- From: Tab Atkins <tabatkins@google.com>
- Date: Mon, 20 Jun 2011 12:28:51 -0700
- To: Glenn Adams <glenn@skynav.com>
- Cc: John Hudson <tiro@tiro.com>, "Levantovsky, Vladimir" <Vladimir.Levantovsky@monotypeimaging.com>, Florian Rivoal <florianr@opera.com>, Martin J. Dürst <duerst@it.aoyama.ac.jp>, Jonathan Kew <jonathan@jfkew.plus.com>, "Tab Atkins Jr." <jackalmage@gmail.com>, W3C Style <www-style@w3.org>, 3668 FONT <public-webfonts-wg@w3.org>, www-font@w3.org
On Mon, Jun 20, 2011 at 12:17 PM, Glenn Adams <glenn@skynav.com> wrote:
> On Mon, Jun 20, 2011 at 1:06 PM, John Hudson <tiro@tiro.com> wrote:
>> Glenn wrote:
>>
>>> I believe we could agree to the first, but not to the second. In fact, we
>>> want to make the second to read as:
>>
>>> UAs MUST NOT, by default, treat webfont resources as
>>> same origin restricted.
>>
>>> In the absence of an author declaring either a restriction or a
>>> relaxation, we believe the default should be NO restriction.
>>
>> For all resources, or for webfonts in particular?
>>
>> May I echo Tab's question, and ask why? I'd like to get a clearer idea of
>> whether Samsung's position is essentially a matter of principle or has some
>> particular practical import for UAs.
>
> All. Because that is the way the Web works today.

The web currently allows embedding resources freely, while reading is same-origin restricted. As we repeatedly discover, though, the ability to embed almost always translates into the ability to read, because it's nearly impossible to prevent all manner of information leaks; web browsers are not secure against timing-channel attacks in general.

Robert O'Callahan, a senior Mozilla hacker, explains at length in <http://weblogs.mozillazine.org/roc/archives/2011/02/distinguishing.html> why this reading vs embedding distinction is generally a bad thing, and is pretty much just a result of legacy requirements. Back when browsers were first created, there was no way to "read" a resource, so freely embedding was fine. However, there's very little use-case for allowing embedding without reading, and thus, he argues, we should do away with this distinction for all resources in the future and just protect things with SOR by default.

~TJ

Received on Monday, 20 June 2011 19:29:27 UTC