- From: Robert O'Callahan <robert@ocallahan.org>
- Date: Thu, 30 Jul 2009 09:07:07 +1200
- To: Dirk Pranke <dpranke@google.com>
- Cc: Sylvain Galineau <sylvaing@microsoft.com>, "www-font@w3.org" <www-font@w3.org>
- Message-ID: <11e306600907291407q2bf6f84dw5467feaa79e7f607@mail.gmail.com>
On Thu, Jul 30, 2009 at 5:26 AM, Dirk Pranke <dpranke@google.com> wrote:

> On Wed, Jul 29, 2009 at 6:43 AM, Sylvain Galineau <sylvaing@microsoft.com> wrote:
> > From: www-font-request@w3.org [www-font-request@w3.org] on behalf of Dirk Pranke [dpranke@google.com]
> >
> >> (e) There may be objections that using same-origin and/or CORS as a
> >> lightweight form of license restriction is anathema to the web as a
> >> whole, and hence browser implementors might be very loath to
> >> implement something like this for fear of setting bad precedents.
> >
> > Firefox already does this.
>
> Agreed, but I believe they do it for security concerns, not licensing
> concerns (although I'm not positive about this). I do know that the
> conversations about this in WebKit revolve primarily around security
> concerns.

You don't have to guess. We've explained before why we do it, but I'm happy to explain it again, for good measure.

-- As a general rule, allowing one site access to information from arbitrary other sites is a problem. It leads to attacks like router profiling attacks, intranet information leaks, and the like. If we could rebuild the Web from the ground up, we'd have default same-origin checks for all resource inclusions, and all those attacks would have been blocked from the outset. It's too late for images, stylesheets and scripts, but doing it for new kinds of resource inclusions may have some value. (I say "may" because it depends on how the Web evolves, how fonts are used, and how ingenious the villains are. No-one predicted the attacks using cross-site image, script and stylesheet loads before it was too late.)

-- As a general rule, it seems good to offer Web authors the ability to control who uses their served resources. A default same-origin restriction + CORS seems the best available way to provide that control --- more convenient, more reliable, and with better user privacy than Referer checking. Web authors can use this control to achieve various useful goals, including preventing freeloaders from consuming server bandwidth, and complying with font licenses.

-- The inconvenience to authors of requiring CORS to enable cross-site linking seems to be small. I'm not aware of any complaints from authors that it is a significant barrier to deployment. (In contrast, when we looked at the same issue for HTML video, there were a lot of author complaints that a default same-origin restriction would be a major deployment barrier, so we didn't do it there.)

Preventing links to malicious fonts that might compromise the browser is not a reason to adopt default same-origin checks. For one thing, a malicious font server can just use CORS to permit the link.

Rob
--
"He was pierced for our transgressions, he was crushed for our iniquities; the punishment that brought us peace was upon him, and by his wounds we are healed. We all, like sheep, have gone astray, each of us has turned to his own way; and the LORD has laid on him the iniquity of us all." [Isaiah 53:5-6]
Received on Wednesday, 29 July 2009 21:07:42 UTC
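The default same-origin check plus CORS opt-in that the mail describes for font loads, as an added worked example (not code from the thread, from Firefox, or from any browser): a small JavaScript model of the browser-side decision and of a font host's origin allow list. It assumes a plain GET for the font with no credentials and no preflight, so only the Access-Control-Allow-Origin response header is considered; the domains, URLs and allow list are constructed sample values. The last scenario illustrates Rob's closing point: a host that answers with `Access-Control-Allow-Origin: *` is usable from anywhere, so the check says nothing about whether the font itself is trustworthy.

```javascript
// Added example, not code from the thread or from any browser: a minimal model of
// the default same-origin check plus CORS that the mail describes for @font-face
// loads. Assumptions: a plain GET for the font (no credentials, no preflight), so
// only the Access-Control-Allow-Origin response header matters. All URLs and
// origins below are constructed sample values.

// An origin is scheme + host + port; URL.origin gives it in canonical form,
// e.g. "https://example.com" or "http://intranet.example:8080".
function originOf(urlString) {
  return new URL(urlString).origin;
}

// Case-insensitive header lookup over a plain {name: value} object.
function headerLookup(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

// Browser side: may a document at documentUrl use the font fetched from fontUrl,
// given the response headers the font host returned?
function fontLoadAllowed(documentUrl, fontUrl, responseHeaders) {
  const docOrigin = originOf(documentUrl);
  const fontOrigin = originOf(fontUrl);
  if (docOrigin === fontOrigin) {
    return { allowed: true, reason: 'same-origin load, no CORS needed' };
  }
  const acao = headerLookup(responseHeaders, 'access-control-allow-origin');
  if (acao === undefined) {
    return { allowed: false, reason: 'cross-origin load without Access-Control-Allow-Origin' };
  }
  const value = acao.trim();
  if (value === '*') {
    return { allowed: true, reason: 'cross-origin load, host allows any origin' };
  }
  if (value === docOrigin) {
    return { allowed: true, reason: 'cross-origin load, host explicitly allows this origin' };
  }
  return { allowed: false, reason: `cross-origin load, host allows only ${value}` };
}

// Server side: a font host that wants only its own (or its licensees') sites to
// link its fonts. The browser sends the requesting page's origin in the Origin
// request header; the host echoes it back only when it is on the allow list.
// Vary: Origin keeps shared caches from serving one origin's answer to another.
function fontServerHeaders(requestOrigin, allowedOrigins) {
  const headers = { 'Content-Type': 'font/woff' };
  if (allowedOrigins.includes(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Vary'] = 'Origin';
  }
  return headers;
}

// End-to-end: the page at pageUrl tries to load fontUrl from a host with the
// given allow list. Returns the browser's decision.
function simulateFontLoad(pageUrl, fontUrl, allowedOrigins) {
  const response = fontServerHeaders(originOf(pageUrl), allowedOrigins);
  return fontLoadAllowed(pageUrl, fontUrl, response);
}

// Constructed scenarios (sample domains, not real sites).
function runScenarios() {
  const licensed = ['https://magazine.example'];
  return {
    // The licensee's own pages get the font.
    licensee: simulateFontLoad('https://magazine.example/article',
      'https://fonts.example.net/serif.woff', licensed),
    // A freeloading site linking the same font URL is refused by the browser,
    // because the host never emits Access-Control-Allow-Origin for it.
    freeloader: simulateFontLoad('https://copycat.example/',
      'https://fonts.example.net/serif.woff', licensed),
    // A host serving Access-Control-Allow-Origin: * is usable from anywhere, which
    // is why the check gives no protection against a hostile font host.
    openHost: fontLoadAllowed('https://anysite.example/',
      'https://open-fonts.example/x.woff', { 'Access-Control-Allow-Origin': '*' }),
  };
}

for (const [name, result] of Object.entries(runScenarios())) {
  console.log(`${name}: ${result.allowed ? 'ALLOWED' : 'BLOCKED'} (${result.reason})`);
}
```

The decision rests entirely on headers the font host chooses to send, which is the property the mail relies on: the author of the served resource controls who may embed it, without inspecting a Referer that browsers may strip or users may suppress.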