Fwd: fyi: Cross-Origin Resource Embedding Restrictions

This may be of interest to www-tag.

Noah

-------- Original Message --------
Subject: fyi: Cross-Origin Resource Embedding Restrictions
Resent-Date: Tue, 01 Mar 2011 17:38:42 +0000
Resent-From: public-web-security@w3.org
Date: Tue, 01 Mar 2011 09:36:11 -0800
From: =JeffH <Jeff.Hodges@KingsMountain.com>
To: W3C Web Security Interest Group <public-web-security@w3.org>

fyi, of possible interest...

thread rooted here..

http://lists.w3.org/Archives/Public/public-webapps/2011JanMar/0710.html

[probably best to keep discussion of this specific thing on public-webapps@ 
for
now]

Subject: Cross-Origin Resource Embedding Restrictions
From: "Anne van Kesteren" <annevk@opera.com>
Date: Tue, 01 Mar 2011 08:35:33 +0100
To: "WebApps WG" <public-webapps@w3.org>

Hi,

The WebFonts WG is looking for a way to prevent cross-origin embedding of
fonts as certain font vendors want to license their fonts with such a
restriction. Some people think CORS is appropriate for this, some don't.
Here is some background material:

http://weblogs.mozillazine.org/roc/archives/2011/02/distinguishing.html
http://annevankesteren.nl/2011/02/web-platform-consistency
http://lists.w3.org/Archives/Public/public-webfonts-wg/2011Feb/0066.html


More generally, having a way to prevent cross-origin embedding of
resources can be useful. In addition to license enforcement it can help
with:

   * Bandwidth "theft"
   * Clickjacking
   * Privacy leakage

To that effect I wrote up a draft that complements CORS. Rather than
enabling sharing of resources, it allows for denying the sharing of
resources:

http://dvcs.w3.org/hg/from-origin/raw-file/tip/Overview.html

And although it might end up being part of the Content Security Policy
work I think it would be useful if publish a Working Draft of this work to
gather more input, committing us nothing.

What do you think?

Kind regards,


-- 
Anne van Kesteren
http://annevankesteren.nl/

Received on Tuesday, 1 March 2011 18:20:28 UTC