W3C home > Mailing lists > Public > www-style@w3.org > June 2011

Re: css3-fonts: should not dictate usage policy with respect to origin

From: Tab Atkins <tabatkins@google.com>
Date: Mon, 20 Jun 2011 12:28:51 -0700
Message-ID: <BANLkTikeB9EtEjjRfvzg5xai25s3nxozQV_OX-d9nDRZPB0AQg@mail.gmail.com>
To: Glenn Adams <glenn@skynav.com>
Cc: John Hudson <tiro@tiro.com>, "Levantovsky, Vladimir" <Vladimir.Levantovsky@monotypeimaging.com>, Florian Rivoal <florianr@opera.com>, Martin J. Dürst <duerst@it.aoyama.ac.jp>, Jonathan Kew <jonathan@jfkew.plus.com>, "Tab Atkins Jr." <jackalmage@gmail.com>, W3C Style <www-style@w3.org>, 3668 FONT <public-webfonts-wg@w3.org>, www-font@w3.org
On Mon, Jun 20, 2011 at 12:17 PM, Glenn Adams <glenn@skynav.com> wrote:
> On Mon, Jun 20, 2011 at 1:06 PM, John Hudson <tiro@tiro.com> wrote:
>> Glenn wrote:
>>
>>> I believe we could agree to the first, but not to the second. In fact, we
>>> want to make the second to read as:
>>
>>>       UAs MUST NOT, by default, treat webfont resources as
>>>       same origin restricted.
>>
>>> In the absence of an author declaring either a restriction or a
>>> relaxation, we believe the default should be NO restriction.
>>
>> For all resources, or for webfonts in particular?
>>
>> May I echo Tab's question, and ask why? I'd like to get a clearer idea of
>> whether Samsung's position is essentially a matter of principle or has some
>> particular practical import for UAs.
>
> All. Because that is the way the Web works today.

The web currently allows embedding resources freely, while reading is
same-origin restricted.  As we repeatedly discover, though, the
ability to embed almost always translates into the ability to read,
because it's nearly impossible to prevent all manner of information
leaks; web browsers are not secure against timing-channel attacks in
general.

Robert O'Callahan, a senior Mozilla hacker, explains at length in
<http://weblogs.mozillazine.org/roc/archives/2011/02/distinguishing.html>
why this reading vs embedding distinction is generally a bad thing,
and is pretty much just a result of legacy requirements.  Back when
browsers were first created, there was no way to "read" a resource, so
freely embedding was fine.  However, there's very little use-case for
allowing embedding without reading, and thus, he argues, we should do
away with this distinction for all resources in the future and just
protect things with SOR by default.

~TJ
Received on Monday, 20 June 2011 19:29:17 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 17:20:41 GMT