- From: Dirk Pranke <dpranke@chromium.org>
- Date: Wed, 5 May 2010 09:28:21 -0700
- To: Jeffrey Veen <jeff@typekit.com>
- Cc: www-font@w3.org
On Tue, May 4, 2010 at 3:57 PM, Jeffrey Veen <jeff@typekit.com> wrote:
> On Tue, May 4, 2010 at 2:19 PM, Levantovsky, Vladimir
> <Vladimir.Levantovsky@monotypeimaging.com> wrote:
>
>> It seems that same-origin restriction by default makes perfect sense for any resource,
>> and while I lament that it wasn't implemented for other resources, I do not see any
>> reason why it should not be in place for fonts and other resources going forward.
>
> Hasn't HTTP Referrer Checking been the solution to this thus far? As
> far back as I can remember, people have been using it to avoid
> hot-linking of images and other assets.

Referer checking can help here, but it does have issues that lead to it getting filtered in the network in some cases. I refer you to Adam Barth's paper, "Robust Defenses for Cross-Site Request Forgery" [1], that led to the proposal for the Origin header (which is essentially what CORS is using).

-- Dirk

[1] http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf
Received on Wednesday, 5 May 2010 16:28:51 UTC
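The contrast Dirk draws above, as an added example that is not part of the thread and not code from Typekit, W3C or any browser: a hypothetical font host that decides whether to serve a font file either by the classic Referer hot-link check or by an Origin/CORS allow-list. The host name fonts.example, the customer sites on the allow-list and the request header sets are all constructed for the example. The interesting case is the second request, where a privacy proxy has stripped Referer but left Origin: the Referer check wrongly refuses a legitimate visitor, while the Origin check still answers correctly.

```javascript
// Added example (not from the www-font thread): Referer-based hot-link
// protection versus an Origin/CORS allow-list for a font served from a
// hypothetical host, fonts.example. All names and requests are constructed.

const ALLOWED_ORIGINS = new Set([
  "https://www.example", // assumed customer sites permitted to embed the font
  "https://blog.example",
]);

// HTTP header names are case-insensitive; normalise them for lookup.
function lower(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Classic hot-link protection: trust the Referer header.
// It fails closed whenever a proxy, browser privacy setting or referrer
// policy strips the header, so visitors of an allowed site may get no font.
function refererCheck(rawHeaders, allowed = ALLOWED_ORIGINS) {
  const h = lower(rawHeaders);
  const ref = h["referer"];
  if (ref === undefined || ref === "") {
    return { allowed: false, reason: "no Referer (stripped or never sent)" };
  }
  let origin;
  try {
    origin = new URL(ref).origin; // scheme://host[:port] of the referring page
  } catch {
    return { allowed: false, reason: "malformed Referer" };
  }
  return allowed.has(origin)
    ? { allowed: true, reason: "Referer origin on allow-list" }
    : { allowed: false, reason: "Referer origin not on allow-list" };
}

// CORS-style check: trust the Origin header, which browsers attach to
// cross-origin font fetches and which carries only scheme/host/port, not the
// full page URL. Returns the response headers to emit when permitted.
function corsCheck(rawHeaders, allowed = ALLOWED_ORIGINS) {
  const h = lower(rawHeaders);
  const origin = h["origin"];
  if (origin === undefined) {
    // No Origin: a same-origin fetch or a non-browser client. CORS cannot
    // restrict the latter; it is a browser-enforced policy, not DRM.
    return { allowed: true, reason: "not a cross-origin browser request", responseHeaders: {} };
  }
  // "null" is what sandboxed documents and some redirects send; never trust it.
  if (origin === "null" || !allowed.has(origin)) {
    return { allowed: false, reason: `Origin ${origin} not on allow-list` };
  }
  return {
    allowed: true,
    reason: "Origin on allow-list",
    // Echo the specific origin rather than "*" and tell caches the answer
    // depends on the Origin header.
    responseHeaders: { "Access-Control-Allow-Origin": origin, "Vary": "Origin" },
  };
}

// Constructed request header sets (not captured traffic).
const SAMPLE_REQUESTS = {
  normal: { Host: "fonts.example", Origin: "https://www.example", Referer: "https://www.example/post/1" },
  refererStripped: { Host: "fonts.example", Origin: "https://www.example" },
  hotlinker: { Host: "fonts.example", Origin: "https://evil.example", Referer: "https://evil.example/" },
  sandboxed: { Host: "fonts.example", Origin: "null" },
};

// Run both checks over every sample request and tabulate the decisions.
function compare(requests = SAMPLE_REQUESTS) {
  const rows = {};
  for (const [name, headers] of Object.entries(requests)) {
    rows[name] = { referer: refererCheck(headers).allowed, cors: corsCheck(headers).allowed };
  }
  return rows;
}
```

Calling `compare()` yields `normal: {referer: true, cors: true}`, `refererStripped: {referer: false, cors: true}`, `hotlinker: {referer: false, cors: false}` and `sandboxed: {referer: false, cors: false}`. Neither check stops a non-browser client from downloading the file; both only govern what a conforming browser will use on a page.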