
Re: The unmentionable

From: Robert O'Callahan <robert@ocallahan.org>
Date: Thu, 30 Jul 2009 09:07:07 +1200
Message-ID: <11e306600907291407q2bf6f84dw5467feaa79e7f607@mail.gmail.com>
To: Dirk Pranke <dpranke@google.com>
Cc: Sylvain Galineau <sylvaing@microsoft.com>, "www-font@w3.org" <www-font@w3.org>
On Thu, Jul 30, 2009 at 5:26 AM, Dirk Pranke <dpranke@google.com> wrote:

> On Wed, Jul 29, 2009 at 6:43 AM, Sylvain Galineau<sylvaing@microsoft.com>
> wrote:
> > From: www-font-request@w3.org [www-font-request@w3.org] on behalf of
> > Dirk Pranke [dpranke@google.com]
> >
> >>(e) There may be objections that using same-origin and/or CORS as a
> >>lightweight form of license restriction is anathema to the web as a
> >>whole, and hence browser implementors might be very loath to
> >>implement something like this for fear of setting bad precedents.
> >
> > Firefox already does this.
> >
>
> Agreed, but I believe they do it for security concerns, not licensing
> concerns (although I'm not positive about this). I do know that the
> conversations about this in WebKit revolve primarily around security
> concerns.
>

You don't have to guess. We've explained before why we do it, but I'm happy
to explain it again, for good measure.

-- As a general rule, allowing one site access to information from arbitrary
other sites is a problem. It leads to attacks like router profiling attacks,
intranet information leaks, and the like. If we could rebuild the Web from
the ground up, we'd have default same-origin checks for all resource
inclusions, and all those attacks would have been blocked from the outset.
It's too late for images, stylesheets and scripts, but doing it for new
kinds of resource inclusions may have some value. (I say "may" because it
depends on how the Web evolves, how fonts are used, and how ingenious the
villains are. No-one predicted the attacks using cross-site image, script
and stylesheet loads before it was too late.)

-- As a general rule, it seems good to offer Web authors the ability to
control who uses their served resources. A default same-origin restriction +
CORS seems the best available way to provide that control --- more
convenient, more reliable, and with better user privacy than Referer
checking. Web authors can use this control to achieve various useful goals,
including preventing freeloaders from consuming server bandwidth, and
complying with font licenses.

-- The inconvenience to authors of requiring CORS to enable cross-site
linking seems to be small. I'm not aware of any complaints from authors that
it is a significant barrier to deployment. (In contrast, when we looked at
the same issue for HTML video, there were a lot of author complaints that a
default same-origin restriction would be a major deployment barrier, so we
didn't do it there.)

Preventing links to malicious fonts that might compromise the browser is not
a reason to adopt default same-origin checks. For one thing, a malicious
font server can just use CORS to permit the link.

Rob
-- 
"He was pierced for our transgressions, he was crushed for our iniquities;
the punishment that brought us peace was upon him, and by his wounds we are
healed. We all, like sheep, have gone astray, each of us has turned to his
own way; and the LORD has laid on him the iniquity of us all." [Isaiah
53:5-6]
Received on Wednesday, 29 July 2009 21:07:42 GMT
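As an added illustration (not from Rob's mail, and not Gecko's code): a simplified JavaScript model of the policy described above, where a cross-site @font-face load succeeds only when it is same-origin or the font server opts in with a matching Access-Control-Allow-Origin header. The function names, the sample origins and the sample responses are invented for this example; the third sample also shows Rob's closing point, that any server can opt in, so the check is a control for the resource owner rather than a defence against hostile fonts.

```javascript
// Simplified model of a default same-origin + CORS check for @font-face
// loads, as described in the mail above. Illustrative only: this is not
// Gecko's code, and the function names are invented for this example.

// Serialise a URL's origin as scheme://host[:port]; the URL parser drops
// default ports, so https://a.example:443/x and https://a.example/x agree.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`;
}

// Case-insensitive lookup of a response header by name.
function header(headers, name) {
  const want = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === want) return String(headers[key]).trim();
  }
  return undefined;
}

// Decide whether a document at documentUrl may use a font fetched from
// fontUrl, given the font server's response headers.
function fontLoadAllowed(documentUrl, fontUrl, responseHeaders = {}) {
  const docOrigin = originOf(documentUrl);
  const fontOrigin = originOf(fontUrl);
  if (docOrigin === fontOrigin) {
    return { allowed: true, reason: "same-origin" };
  }
  // Cross-origin: the server must opt in via CORS. A hostile font server
  // can opt in just as easily, which is why this is not a malware defence.
  const acao = header(responseHeaders, "Access-Control-Allow-Origin");
  if (acao === undefined) {
    return { allowed: false, reason: "cross-origin and no CORS opt-in" };
  }
  if (acao === "*" || acao === docOrigin) {
    return { allowed: true, reason: `CORS opt-in (${acao})` };
  }
  return { allowed: false, reason: `CORS opt-in for ${acao}, not ${docOrigin}` };
}

// Constructed sample: a page on example.com pulling a font from a CDN.
const sampleResponses = [
  {},
  { "Access-Control-Allow-Origin": "https://example.com" },
  { "Access-Control-Allow-Origin": "https://other.example" },
];
for (const h of sampleResponses) {
  console.log(fontLoadAllowed("https://example.com/page.html",
                              "https://cdn.example.net/font.woff", h));
}
```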
