Re: css3-fonts: should not dictate usage policy with respect to origin from Glenn Adams on 2011-06-30 (www-font@w3.org from April to June 2011)

From: Glenn Adams <glenn@skynav.com>
Date: Thu, 30 Jun 2011 16:55:52 -0600
To: John Daggett <jdaggett@mozilla.com>
Cc: John Hudson <tiro@tiro.com>, liam@w3.org, StyleBeyondthePunchedCard <www-style@w3.org>, public-webfonts-wg@w3.org, www-font@w3.org, "Martin J." <duerst@it.aoyama.ac.jp>, Sylvain Galineau <sylvaing@microsoft.com>, Vladimir Levantovsky <Vladimir.Levantovsky@monotypeimaging.com>
Message-ID: <BANLkTin1YHqBC8JnFAp0Z5NjpAKH0qAdiQ@mail.gmail.com>

if EvilCompany does not include an Origin header in its request, then
BigCompany could not distinguish that request as coming from  a pre-HTML5 UA
(i.e., current conditions), in which this case devolves to the current read
scenario;

if BigCompany does not respond to fetches not containing an Origin, then
again EvilCompany can guess an origin that permits access, resulting in a
fetch;

EvilCompany does not need to use a UA, but can construct their own HTTP
client to accomplish this;

the scenario you offer only prevents access if *every* HTTP client, whether
UA or not, respects SOR;

On Thu, Jun 30, 2011 at 3:59 PM, John Daggett <jdaggett@mozilla.com> wrote:

>
> Glenn Adams wrote:
>
> > Regarding the last, please show me an attack based on font access that
> > SOR prevents.
>
> One possible attack scenario:
>
> BigCompany decides to design a new logo.  They commission a font
> containing a special glyph with that logo in it.  An access-restricted
> site is created using that custom font.  EvilCompany, a competitor,
> would like to know about that logo before it is released publicly.  They
> insert script in web ads on popular sites that systematically attempt
> to guess possible access-restricted URLs for the custom font.  An
> employee of BigCompany hits one of the pages on an external site
> containing one of EvilCompany's webads.
>
> If no origin restriction exists, the web ad code can access the font as
> long as they guess the right access-restricted URL and an
> employee of BigCompany happens to have access.  The script inserted in a
> webad by EvilCompany accesses the custom logo glyph and sends it back to
> an EvilCompany-controlled site.
>
> If font loads are restricted to same origin and the BigCompany hasn't
> explicitly enabled cross-origin loading via CORS, the web ad code will
> *never* be able to load the font even if their code guesses the right
> access-restricted URL, since it's origin is different.
>
> The scenario is the same one as in the WebGL example I noted earlier,
> without same origin restrictions content can be accessed via means
> that are not immediately obvious to the naive author.
>
> Regards,
>
> John Daggett
>

Received on Thursday, 30 June 2011 22:56:55 UTC