- From: Håkon Wium Lie <howcome@opera.com>
- Date: Wed, 9 Feb 2011 16:39:13 +0100
- To: public-webfonts-wg@w3.org
Same-origin restrictions (SOR), by way of CORS, are described in the current WOFF WD. As we have seen on this list, the use of CORS is seeing some resistance in the web community. I believe it's in the interest of this WG to try to address the concerns raised.

The currently described solution has some problems:

- it relies on a solution (CORS) which is a WD [1]. Therefore, WOFF will not be able to progress to REC before CORS progresses.
- the editor of the CORS specification, Anne van Kesteren, discourages the use of CORS with WOFF. That's not a good sign for the relationship between the two.

However, the resistance is not based on a fundamental rejection of SOR. Anne has penned an alternative proposal which is a different way of achieving SOR: the From-Origin header [2].

To paraphrase Anne, there are two main ways of fetching resources on the web: embedding and XHR. Embedding is used for images, HTML pages in IFRAME, fonts etc. XHR (XMLHttpRequest) is used with scripts. CORS has been designed to be used with XHR, and not for embedding. As such, it is not suitable for use in WOFF. However, From-Origin is.

And, From-Origin is suitable for use with other media types as well; fonts are not treated specially. This is achieved by switching the default. In Mozilla's CORS-based implementation today, the default is to ignore the font unless a certain HTTP header is present. In the From-Origin proposal, the browser will ignore the font if a certain HTTP header is present. This change of default setting allows From-Origin to be used with other media types on the web without causing havoc.

If From-Origin is applied to other media types, it can address a serious privacy issue:

https://grepular.com/Abusing_HTTP_Status_Codes_to_Expose_Private_Information

The issue of which SOR mechanism to choose is one that has implications beyond this WG. From-Origin is something others can reuse, and I suggest we use it with WOFF.
[1] http://www.w3.org/TR/cors/
[2] http://annevankesteren.nl/2011/02/from-origin

Cheers,

-h&kon

Håkon Wium Lie CTO °þe®ª
howcome@opera.com http://people.opera.com/howcome
Received on Wednesday, 9 February 2011 15:39:49 UTC
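The "switched default" the message describes, contrasted as two decision functions; this is an added illustration, not code from the message, from Opera or from either specification. The From-Origin value syntax assumed here (`same`, or a space-separated list of origins) is an assumption, since the message does not spell it out; the functions take any embedded resource URL, not only fonts, matching the point that fonts are not treated specially.

```python
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Return the scheme://host[:port] origin of a URL, lowercased."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _lower_keys(headers: dict) -> dict:
    # HTTP header names are case-insensitive; normalise before lookup.
    return {k.lower(): v for k, v in headers.items()}


def cors_embed_allowed(page_origin: str, resource_url: str, headers: dict) -> bool:
    """CORS-style default (the Mozilla font behaviour the message cites):
    a cross-origin resource is IGNORED unless the response opts in with
    Access-Control-Allow-Origin covering the embedding page's origin."""
    if origin_of(resource_url) == page_origin:
        return True
    acao = _lower_keys(headers).get("access-control-allow-origin")
    return acao == "*" or acao == page_origin


def from_origin_embed_allowed(page_origin: str, resource_url: str, headers: dict) -> bool:
    """From-Origin-style default: the resource is USED unless the response
    carries a From-Origin header that excludes the embedding page's origin.
    Assumed value syntax: 'same' or a space-separated list of origins."""
    value = _lower_keys(headers).get("from-origin")
    if value is None:
        return True  # header absent: embedding allowed (the switched default)
    if origin_of(resource_url) == page_origin:
        return True  # a resource's own origin is never excluded
    allowed = {tok.lower() for tok in value.split() if tok.lower() != "same"}
    return page_origin in allowed


# Constructed sample: a page on example.com embedding a third-party font.
PAGE = "https://example.com"
FONT = "https://fonts.example.net/body.woff"

if __name__ == "__main__":
    for hdrs in ({}, {"From-Origin": "same"}, {"From-Origin": "https://example.com"}):
        print(hdrs, "cors:", cors_embed_allowed(PAGE, FONT, hdrs),
              "from-origin:", from_origin_embed_allowed(PAGE, FONT, hdrs))
```

With no header at all the two models disagree: the CORS default blocks the cross-origin font while the From-Origin default admits it, which is exactly why the latter can be applied to images and frames without breaking existing deployments.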