- From: Glenn Adams <glenn@skynav.com>
- Date: Thu, 30 Jun 2011 17:06:09 -0600
- To: Sylvain Galineau <sylvaing@microsoft.com>
- Cc: John Daggett <jdaggett@mozilla.com>, John Hudson <tiro@tiro.com>, "liam@w3.org" <liam@w3.org>, StyleBeyondthePunchedCard <www-style@w3.org>, "public-webfonts-wg@w3.org" <public-webfonts-wg@w3.org>, "www-font@w3.org" <www-font@w3.org>, "Martin J." <duerst@it.aoyama.ac.jp>, Vladimir Levantovsky <Vladimir.Levantovsky@monotypeimaging.com>
- Message-ID: <BANLkTim-SXPFyo5SKm9tdikWRNRUJrNbZw@mail.gmail.com>
sure, let's go ITU (or the U.N.) and get a universal mandate, then you may get what you want... in the mean time... business (access) as usual... apparently we allow idealism to influence our thinking in different degrees; at 60+, i've moved on from the idealism of my 20s On Thu, Jun 30, 2011 at 5:01 PM, Sylvain Galineau <sylvaing@microsoft.com>wrote: > “the scenario you offer only prevents access if *every* HTTP client, > whether UA or not, respects SOR;”**** > > ** ** > > Well, gee, doesn’t that sound like something worth standardizing on then ? > **** > > ** ** > > ** ** > > *From:* Glenn Adams [mailto:glenn@skynav.com] > *Sent:* Thursday, June 30, 2011 3:56 PM > *To:* John Daggett > *Cc:* John Hudson; liam@w3.org; StyleBeyondthePunchedCard; > public-webfonts-wg@w3.org; www-font@w3.org; Martin J.; Sylvain Galineau; > Vladimir Levantovsky > > *Subject:* Re: css3-fonts: should not dictate usage policy with respect to > origin**** > > ** ** > > if EvilCompany does not include an Origin header in its request, then > BigCompany could not distinguish that request as coming from a pre-HTML5 UA > (i.e., current conditions), in which this case devolves to the current read > scenario;**** > > ** ** > > if BigCompany does not respond to fetches not containing an Origin, then > again EvilCompany can guess an origin that permits access, resulting in a > fetch;**** > > ** ** > > EvilCompany does not need to use a UA, but can construct their own HTTP > client to accomplish this;**** > > ** ** > > the scenario you offer only prevents access if *every* HTTP client, whether > UA or not, respects SOR;**** > > ** ** > > On Thu, Jun 30, 2011 at 3:59 PM, John Daggett <jdaggett@mozilla.com> > wrote:**** > > > Glenn Adams wrote: > > > Regarding the last, please show me an attack based on font access that > > SOR prevents. > > One possible attack scenario: > > BigCompany decides to design a new logo. They commission a font > containing a special glyph with that logo in it. An access-restricted > site is created using that custom font. EvilCompany, a competitor, > would like to know about that logo before it is released publicly. They > insert script in web ads on popular sites that systematically attempt > to guess possible access-restricted URLs for the custom font. An > employee of BigCompany hits one of the pages on an external site > containing one of EvilCompany's webads. > > If no origin restriction exists, the web ad code can access the font as > long as they guess the right access-restricted URL and an > employee of BigCompany happens to have access. The script inserted in a > webad by EvilCompany accesses the custom logo glyph and sends it back to > an EvilCompany-controlled site. > > If font loads are restricted to same origin and the BigCompany hasn't > explicitly enabled cross-origin loading via CORS, the web ad code will > *never* be able to load the font even if their code guesses the right > access-restricted URL, since it's origin is different. > > The scenario is the same one as in the WebGL example I noted earlier, > without same origin restrictions content can be accessed via means > that are not immediately obvious to the naive author. > > Regards, > > John Daggett**** > > ** ** >
Received on Thursday, 30 June 2011 23:06:57 UTC