fyi: Cross-Origin Resource Embedding Restrictions

From: =JeffH <Jeff.Hodges@KingsMountain.com>
Date: Tue, 01 Mar 2011 09:36:11 -0800
Message-ID: <4D6D2E8B.5080806@KingsMountain.com>
To: W3C Web Security Interest Group <public-web-security@w3.org>

fyi, of possible interest...

thread rooted here..

http://lists.w3.org/Archives/Public/public-webapps/2011JanMar/0710.html

[probably best to keep discussion of this specific thing on public-webapps@ for 
now]

Subject: Cross-Origin Resource Embedding Restrictions
From: "Anne van Kesteren" <annevk@opera.com>
Date: Tue, 01 Mar 2011 08:35:33 +0100
To: "WebApps WG" <public-webapps@w3.org>

Hi,

The WebFonts WG is looking for a way to prevent cross-origin embedding of
fonts as certain font vendors want to license their fonts with such a
restriction. Some people think CORS is appropriate for this, some don't.
Here is some background material:

http://weblogs.mozillazine.org/roc/archives/2011/02/distinguishing.html
http://annevankesteren.nl/2011/02/web-platform-consistency
http://lists.w3.org/Archives/Public/public-webfonts-wg/2011Feb/0066.html


More generally, having a way to prevent cross-origin embedding of
resources can be useful. In addition to license enforcement it can help
with:

   * Bandwidth "theft"
   * Clickjacking
   * Privacy leakage

To that effect I wrote up a draft that complements CORS. Rather than
enabling sharing of resources, it allows for denying the sharing of
resources:

http://dvcs.w3.org/hg/from-origin/raw-file/tip/Overview.html

And although it might end up being part of the Content Security Policy
work I think it would be useful if we publish a Working Draft of this work to
gather more input, committing us to nothing.

What do you think?

Kind regards,


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Tuesday, 1 March 2011 17:36:41 GMT