W3C home > Mailing lists > Public > www-style@w3.org > June 2011

Re: css3-fonts: should not dictate usage policy with respect to origin

From: Glenn Adams <glenn@skynav.com>
Date: Thu, 30 Jun 2011 17:06:09 -0600
Message-ID: <BANLkTim-SXPFyo5SKm9tdikWRNRUJrNbZw@mail.gmail.com>
To: Sylvain Galineau <sylvaing@microsoft.com>
Cc: John Daggett <jdaggett@mozilla.com>, John Hudson <tiro@tiro.com>, "liam@w3.org" <liam@w3.org>, StyleBeyondthePunchedCard <www-style@w3.org>, "public-webfonts-wg@w3.org" <public-webfonts-wg@w3.org>, "www-font@w3.org" <www-font@w3.org>, "Martin J." <duerst@it.aoyama.ac.jp>, Vladimir Levantovsky <Vladimir.Levantovsky@monotypeimaging.com>
sure, let's go ITU (or the U.N.) and get a universal mandate, then you may
get what you want... in the mean time... business (access) as usual...

apparently we allow idealism to influence our thinking in different degrees;
at 60+, i've moved on from the idealism of my 20s

On Thu, Jun 30, 2011 at 5:01 PM, Sylvain Galineau <sylvaing@microsoft.com>wrote:

>  “the scenario you offer only prevents access if *every* HTTP client,
> whether UA or not, respects SOR;”****
>
> ** **
>
> Well, gee, doesn’t that sound like something worth standardizing on then ?
> ****
>
> ** **
>
> ** **
>
> *From:* Glenn Adams [mailto:glenn@skynav.com]
> *Sent:* Thursday, June 30, 2011 3:56 PM
> *To:* John Daggett
> *Cc:* John Hudson; liam@w3.org; StyleBeyondthePunchedCard;
> public-webfonts-wg@w3.org; www-font@w3.org; Martin J.; Sylvain Galineau;
> Vladimir Levantovsky
>
> *Subject:* Re: css3-fonts: should not dictate usage policy with respect to
> origin****
>
>  ** **
>
> if EvilCompany does not include an Origin header in its request, then
> BigCompany could not distinguish that request as coming from  a pre-HTML5 UA
> (i.e., current conditions), in which this case devolves to the current read
> scenario;****
>
> ** **
>
> if BigCompany does not respond to fetches not containing an Origin, then
> again EvilCompany can guess an origin that permits access, resulting in a
> fetch;****
>
> ** **
>
> EvilCompany does not need to use a UA, but can construct their own HTTP
> client to accomplish this;****
>
> ** **
>
> the scenario you offer only prevents access if *every* HTTP client, whether
> UA or not, respects SOR;****
>
> ** **
>
> On Thu, Jun 30, 2011 at 3:59 PM, John Daggett <jdaggett@mozilla.com>
> wrote:****
>
>
> Glenn Adams wrote:
>
> > Regarding the last, please show me an attack based on font access that
> > SOR prevents.
>
> One possible attack scenario:
>
> BigCompany decides to design a new logo.  They commission a font
> containing a special glyph with that logo in it.  An access-restricted
> site is created using that custom font.  EvilCompany, a competitor,
> would like to know about that logo before it is released publicly.  They
> insert script in web ads on popular sites that systematically attempt
> to guess possible access-restricted URLs for the custom font.  An
> employee of BigCompany hits one of the pages on an external site
> containing one of EvilCompany's webads.
>
> If no origin restriction exists, the web ad code can access the font as
> long as they guess the right access-restricted URL and an
> employee of BigCompany happens to have access.  The script inserted in a
> webad by EvilCompany accesses the custom logo glyph and sends it back to
> an EvilCompany-controlled site.
>
> If font loads are restricted to same origin and the BigCompany hasn't
> explicitly enabled cross-origin loading via CORS, the web ad code will
> *never* be able to load the font even if their code guesses the right
> access-restricted URL, since it's origin is different.
>
> The scenario is the same one as in the WebGL example I noted earlier,
> without same origin restrictions content can be accessed via means
> that are not immediately obvious to the naive author.
>
> Regards,
>
> John Daggett****
>
> ** **
>
Received on Thursday, 30 June 2011 23:06:58 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 17:20:41 GMT