- From: Noah Mendelsohn <nrm@arcanedomain.com>
- Date: Tue, 01 Mar 2011 13:19:57 -0500
- To: "www-tag@w3.org" <www-tag@w3.org>

This may be of interest to www-tag.

Noah

-------- Original Message --------
Subject: fyi: Cross-Origin Resource Embedding Restrictions
Resent-Date: Tue, 01 Mar 2011 17:38:42 +0000
Resent-From: public-web-security@w3.org
Date: Tue, 01 Mar 2011 09:36:11 -0800
From: =JeffH <Jeff.Hodges@KingsMountain.com>
To: W3C Web Security Interest Group <public-web-security@w3.org>

fyi, of possible interest... thread rooted here..

http://lists.w3.org/Archives/Public/public-webapps/2011JanMar/0710.html

[probably best to keep discussion of this specific thing on public-webapps@ for now]

Subject: Cross-Origin Resource Embedding Restrictions
From: "Anne van Kesteren" <annevk@opera.com>
Date: Tue, 01 Mar 2011 08:35:33 +0100
To: "WebApps WG" <public-webapps@w3.org>

Hi,

The WebFonts WG is looking for a way to prevent cross-origin embedding of fonts as certain font vendors want to license their fonts with such a restriction. Some people think CORS is appropriate for this, some don't. Here is some background material:

http://weblogs.mozillazine.org/roc/archives/2011/02/distinguishing.html
http://annevankesteren.nl/2011/02/web-platform-consistency
http://lists.w3.org/Archives/Public/public-webfonts-wg/2011Feb/0066.html

More generally, having a way to prevent cross-origin embedding of resources can be useful. In addition to license enforcement it can help with:

* Bandwidth "theft"
* Clickjacking
* Privacy leakage

To that effect I wrote up a draft that complements CORS. Rather than enabling sharing of resources, it allows for denying the sharing of resources:

http://dvcs.w3.org/hg/from-origin/raw-file/tip/Overview.html

And although it might end up being part of the Content Security Policy work, I think it would be useful if we publish a Working Draft of this work to gather more input, committing us to nothing.

What do you think?

Kind regards,

--
Anne van Kesteren
http://annevankesteren.nl/

Received on Tuesday, 1 March 2011 18:20:28 UTC