On Tue, May 4, 2010 at 3:57 PM, Jeffrey Veen <jeff@typekit.com> wrote: > On Tue, May 4, 2010 at 2:19 PM, Levantovsky, Vladimir > <Vladimir.Levantovsky@monotypeimaging.com> wrote: > >> It seems that same-origin restriction by default makes perfect sense for any resource, >> and while I lament that it wasn't implemented for other resources, I do not see any >> reason why it should not be in place for fonts and other resources going forward. > > Hasn't HTTP Referrer Checking been the solution to this thus far? As > far back as I can remember, people have been using it to avoid > hot-linking of images and other assets. Referer checking can help here, but it does have issues that lead it to getting filtered in the network in some cases. I refer you to Adam Barth's paper, "Robust Defenses for Cross-Site Request Forgery" [1], that led to the proposal for the Origin header (which is essentially what CORS is using). -- Dirk [1] http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdfReceived on Wednesday, 5 May 2010 16:28:51 UTC
This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:37:34 UTC