
Re: css3-fonts: should not dictate usage policy with respect to origin

From: Glenn Adams <glenn@skynav.com>
Date: Thu, 30 Jun 2011 17:01:12 -0600
Message-ID: <BANLkTikQY_e0_TsU0k_y8JghB8WwPcnLZA@mail.gmail.com>
To: Tab Atkins <tabatkins@google.com>
Cc: Brad Kemper <brad.kemper@gmail.com>, John Daggett <jdaggett@mozilla.com>, John Hudson <tiro@tiro.com>, Vladimir Levantovsky <Vladimir.Levantovsky@monotypeimaging.com>, "liam@w3.org" <liam@w3.org>, StyleBeyondthePunchedCard <www-style@w3.org>, "public-webfonts-wg@w3.org" <public-webfonts-wg@w3.org>, "www-font@w3.org" <www-font@w3.org>, "Martin J." <duerst@it.aoyama.ac.jp>, Sylvain Galineau <sylvaing@microsoft.com>
If this argument applies, then the same logic driving SOR on font fetches
should be used on every type of fetch, including images; if the W3C came out
and said "we are going to systematically transition our specs so that all
fetches require SOR" as a preventative measure against possible attacks,
then we probably wouldn't be having this conversation.

However, I have asked what is special about fonts that requires SOR that
does not apply to text/plain, image/png, application/xml, etc., and I have
not received an answer other than "we need a mechanism to enforce EULAs".

On Thu, Jun 30, 2011 at 4:38 PM, Tab Atkins <tabatkins@google.com> wrote:

> On Thu, Jun 30, 2011 at 3:35 PM, Brad Kemper <brad.kemper@gmail.com> wrote:
> > If there is a corporate font or specialized dingbat font that is only
> > loaded and used when a person has signed into a secure site (for online
> > banking, let's say), then an attacker whose site is open in another window
> > or tab can find out about it using the method Tab described earlier. That
> > is information leakage that would allow the attacker to know when to
> > attack. He could, for instance, pop open a small window that says, "you
> > are about to be automatically signed out. Click OK to stay signed in." And
> > then the OK button would lead to a phishing site that looked just like the
> > online banking site, and a lot of users wouldn't realize it. That is a
> > security risk that has nothing to do with EULAs.
>
> In other words, betting that a particular filetype will never be used
> in malicious attacks is a good way to lose money.  ^_^
>
> ~TJ
>
Received on Thursday, 30 June 2011 23:02:07 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 30 June 2011 23:02:08 GMT