Re: css3-fonts: should not dictate usage policy with respect to origin

From: John Daggett <jdaggett@mozilla.com>
Date: Thu, 30 Jun 2011 14:59:14 -0700 (PDT)
To: Glenn Adams <glenn@skynav.com>
Cc: John Hudson <tiro@tiro.com>, liam@w3.org, StyleBeyondthePunchedCard <www-style@w3.org>, public-webfonts-wg@w3.org, www-font@w3.org, "Martin J." <duerst@it.aoyama.ac.jp>, Sylvain Galineau <sylvaing@microsoft.com>, Vladimir Levantovsky <Vladimir.Levantovsky@monotypeimaging.com>
Message-ID: <419168569.395631.1309471154030.JavaMail.root@zimbra1.shared.sjc1.mozilla.com>

Glenn Adams wrote:

> Regarding the last, please show me an attack based on font access that
> SOR prevents.

One possible attack scenario:

BigCompany decides to design a new logo.  They commission a font
containing a special glyph with that logo in it.  An access-restricted
site is created using that custom font.  EvilCompany, a competitor,
would like to know about that logo before it is released publicly.  They
insert script in web ads on popular sites that systematically attempt
to guess possible access-restricted URLs for the custom font.  An
employee of BigCompany hits one of the pages on an external site
containing one of EvilCompany's webads.

If no origin restriction exists, the web ad code can access the font as
long as they guess the right access-restricted URL and an
employee of BigCompany happens to have access.  The script inserted in a
webad by EvilCompany accesses the custom logo glyph and sends it back to
an EvilCompany-controlled site.

If font loads are restricted to same origin and BigCompany hasn't
explicitly enabled cross-origin loading via CORS, the web ad code will
*never* be able to load the font even if their code guesses the right
access-restricted URL, since its origin is different.

The scenario is the same one as in the WebGL example I noted earlier:
without same origin restrictions, content can be accessed via means
that are not immediately obvious to the naive author.

Regards,

John Daggett
Received on Thursday, 30 June 2011 21:59:55 GMT
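
The load decision described in the message above, modeled as an added example (not part of the original thread and not any browser's code). The hostnames, function names and sample headers are constructed, and the model assumes a font request sent without credentials.

```javascript
// Added illustration of the same-origin / CORS opt-in decision for font loads.
// All hostnames are constructed placeholders.

// An origin is scheme + host + port; the URL parser normalises default ports.
function originOf(url) {
  return new URL(url).origin;
}

// Access-Control-Allow-Origin admits exactly one origin or "*".
// Lists, prefixes and substrings do not match.
function acaoAllows(headerValue, requestingOrigin) {
  if (typeof headerValue !== "string") return false;
  const value = headerValue.trim();
  // Caveat for defenders: "*" on an access-restricted font re-opens the
  // scenario from the message, because any page's origin is then admitted.
  return value === "*" || value === requestingOrigin;
}

// Decide whether a page may use a font, given the font response headers.
function mayUseFont(pageUrl, fontUrl, responseHeaders = {}) {
  const pageOrigin = originOf(pageUrl);
  if (pageOrigin === originOf(fontUrl)) {
    return { allowed: true, reason: "same-origin" };
  }
  // HTTP header names are case-insensitive.
  const entry = Object.entries(responseHeaders)
    .find(([name]) => name.toLowerCase() === "access-control-allow-origin");
  if (entry && acaoAllows(entry[1], pageOrigin)) {
    return { allowed: true, reason: "cors-opt-in" };
  }
  return { allowed: false, reason: "cross-origin-no-opt-in" };
}

// Constructed sample cases mirroring the message.
const FONT = "https://intranet.bigcompany.example:443/fonts/logo.woff";
const cases = [
  ["https://intranet.bigcompany.example/brand/", {}],
  ["https://ads.evilcompany.example/ad.html", {}],
  ["http://intranet.bigcompany.example/brand/", {}], // scheme differs
  ["https://partner.example/preview",
    { "access-control-allow-origin": "https://partner.example" }],
  ["https://ads.evilcompany.example/ad.html",
    { "Access-Control-Allow-Origin": "https://partner.example" }],
];
for (const [page, headers] of cases) {
  const verdict = mayUseFont(page, FONT, headers);
  console.log(page, "->", verdict.allowed ? "load" : "block", `(${verdict.reason})`);
}
```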