W3C home > Mailing lists > Public > www-style@w3.org > June 2011

Re: css3-fonts: should not dictate usage policy with respect to origin

From: L. David Baron <dbaron@dbaron.org>
Date: Wed, 29 Jun 2011 13:01:09 -0700
To: Glenn Adams <glenn@skynav.com>
Cc: John Daggett <jdaggett@mozilla.com>, John Hudson <tiro@tiro.com>, Vladimir Levantovsky <Vladimir.Levantovsky@monotypeimaging.com>, liam@w3.org, www-style@w3.org, public-webfonts-wg@w3.org, www-font@w3.org, Martin J. Dürst <duerst@it.aoyama.ac.jp>, Sylvain Galineau <sylvaing@microsoft.com>
Message-ID: <20110629200109.GA9211@pickering.dbaron.org>
On Wednesday 2011-06-29 12:39 -0600, Glenn Adams wrote:
> On Wed, Jun 29, 2011 at 11:55 AM, John Daggett <jdaggett@mozilla.com> wrote:
> > As background, I think it would be useful to read through a description of a
> > recent WebGL security issue below.  The context is slightly different but
> > the issue is the same, especially what is described in the section
> > "Cross-Domain Image Theft":
> >
> >  http://www.contextis.com/resources/blog/webgl/
> >
> >
> i will take a look at this, but it sounds like "content protection" and DRM
> scope to me just from the phrase "image theft"

The general concern with cross-domain data theft is attacks like one
of these (which are both examples involving images):

  1) https://www.evilwebmail.com/ , which users tend to leave open in
  a tab for a long period of time, tries every minute to load the
  image https://www.popularbank.com/mybalancegraph.png , and if it
  does (because the user uses that bank, and has logged in to her
  bank, which uses only cookies to check login status), transmits
  the contents to evilwebmail.com's servers so that the owners of
  evilwebmail.com can determine which of their users' bank accounts
  are worth breaking into.

  2) http://evilnewssite.com/ has articles on it about technology
  companies, and they'd like to learn company secrets.  So each
  article, when it's loaded, tries to load the image at
  http://internalcompanyhost/productplan2012/diagram.png , and, if
  it loads (because the user is actually on the targeted internal
  network), transmit it back to the server.


L. David Baron                                 http://dbaron.org/
Mozilla Corporation                       http://www.mozilla.com/
Received on Wednesday, 29 June 2011 20:01:52 UTC

This archive was generated by hypermail 2.3.1 : Monday, 2 May 2016 14:38:47 UTC