- From: Jonathan Rees <jar@creativecommons.org>
- Date: Tue, 1 Mar 2011 14:06:23 -0500
- To: Noah Mendelsohn <nrm@arcanedomain.com>
- Cc: "www-tag@w3.org" <www-tag@w3.org>

Interesting. Until now the browser has been a user-agent, acting on the user's behalf. This is true even when CORS is added. If I understand it correctly, this proposal enlists the browser as a server-agent as well, rather like DRM.

Jonathan

On Tue, Mar 1, 2011 at 1:19 PM, Noah Mendelsohn <nrm@arcanedomain.com> wrote:
> This may be of interest to www-tag.
>
> Noah
>
> -------- Original Message --------
> Subject: fyi: Cross-Origin Resource Embedding Restrictions
> Resent-Date: Tue, 01 Mar 2011 17:38:42 +0000
> Resent-From: public-web-security@w3.org
> Date: Tue, 01 Mar 2011 09:36:11 -0800
> From: =JeffH <Jeff.Hodges@KingsMountain.com>
> To: W3C Web Security Interest Group <public-web-security@w3.org>
>
> fyi, of possible interest...
>
> thread rooted here..
>
> http://lists.w3.org/Archives/Public/public-webapps/2011JanMar/0710.html
>
> [probably best to keep discussion of this specific thing on public-webapps@ for now]
>
> Subject: Cross-Origin Resource Embedding Restrictions
> From: "Anne van Kesteren" <annevk@opera.com>
> Date: Tue, 01 Mar 2011 08:35:33 +0100
> To: "WebApps WG" <public-webapps@w3.org>
>
> Hi,
>
> The WebFonts WG is looking for a way to prevent cross-origin embedding of
> fonts as certain font vendors want to license their fonts with such a
> restriction. Some people think CORS is appropriate for this, some don't.
> Here is some background material:
>
> http://weblogs.mozillazine.org/roc/archives/2011/02/distinguishing.html
> http://annevankesteren.nl/2011/02/web-platform-consistency
> http://lists.w3.org/Archives/Public/public-webfonts-wg/2011Feb/0066.html
>
> More generally, having a way to prevent cross-origin embedding of
> resources can be useful. In addition to license enforcement it can help
> with:
>
> * Bandwidth "theft"
> * Clickjacking
> * Privacy leakage
>
> To that effect I wrote up a draft that complements CORS. Rather than
> enabling sharing of resources, it allows for denying the sharing of
> resources:
>
> http://dvcs.w3.org/hg/from-origin/raw-file/tip/Overview.html
>
> And although it might end up being part of the Content Security Policy
> work I think it would be useful if we publish a Working Draft of this work to
> gather more input, committing us to nothing.
>
> What do you think?
>
> Kind regards,
>
> --
> Anne van Kesteren
> http://annevankesteren.nl/

Received on Tuesday, 1 March 2011 19:06:56 UTC