Re: Cross-Origin Resource Embedding Restrictions from Maciej Stachowiak on 2011-03-01 (public-webapps@w3.org from January to March 2011)

From: Maciej Stachowiak <mjs@apple.com>
Date: Mon, 28 Feb 2011 23:57:38 -0800
To: Anne van Kesteren <annevk@opera.com>
Cc: WebApps WG <public-webapps@w3.org>
Message-id: <DA4DED88-C763-47B3-A046-6E9FBBC03568@apple.com>

For what it's worth, I think this is a useful draft and a useful technology. Hotlinking prevention is of considerable interest to Web developers, and doing it via server-side Referer checks is inconvenient and error-prone. I hope we can fit it into Web Apps WG, or if not, find another goo home for it at the W3C.

One thing I am not totally clear on is how this would fit into CSP. A big focus for CSP is to enable site X to have a policy that prevents it from accidentally including scripts from site Y, and things of that nature. In other words, voluntarily limit the embedding capabilities of site X itself But the desired feature is kind of the opposite of that. I think it would be confusing to stretch CSP to this use case, much as it would have been confusing to reuse CORS for this purpose.

Regards,
Maciej

On Feb 28, 2011, at 11:35 PM, Anne van Kesteren wrote:

> Hi,
> 
> The WebFonts WG is looking for a way to prevent cross-origin embedding of fonts as certain font vendors want to license their fonts with such a restriction. Some people think CORS is appropriate for this, some don't. Here is some background material:
> 
> http://weblogs.mozillazine.org/roc/archives/2011/02/distinguishing.html
> http://annevankesteren.nl/2011/02/web-platform-consistency
> http://lists.w3.org/Archives/Public/public-webfonts-wg/2011Feb/0066.html
> 
> 
> More generally, having a way to prevent cross-origin embedding of resources can be useful. In addition to license enforcement it can help with:
> 
> * Bandwidth "theft"
> * Clickjacking
> * Privacy leakage
> 
> To that effect I wrote up a draft that complements CORS. Rather than enabling sharing of resources, it allows for denying the sharing of resources:
> 
> http://dvcs.w3.org/hg/from-origin/raw-file/tip/Overview.html
> 
> And although it might end up being part of the Content Security Policy work I think it would be useful if publish a Working Draft of this work to gather more input, committing us nothing.
> 
> What do you think?
> 
> Kind regards,
> 
> 
> -- 
> Anne van Kesteren
> http://annevankesteren.nl/
>

Received on Tuesday, 1 March 2011 07:58:13 UTC