W3C home > Mailing lists > Public > public-web-security@w3.org > March 2011

fyi: Cross-Origin Resource Embedding Restrictions

From: =JeffH <Jeff.Hodges@KingsMountain.com>
Date: Tue, 01 Mar 2011 09:36:11 -0800
Message-ID: <4D6D2E8B.5080806@KingsMountain.com>
To: W3C Web Security Interest Group <public-web-security@w3.org>
fyi, of possible interest...

thread rooted here..


[probably best to keep discussion of this specific thing on public-webapps@ for 

Subject: Cross-Origin Resource Embedding Restrictions
From: "Anne van Kesteren" <annevk@opera.com>
Date: Tue, 01 Mar 2011 08:35:33 +0100
To: "WebApps WG" <public-webapps@w3.org>


The WebFonts WG is looking for a way to prevent cross-origin embedding of
fonts as certain font vendors want to license their fonts with such a
restriction. Some people think CORS is appropriate for this, some don't.
Here is some background material:


More generally, having a way to prevent cross-origin embedding of
resources can be useful. In addition to license enforcement it can help

   * Bandwidth "theft"
   * Clickjacking
   * Privacy leakage

To that effect I wrote up a draft that complements CORS. Rather than
enabling sharing of resources, it allows for denying the sharing of


And although it might end up being part of the Content Security Policy
work I think it would be useful if publish a Working Draft of this work to
gather more input, committing us nothing.

What do you think?

Kind regards,

Anne van Kesteren
Received on Tuesday, 1 March 2011 17:36:41 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:18 UTC