RE: css3-fonts: should not dictate usage policy with respect to origin

Not being a dumb idealist is exactly what this is about. We can’t go back and do this for image resources and other features as it would break too much existing content. But we can and should be smart with new features; it would be silly to keep expanding the menu of attack vectors because we can’t fix them all.  The perfect should not be the enemy of the good, learning from the past etc.

As @font-face use was very limited on the internet and intranet, we can in fact treat it as a new feature in practice. SOR was a breaking change for us in IE9 and the impact of the change has been extremely limited.

From: Glenn Adams [mailto:glenn@skynav.com]
Sent: Thursday, June 30, 2011 4:06 PM
To: Sylvain Galineau
Cc: John Daggett; John Hudson; liam@w3.org; StyleBeyondthePunchedCard; public-webfonts-wg@w3.org; www-font@w3.org; Martin J.; Vladimir Levantovsky
Subject: Re: css3-fonts: should not dictate usage policy with respect to origin

sure, let's go ITU (or the U.N.) and get a universal mandate, then you may get what you want... in the meantime... business (access) as usual...

apparently we allow idealism to influence our thinking in different degrees; at 60+, i've moved on from the idealism of my 20s
On Thu, Jun 30, 2011 at 5:01 PM, Sylvain Galineau <sylvaing@microsoft.com> wrote:
“the scenario you offer only prevents access if *every* HTTP client, whether UA or not, respects SOR;”

Well, gee, doesn’t that sound like something worth standardizing on then ?


From: Glenn Adams [mailto:glenn@skynav.com]
Sent: Thursday, June 30, 2011 3:56 PM
To: John Daggett
Cc: John Hudson; liam@w3.org; StyleBeyondthePunchedCard; public-webfonts-wg@w3.org; www-font@w3.org; Martin J.; Sylvain Galineau; Vladimir Levantovsky
Subject: Re: css3-fonts: should not dictate usage policy with respect to origin

if EvilCompany does not include an Origin header in its request, then BigCompany could not distinguish that request as coming from a pre-HTML5 UA (i.e., current conditions), in which this case devolves to the current read scenario;

if BigCompany does not respond to fetches not containing an Origin, then again EvilCompany can guess an origin that permits access, resulting in a fetch;

EvilCompany does not need to use a UA, but can construct their own HTTP client to accomplish this;

the scenario you offer only prevents access if *every* HTTP client, whether UA or not, respects SOR;

On Thu, Jun 30, 2011 at 3:59 PM, John Daggett <jdaggett@mozilla.com> wrote:

Glenn Adams wrote:

> Regarding the last, please show me an attack based on font access that
> SOR prevents.

One possible attack scenario:

BigCompany decides to design a new logo.  They commission a font
containing a special glyph with that logo in it.  An access-restricted
site is created using that custom font.  EvilCompany, a competitor,
would like to know about that logo before it is released publicly.  They
insert script in web ads on popular sites that systematically attempt
to guess possible access-restricted URLs for the custom font.  An
employee of BigCompany hits one of the pages on an external site
containing one of EvilCompany's webads.

If no origin restriction exists, the web ad code can access the font as
long as they guess the right access-restricted URL and an
employee of BigCompany happens to have access.  The script inserted in a
webad by EvilCompany accesses the custom logo glyph and sends it back to
an EvilCompany-controlled site.

If font loads are restricted to same origin and the BigCompany hasn't
explicitly enabled cross-origin loading via CORS, the web ad code will
*never* be able to load the font even if their code guesses the right
access-restricted URL, since its origin is different.

The scenario is the same one as in the WebGL example I noted earlier,
without same origin restrictions content can be accessed via means
that are not immediately obvious to the naive author.

Regards,

John Daggett

Received on Thursday, 30 June 2011 23:15:32 UTC
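
Added example, not part of the thread: a sketch of the user-agent-side check John Daggett describes, where a font from another origin is usable only if the font server opts in via CORS. The host names and the `fontLoadAllowed` helper are hypothetical; the function models only the browser's decision and places no constraint on a custom HTTP client, which is the case Glenn Adams raises.

```javascript
// Added illustration, not code from the thread. Models the decision a
// browser makes before exposing a fetched font to the requesting page.

// Constructed sample URL (hypothetical host name).
const INTRANET_FONT = "https://intranet.bigcompany.example/fonts/logo.woff";

// Look up a response header case-insensitively; null when absent.
function header(headers, name) {
  const key = Object.keys(headers)
    .find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]).trim();
}

// Decide whether the page at documentUrl may use the font at fontUrl,
// given the response headers the font server returned.
function fontLoadAllowed(documentUrl, fontUrl, responseHeaders) {
  // URL.origin is scheme + host + port, with default ports normalized.
  const docOrigin = new URL(documentUrl).origin;
  const fontOrigin = new URL(fontUrl).origin;

  if (docOrigin === fontOrigin) {
    return { allowed: true, reason: "same-origin" };
  }
  const acao = header(responseHeaders, "Access-Control-Allow-Origin");
  if (acao === null) {
    // Default when the server has not opted in: the load is refused even
    // though the URL was correct and the response arrived.
    return { allowed: false, reason: "cross-origin, no CORS opt-in" };
  }
  if (acao === "*" || acao === docOrigin) {
    return { allowed: true, reason: "cross-origin, CORS opt-in" };
  }
  return { allowed: false, reason: "cross-origin, CORS origin mismatch" };
}
```
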