Re: css3-fonts: should not dictate usage policy with respect to origin

if this argument applies, then the same logic driving SOR on font fetches
should be used on every type of fetch, including images; if the W3C came out
and said "we are going to systematically transition our specs so that all
fetches require SOR" as a preventative measure against possible attacks,
then we probably wouldn't be having this conversation;

however, I have asked what is special about fonts that requires SOR that
does not apply to text/plain, image/png, application/xml, etc., and I have
not received an answer other than "we need a mechanism to enforce EULAs";

On Thu, Jun 30, 2011 at 4:38 PM, Tab Atkins <> wrote:

> On Thu, Jun 30, 2011 at 3:35 PM, Brad Kemper <>
> wrote:
> > If there is a corporate font or specialized dingbat font that is only
> loaded
> > and used when a person has signed into a secure site (for online banking,
> > let's say), then an attacker whose site is open in another window or tab
> can
> > find out about it using the method Tab described earlier. That is
> > information leakage that would allow the attacker to know when to attack.
> He
> > could, for instance, pop open a small window that says, "you are about to
> be
> > automatically signed out. Click OK to stay signed in." And then the OK
> > button would lead to a phishing site that looked just like the online
> > banking site, and a lot of users wouldn't realize it. That is a security
> > risk that has nothing to do with EULAs.
> In other words, betting that a particular filetype will never be used
> in malicious attacks is a good way to lose money.  ^_^
> ~TJ

Received on Thursday, 30 June 2011 23:02:05 UTC