Re: fyi: Cross-Origin Resource Embedding Restrictions from Jonathan Rees on 2011-03-01 (www-tag@w3.org from March 2011)

From: Jonathan Rees <jar@creativecommons.org>
Date: Tue, 1 Mar 2011 14:06:23 -0500
To: Noah Mendelsohn <nrm@arcanedomain.com>
Cc: "www-tag@w3.org" <www-tag@w3.org>
Message-ID: <AANLkTima=zOCb8Y95aPdUaeZSJk+nVzF5YLdjZt9jW0v@mail.gmail.com>

Interesting.  Until now the browser has been a user-agent, acting on
the user's behalf. This is true even when CORS is added. If I
understand it correctly, this proposal enlists the browser as a
server-agent as well, rather like DRM.

Jonathan

On Tue, Mar 1, 2011 at 1:19 PM, Noah Mendelsohn <nrm@arcanedomain.com> wrote:
> This may be of interest to www-tag.
>
> Noah
>
> -------- Original Message --------
> Subject: fyi: Cross-Origin Resource Embedding Restrictions
> Resent-Date: Tue, 01 Mar 2011 17:38:42 +0000
> Resent-From: public-web-security@w3.org
> Date: Tue, 01 Mar 2011 09:36:11 -0800
> From: =JeffH <Jeff.Hodges@KingsMountain.com>
> To: W3C Web Security Interest Group <public-web-security@w3.org>
>
> fyi, of possible interest...
>
> thread rooted here..
>
> http://lists.w3.org/Archives/Public/public-webapps/2011JanMar/0710.html
>
> [probably best to keep discussion of this specific thing on public-webapps@
> for
> now]
>
> Subject: Cross-Origin Resource Embedding Restrictions
> From: "Anne van Kesteren" <annevk@opera.com>
> Date: Tue, 01 Mar 2011 08:35:33 +0100
> To: "WebApps WG" <public-webapps@w3.org>
>
> Hi,
>
> The WebFonts WG is looking for a way to prevent cross-origin embedding of
> fonts as certain font vendors want to license their fonts with such a
> restriction. Some people think CORS is appropriate for this, some don't.
> Here is some background material:
>
> http://weblogs.mozillazine.org/roc/archives/2011/02/distinguishing.html
> http://annevankesteren.nl/2011/02/web-platform-consistency
> http://lists.w3.org/Archives/Public/public-webfonts-wg/2011Feb/0066.html
>
>
> More generally, having a way to prevent cross-origin embedding of
> resources can be useful. In addition to license enforcement it can help
> with:
>
>  * Bandwidth "theft"
>  * Clickjacking
>  * Privacy leakage
>
> To that effect I wrote up a draft that complements CORS. Rather than
> enabling sharing of resources, it allows for denying the sharing of
> resources:
>
> http://dvcs.w3.org/hg/from-origin/raw-file/tip/Overview.html
>
> And although it might end up being part of the Content Security Policy
> work I think it would be useful if publish a Working Draft of this work to
> gather more input, committing us nothing.
>
> What do you think?
>
> Kind regards,
>
>
> --
> Anne van Kesteren
> http://annevankesteren.nl/
>
>
>
>

Received on Tuesday, 1 March 2011 19:06:56 UTC