W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2011

Re: Cross-Origin Resource Embedding Restrictions

From: Glenn Maynard <glenn@zewt.org>
Date: Tue, 1 Mar 2011 16:10:59 -0500
Message-ID: <AANLkTinCbMzn-4YTZFk+_RDxnaGVQQm8m5r8_pc+RizA@mail.gmail.com>
To: nathan@webr3.org
Cc: Anne van Kesteren <annevk@opera.com>, WebApps WG <public-webapps@w3.org>
On Tue, Mar 1, 2011 at 3:33 PM, Nathan <nathan@webr3.org> wrote:
> (rather than controlled only "by user agents which choose to follow the specs" offering
> an artificial screen).

If user agents deliberately ignore the specs to allow embedding where
authors don't want it to, they can do it with any model--Referer,
Origin, From-Origin, etc.  They all depend on UA cooperation.

In practice, as long as most browsers support it and enable it by
default, that's enough to discourage people from embedding resources
from sites that don't want them to.

> However, on this specific draft, is there any chance you can move to a
> white-list/black-list model, where people can send either Allow-Origin or
> Deny-Origin, for instance in many scenarios I want to allow everyone except
> origins A and B who I know consistently "steal" bandwidth, or display my
> resources beside unsavoury ones.

Sending whitelists in a header makes sense to me, but sending
blacklists with every request doesn't scale--such a list could easily
end up having dozens of entries, bloating the headers for every
request.  You may not actually want to expose your entire blacklist to
the public, either.

Blacklisting does seem like a fair use case, though; it often makes
sense to want to block particularly abusive sites, without blocking
everyone.

-- 
Glenn Maynard
Received on Tuesday, 1 March 2011 21:11:32 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:43 GMT