RE: About using CORS


> -----Original Message-----
> From: Anne van Kesteren [mailto:annevk@opera.com]
> 
> Indeed, I'm not convinced it has been proven otherwise. The existence of
> the WebFonts WG does not demonstrate that in one way or another I think.

Sorry, but it does. I suggest perusing the www-font and www-style archives
on this topic. There would be no need for a dedicated WG if these resources
were like images. Unless there is a WG dedicated to the encoding of image
types that I don't know about?

> HTTP compression works just fine for fonts. That font vendors are willing
> to license fonts with this new format which offers no protection in
> practice is surprising, but maybe it makes it worth the effort.

I am not commenting on whether fonts *can* be compressed by HTTP, but
whether resources *are* compressed by HTTP and how often. In practice, 
as many as 20% of the users of major sites do not in fact get a compressed 
response due to caching proxy strategies.



> 
> > For a bunch of reasons - some technical, some not - this resulted in a
> > new cross-browser format and other related implementation decisions. For
> > CORS specifically, I understand the main motivation was security. Fonts
> > include small bits of code (opcodes actually) and thus do not have quite
> > the same security surface as an image file. Also, fonts have generally not
> > been as actively targeted for exploits as other resource formats; it thus
> > seems reasonable to assume the underlying decoders to be relatively less
> > hardened than, say, the latest PNG decoder.
> 
> This is just plain FUD. If font resources are insecure that is a problem
> regardless of whether font loading has a same-origin limitation.

Labeling things you disagree with as FUD is neither helpful nor necessary.
If font decoding is less secure than other content types, same-origin
restrictions mitigate the risk somewhat by requiring the attacker to be
able to post font resources on the origin site. (At which point, well,
all bets are off...) Without that restriction, the attack surface is
most definitely larger.


> It does not fit at all with how same-origin restrictions have been
> determined and applied so far.

And?

Received on Monday, 3 May 2010 22:04:45 UTC