
RE: About using CORS

From: Sylvain Galineau <sylvaing@microsoft.com>
Date: Tue, 4 May 2010 21:25:21 +0000
To: "robert@ocallahan.org" <robert@ocallahan.org>, "Levantovsky, Vladimir" <Vladimir.Levantovsky@monotypeimaging.com>
CC: Anne van Kesteren <annevk@opera.com>, "public-webfonts-wg@w3.org" <public-webfonts-wg@w3.org>, "www-font@w3.org" <www-font@w3.org>
Message-ID: <045A765940533D4CA4933A4A7E32597E21483A9B@TK5EX14MBXC120.redmond.corp.microsoft.com>
Yes, that is true of CORS in general. If the attacker can link to their own sites, they can do all kinds of things besides make you load font resources as well.

But that is also true wrt the first point in your original argument: http://lists.w3.org/Archives/Public/www-font/2009JulSep/0827.html

From: rocallahan@gmail.com [mailto:rocallahan@gmail.com] On Behalf Of Robert O'Callahan
Sent: Tuesday, May 04, 2010 1:30 PM
To: Levantovsky, Vladimir
Cc: Sylvain Galineau; Anne van Kesteren; public-webfonts-wg@w3.org; www-font@w3.org
Subject: Re: About using CORS

For what it's worth, I don't think this security argument holds much water. The attacker can always send Access-Control-Allow-Origin:* from their server to enable cross-site usage. The same-origin check may discourage authors from linking to other people's sites (which later get compromised or domain-stolen), thus providing some protection that way, but that's a very weak argument IMHO.

"He was pierced for our transgressions, he was crushed for our iniquities; the punishment that brought us peace was upon him, and by his wounds we are healed. We all, like sheep, have gone astray, each of us has turned to his own way; and the LORD has laid on him the iniquity of us all." [Isaiah 53:5-6]
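The check Robert is describing above, modelled as a small script. This is an added illustration for this thread, not browser or spec code: it applies the CORS origin check that a browser performs on a cross-origin @font-face load and runs it through the cases in the discussion. The Access-Control-Allow-Origin header name is the real one; the host names (victim.example, fonts.thirdparty.example, attacker.example) and the responses are constructed for the demo.

```javascript
// Model of the CORS check a browser applies to a cross-origin @font-face load.
// Added illustration for this thread; not browser or spec code. The header
// name is the real CORS one; the origins and responses below are constructed.

// Case-insensitive header lookup over a plain {name: value} object.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === wanted) return v;
  }
  return undefined;
}

// Decide whether a font fetched from fontUrl may be used by a document at
// documentUrl, given the response headers the font server sent back.
// Returns { allowed, reason } so the caller can see which branch fired.
function fontLoadAllowed(documentUrl, fontUrl, responseHeaders) {
  // URL.origin serializes scheme://host[:port] and drops default ports (RFC 6454).
  const docOrigin = new URL(documentUrl).origin;
  const fontOrigin = new URL(fontUrl).origin;

  // Same origin: no CORS involvement at all.
  if (docOrigin === fontOrigin) {
    return { allowed: true, reason: 'same-origin' };
  }

  const acao = getHeader(responseHeaders, 'Access-Control-Allow-Origin');
  if (acao === undefined) {
    return { allowed: false, reason: 'cross-origin and server sent no Access-Control-Allow-Origin' };
  }
  const value = acao.trim();
  // The wildcard opts every origin in. This is the "attacker can always send
  // Access-Control-Allow-Origin: *" case: the attacker controls the font server,
  // so the same-origin rule never stands between the page and attacker-served fonts.
  if (value === '*') {
    return { allowed: true, reason: 'server opted in with wildcard' };
  }
  // Otherwise the value must be exactly the requesting origin. A list such as
  // "https://a.example, https://b.example" is not valid CORS and fails to match.
  if (value === docOrigin) {
    return { allowed: true, reason: 'server listed this origin' };
  }
  return { allowed: false, reason: `Access-Control-Allow-Origin "${value}" does not match ${docOrigin}` };
}

// The situations discussed in the thread, as constructed inputs.
function scenarios() {
  const page = 'https://victim.example/article.html';  // constructed
  return {
    // Font hosted by the page's own site: allowed without any CORS header.
    ownFont: fontLoadAllowed(page, 'https://victim.example/fonts/body.woff', {}),
    // Third-party font host that never opted in: blocked by the origin check.
    thirdPartyNoOptIn: fontLoadAllowed(page, 'https://fonts.thirdparty.example/body.woff', {}),
    // Attacker's own server: the attacker simply sends the wildcard.
    attackerServer: fontLoadAllowed(page, 'https://attacker.example/evil.woff',
                                    { 'access-control-allow-origin': '*' }),
    // Legitimate host that opted in for exactly this origin.
    thirdPartyOptIn: fontLoadAllowed(page, 'https://fonts.thirdparty.example/body.woff',
                                     { 'Access-Control-Allow-Origin': 'https://victim.example' }),
  };
}

for (const [name, r] of Object.entries(scenarios())) {
  console.log(`${name}: ${r.allowed ? 'allowed' : 'blocked'} (${r.reason})`);
}
```

The attackerServer case is the one the argument turns on: the only party the origin check can stop is a host that did not opt in, and a host the attacker runs always opts in. What the check does buy is the weaker protection mentioned above, namely that a page cannot pull fonts from a third-party host that has not explicitly allowed it, so a later compromise of a host that never opted in cannot be used against pages that were never able to load from it.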
Received on Tuesday, 4 May 2010 21:25:59 UTC
