. They've been continuously expanding their access to what they can observe about Internet users. They are also willingly bulletproofing what seems like every fake store and SMS scammer on Earth.

    Dear Reg mods fearing Cloudflare's retaliation because of slander: I e-mailed you many examples. I can send you more. There are always more. I'd be really happy if there weren't always more. Just check your SMS spam bucket - Those links start at Namecheap, head through click-trackers at Amazon, then land on a fake store behind Cloudflare. Also https://www.spamhaus.org/sbl/listings/cloudflare.com

    1. Anonymous Coward
      Anonymous Coward

      Re: And Cloudflare won't be evil?

      I'm involved with a project that, among other things, posts links to relevant news articles to various social media platforms and we have followers who, without fail, will complain whenever we post a link to a news medium that uses CloudFlare in between. I swear that they must be running some browser privacy plugin that warns them if CF has muscled itself in between them and what they want to read and they will let us know. They often post alternative links too so people can read the article without CF.

      There will always be people more paranoid than me but I feel they may be on to something. There's a reason that CF offers such a key service for free, it gives them access to tremendous amounts of data.

    2. Anonymous Coward
      Anonymous Coward

      Re: And Cloudflare won't be evil?

      They provide DDOS protection for DDOS-as-a-service providers, in a not so subtle form of irony, and also provide DDOS protection for sites that offer animal torture fetish content. They just about managed to get away with it, when they pretended to be entirely content agnostic and only protecting the underlying networks. They've since taken the stance that some content is too reprehensible to be allowed to cross their network or remain protected behind their services, which given their refusal to remove protection from the aforementioned DDOSers and animal snuff fetishists despite multiple complaints, makes them tacit supporters of the content that does still cross their network.

  10. Len
    Happy

    GDPR compliant alternative to Google Fonts

    For those looking for a GDPR compliant alternative to Google Fonts I can recommend fonts.bunny.net. They have drop in replacements for all Google fonts and even a WordPress plugin that redirects it for you if can't (or prefer not to) change your WP themes with hardcoded links to Google Fonts.

    1. IGotOut Silver badge

      Re: GDPR compliant alternative to Google Fonts

      Or you could just use a plugin that loads the Google fonts that your site uses and host them locally.

      1. Dave559

        Re: GDPR compliant alternative to Google Fonts

        Someone has developed a handy website which will let you easily download the fonts (etc) from Google's servers, so that you can host the particular fonts that you need/want locally and perfectly legally.

        google-webfonts-helper: A Hassle-Free Way to Self-Host Google Fonts

  11. Grogan Silver badge

    Just use font styles, then that works for everyone. Then you don't need to download fonts.

    I happen to like the one TTF font family (Deja Vu) that I have installed (with font matching rules all pointing to them) and I don't appreciate browsers downloading fonts just for somebody's vain web site. I have "allow pages to choose their own fonts" disabled and "gfx.downloadable_fonts.enabled set to false in about:config. I don't care... I choose the fonts I like to read.

  12. collinsl Bronze badge

    I'll admit that I've not touched HTML for years, but can't you just specify a font-family in CSS and call it a day? Or just locally host them? Why do people need fonts from Google?

    1. Anonymous Coward
      Anonymous Coward

      It's the shiny-shiny

  13. unimaginative
    Unhappy

    Because they want to use an exact font. It might be the designer, or marketing people who want to use the same font for the brand that they use in printed materials and images. Add to that tight budgets or timelines, or a lazy front end designer, and the fast/easy way to do it is to copy and past a line from Google Fonts.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like