Re: What constitutes protection [was: About using CORS]

From: Dirk Pranke <dpranke@chromium.org>
Date: Wed, 5 May 2010 09:28:21 -0700
Message-ID: <t2t3726d1bf1005050928x66292f2dh3203a0df6251e3f7@mail.gmail.com>
To: Jeffrey Veen <jeff@typekit.com>
Cc: www-font@w3.org
On Tue, May 4, 2010 at 3:57 PM, Jeffrey Veen <jeff@typekit.com> wrote:
> On Tue, May 4, 2010 at 2:19 PM, Levantovsky, Vladimir
> <Vladimir.Levantovsky@monotypeimaging.com> wrote:
>
>> It seems that same-origin restriction by default makes perfect sense for any resource,
>> and while I lament that it wasn't implemented for other resources, I do not see any
>> reason why it should not be in place for fonts and other resources going forward.
>
> Hasn't HTTP Referrer Checking been the solution to this thus far? As
> far back as I can remember, people have been using it to avoid
> hot-linking of images and other assets.

Referer checking can help here, but it does have issues that lead to it getting filtered in the network in some cases. I refer you to Adam Barth's paper, "Robust Defenses for Cross-Site Request Forgery" [1], that led to the proposal for the Origin header (which is essentially what CORS is using).

-- Dirk

[1] http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf
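The point in the reply above is that a Referer-only check degrades when the header is stripped in transit, whereas the Origin header (what CORS sends) carries only scheme, host and port and so survives. The following is an added example, not code from the thread or from any of the participants: a server-side decision function for a font (or other asset) endpoint that prefers Origin, falls back to Referer, and makes the "header absent" case an explicit policy choice. The allow-list, header dictionaries and the `strict_referer` switch are constructed for illustration; the strict/lenient split for a missing Referer follows the validation policies discussed in the cited Barth paper.

```python
"""Origin/Referer check for a cross-site asset endpoint.

Added example, not from the original mailing-list thread.  Shows why a
Referer-only check is ambiguous when the header is filtered, and how an
Origin-based check (the header CORS sends) avoids that ambiguity.
"""
from urllib.parse import urlsplit

# Constructed allow-list of sites permitted to embed the asset.
ALLOWED_ORIGINS = {"https://example.com", "https://www.example.com"}


def origin_from_url(url):
    """Reduce a URL to its origin (scheme://host[:port]); None if malformed."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_request(headers, allowed=ALLOWED_ORIGINS, strict_referer=False):
    """Decide whether to serve a cross-site asset request.

    Returns (allow, basis) where basis is "origin", "referer" or "absent".

    - Origin is preferred: it is set by the browser, cannot be written by
      page script, and carries no path, so privacy tools rarely strip it.
    - Referer is the fallback.  If it is absent we cannot distinguish a
      legitimate embedding from a hot-link: strict_referer=True fails
      closed, strict_referer=False fails open (the lenient policy).
    """
    h = {k.lower(): v for k, v in headers.items()}

    origin = h.get("origin")
    if origin is not None:
        origin = origin.strip().lower()
        # Browsers send the literal "null" for opaque origins
        # (sandboxed frames, file://); treat it as not allowed.
        if origin == "null":
            return (False, "origin")
        return (origin in allowed, "origin")

    referer = h.get("referer")
    if referer:
        ref_origin = origin_from_url(referer)
        return (ref_origin is not None and ref_origin in allowed, "referer")

    # Neither header survived (proxy, privacy extension, downgrade).
    return (not strict_referer, "absent")


if __name__ == "__main__":
    # Constructed sample requests a font server might see.
    samples = [
        {"Origin": "https://example.com"},
        {"Referer": "https://www.example.com/page.html"},
        {"Referer": "https://other.example/steal.html"},
        {},  # Referer filtered somewhere in the network
    ]
    for hdrs in samples:
        print(hdrs, "->", check_request(hdrs), "strict:",
              check_request(hdrs, strict_referer=True))
```

Origin wins over Referer whenever both are present, so a forged or stale Referer cannot override a browser-supplied Origin. The "absent" branch is where the trade-off from the reply lives: lenient mode keeps serving users behind Referer-stripping proxies at the cost of letting hot-linkers through; strict mode does the reverse, which is why an Origin-based check is the better primary signal.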
Received on Wednesday, 5 May 2010 16:28:51 UTC