Re: CSS3 @font-face / EOT Fonts from Robert O'Callahan on 2008-11-07 (www-style@w3.org from November 2008)

From: Robert O'Callahan <robert@ocallahan.org>
Date: Fri, 7 Nov 2008 16:40:20 +1300
To: "Aryeh Gregor" <Simetrical@gmail.com>
Cc: "Tab Atkins Jr." <jackalmage@gmail.com>, "Mikko Rantalainen" <mikko.rantalainen@peda.net>, "www-style@w3.org" <www-style@w3.org>
Message-ID: <11e306600811061940v4b62e2beuf16e77c941fd37bd@mail.gmail.com>

On Fri, Nov 7, 2008 at 4:22 PM, Aryeh Gregor <Simetrical@gmail.com> wrote:

> On Thu, Nov 6, 2008 at 9:20 PM, Robert O'Callahan <robert@ocallahan.org>
> wrote:
> > It's been incredibly successful in some ways. It's also been incredibly
> > disastrous for security (when applied to scripts, images and IFRAMEs at
> > least).
>
> Same-origin restrictions are important for security, of course.  I
> just don't see it as being a great solution for DRM.  As far as
> security goes, I see no security difference here between the various
> proposals, since all allow remote-linking a font with at most the
> consent of the font's host (which the uploader of a malicious font
> would obviously grant).

Yeah, it's not about malicious fonts, but more about what evil.com can do if
it can load a font from intranet.example.com when visited by an
example.comuser. Perhaps not much, in the case of fonts. I just wanted
to mention that
allowing cross-origin loads has so far been "incredibly successful" only if
you ignore the massive security problems it has spawned.

> > I happen to agree with the "other side" that allowing anyone to link to
> any
> > font anywhere, unless the person hosting the font file has taken explicit
> > steps to forbid, makes it too easy for people to do the wrong thing.
>
> Isn't this an identical situation to images?  Do you think the web
> would be better if linking to images across domains was opt-in (and
> opting in required messing with web server configuration)?
>

It certainly would be a lot better, but mainly for security reasons. It
would be slightly better in terms of server owners controlling their
resources, because I expect most sites expect their images to be used only
on their pages.

I did say that last bit you quoted too strongly. Even if we allowed
unrestricted linking you wouldn't see significant *commercial* sites (which
is presumably where the potential revenue is for font vendors) linking to
fonts on sites they don't control, simply because it's stupid to depend on
resources outside your control that way. So in a sense it wouldn't really
matter.

Rob
-- 
"He was pierced for our transgressions, he was crushed for our iniquities;
the punishment that brought us peace was upon him, and by his wounds we are
healed. We all, like sheep, have gone astray, each of us has turned to his
own way; and the LORD has laid on him the iniquity of us all." [Isaiah
53:5-6]

Received on Friday, 7 November 2008 03:41:07 UTC