Unlike image resources which are everywhere and can’t really be moved to an SOR without breaking content all over, web font usage remains very new (as compared to the spec’s history) and we have the opportunity to get it ‘right’ before the mass of available content is too large.
As one major browser that is particularly popular with web authors has always applied SOR on font requests and another major browser supports the same behavior, we are able to address this issue without ‘breaking the web’ as it is colloquially known. We unfortunately don’t have the option of doing so with other resource types. That should not, however, be a reason to keep extending the overall attack surface. But it certainly seems the right policy for new features. (Again, yes, @font-face is not new but active *usage* is relatively new).
From: Glenn Adams [mailto:glenn@skynav.com]
Sent: Thursday, June 30, 2011 4:01 PM
To: Tab Atkins
Cc: Brad Kemper; John Daggett; John Hudson; Vladimir Levantovsky; liam@w3.org; StyleBeyondthePunchedCard; public-webfonts-wg@w3.org; www-font@w3.org; Martin J.; Sylvain Galineau
Subject: Re: css3-fonts: should not dictate usage policy with respect to origin
if this argument applies, then the same logic driving SOR on font fetches should be used on every type of fetch, including images; if the W3C came out and said "we are going to systematically transition our specs so that all fetches require SOR" as a preventative measure against possible attacks, then we probably wouldn't be having this conversation;
however, I have asked what is special about fonts that requires SOR that does not apply to text/plain, image/png, application/xml, etc., and I have not received an answer other than "we need a mechanism to enforce EULAs";
On Thu, Jun 30, 2011 at 4:38 PM, Tab Atkins <tabatkins@google.com> wrote:
On Thu, Jun 30, 2011 at 3:35 PM, Brad Kemper <brad.kemper@gmail.com> wrote:
> If there is a corporate font or specialized dingbat font that is only loaded
> and used when a person has signed into a secure site (for online banking,
> let's say), then an attacker whose site is open in another window or tab can
> find out about it using the method Tab described earlier. That is
> information leakage that would allow the attacker to know when to attack. He
> could, for instance, pop open a small window that says, "you are about to be
> automatically signed out. Click OK to stay signed in." And then the OK
> button would lead to a phishing site that looked just like the online
> banking site, and a lot of users wouldn't realize it. That is a security
> risk that has nothing to do with EULAs.
In other words, betting that a particular filetype will never be used
in malicious attacks is a good way to lose money. ^_^
~TJ
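As an added example, not code from this thread or from any browser or spec, the following Python models the policy being argued over: the browser-side same-origin restriction on @font-face fetches, and the server-side CORS grant that either withholds a font from a cross-origin page (so the scenario in Brad's message gets nothing to observe) or, with the permissive `*` setting, hands it to anyone. Origins, paths and function names are constructed for the illustration.

```python
# Added example (not from the thread): a small model of a same-origin
# restriction (SOR) on @font-face fetches, with the server side expressed
# as CORS headers. All origins and paths below are constructed.
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Return the scheme://host[:port] origin of a URL, lower-cased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def font_response_headers(request_origin: str, allowed_origins: set,
                          permissive: bool = False) -> dict:
    """Server side: headers a font endpoint attaches to its response.

    permissive=True reproduces the weak setting (ACAO: *), which grants the
    font to any page and re-opens the cross-site leak described above.
    """
    if permissive:
        return {"Access-Control-Allow-Origin": "*"}
    if request_origin in allowed_origins:
        # Echo only the approved origin; Vary stops caches reusing the grant.
        return {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}
    return {}  # a cross-origin caller gets no CORS grant at all


def font_fetch_allowed(document_origin: str, font_url: str,
                       response_headers: dict) -> bool:
    """Browser side: may this document use the font it just fetched?

    Same-origin fonts always load. Cross-origin fonts load only when the
    server explicitly granted this document's origin (or *) via CORS.
    """
    if origin_of(font_url) == document_origin:
        return True
    acao = response_headers.get("Access-Control-Allow-Origin")
    return acao in ("*", document_origin)


def simulate(document_origin: str, font_url: str,
             permissive: bool = False) -> bool:
    """One request/response round trip for a font hosted on its own site.

    The font server only ever approves its own origin; under the restrictive
    setting every other page is refused, under the permissive one nobody is.
    """
    own_origin = origin_of(font_url)
    headers = font_response_headers(document_origin, {own_origin}, permissive)
    return font_fetch_allowed(document_origin, font_url, headers)
```

Under the restrictive setting a third-party page is refused the bank's font outright, so whether that font is currently in use by the signed-in user is not something its page can observe.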