Re: css3-fonts: should not dictate usage policy with respect to origin

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Thu, 30 Jun 2011 16:53:29 -0400
Message-ID: <4E0CE249.4080005@mit.edu>
To: www-style@w3.org

On 6/30/11 4:42 PM, Glenn Adams wrote:
> So, as I've previously said, this is only about content protection
> mechanisms and their enforcement. There is no security risk on the part
> of the end user

Let's be concrete here.  Say you're the user.  You have a document up on 
Google Docs.  This document is not public.  You have to be logged in as 
yourself to access it.

Is there risk on your part if some random website can read the document 
just because you happen to visit it while logged in to Google Docs in 
another browser window?

If not, then I think we're done here: we fundamentally disagree on what 
constitutes risk to users.

If there is risk to the user in this situation, then does it matter what 
form of document it is?  Word document, spreadsheet, image, HTML page, 
something else?  If it does not, then what's special about fonts?  If it 
does matter, then why?

The fact is, cross-site access to resources that can only be gotten with 
the user's credentials leaks information about the user to third 
parties.  This is a security risk on the part of the user.

-Boris
Received on Thursday, 30 June 2011 20:54:11 GMT