W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2011

Cross-Origin Resource Embedding Restrictions

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 01 Mar 2011 08:35:33 +0100
To: "WebApps WG" <public-webapps@w3.org>
Message-ID: <op.vrnl1isk64w2qv@anne-van-kesterens-macbook-pro.local>
Hi,

The WebFonts WG is looking for a way to prevent cross-origin embedding of  
fonts as certain font vendors want to license their fonts with such a  
restriction. Some people think CORS is appropriate for this, some don't.  
Here is some background material:

http://weblogs.mozillazine.org/roc/archives/2011/02/distinguishing.html
http://annevankesteren.nl/2011/02/web-platform-consistency
http://lists.w3.org/Archives/Public/public-webfonts-wg/2011Feb/0066.html


More generally, having a way to prevent cross-origin embedding of  
resources can be useful. In addition to license enforcement it can help  
with:

  * Bandwidth "theft"
  * Clickjacking
  * Privacy leakage

To that effect I wrote up a draft that complements CORS. Rather than  
enabling sharing of resources, it allows for denying the sharing of  
resources:

http://dvcs.w3.org/hg/from-origin/raw-file/tip/Overview.html

And although it might end up being part of the Content Security Policy  
work I think it would be useful if publish a Working Draft of this work to  
gather more input, committing us nothing.

What do you think?

Kind regards,


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Tuesday, 1 March 2011 07:36:08 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:43 GMT