The basic, insecure @font-face has CSS specify a font file with its name and address out in the open. Any user with a little know-how can simply type in the address and download the font. I set out to put a chastity belt on it, giving the key only to its suitor: my trusted CSS. When a stranger tries to access the font, nothing is downloaded; only a message shows up instead, say license info or where to buy the font.
Note: I have removed the code as understanding how it works makes it vulnerable. You may download the files and try it yourself!
This isn’t foolproof but it is fun. I should just stress that you need to check the EULA of your commercial fonts or negotiate with the foundry, and present clients with the pros/cons of this solution.
There are plenty of other issues that accompany the use of @font-face. Compression is a biggie, and that’s something WOFF will help with.
Good resources for other issues: