W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2011

Cross-Origin Resource Embedding Restrictions

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 01 Mar 2011 08:35:33 +0100
To: "WebApps WG" <public-webapps@w3.org>
Message-ID: <op.vrnl1isk64w2qv@anne-van-kesterens-macbook-pro.local>

The WebFonts WG is looking for a way to prevent cross-origin embedding of  
fonts as certain font vendors want to license their fonts with such a  
restriction. Some people think CORS is appropriate for this, some don't.  
Here is some background material:


More generally, having a way to prevent cross-origin embedding of  
resources can be useful. In addition to license enforcement it can help  

  * Bandwidth "theft"
  * Clickjacking
  * Privacy leakage

To that effect I wrote up a draft that complements CORS. Rather than  
enabling sharing of resources, it allows for denying the sharing of  


And although it might end up being part of the Content Security Policy  
work I think it would be useful if publish a Working Draft of this work to  
gather more input, committing us nothing.

What do you think?

Kind regards,

Anne van Kesteren
Received on Tuesday, 1 March 2011 07:36:08 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 February 2015 14:36:48 UTC