Re: fyi: Cross-Origin Resource Embedding Restrictions

Interesting, and strange - it's the complete opposite approach to CORS, 
which blocks by default. I'm not sure I understand why they take 
different approaches (other than the fact they can't suddenly turn off 
embedded resources for the web - well, unless they're embedded via a line 
of js rather than a line of html); surely the security concerns are the 
same in both cases.

Regardless, why the browsers don't just send an origin / script-id and 
allow servers to decide is beyond me; there's no point blinkering only one 
class of user agent such that security depends on only that class of 
agents being used.

best,

nathan

Jonathan Rees wrote:
> Interesting.  Until now the browser has been a user-agent, acting on
> the user's behalf. This is true even when CORS is added. If I
> understand it correctly, this proposal enlists the browser as a
> server-agent as well, rather like DRM.
> 
> Jonathan
> 
> On Tue, Mar 1, 2011 at 1:19 PM, Noah Mendelsohn <nrm@arcanedomain.com> wrote:
>> This may be of interest to www-tag.
>>
>> Noah
>>
>> -------- Original Message --------
>> Subject: fyi: Cross-Origin Resource Embedding Restrictions
>> Resent-Date: Tue, 01 Mar 2011 17:38:42 +0000
>> Resent-From: public-web-security@w3.org
>> Date: Tue, 01 Mar 2011 09:36:11 -0800
>> From: =JeffH <Jeff.Hodges@KingsMountain.com>
>> To: W3C Web Security Interest Group <public-web-security@w3.org>
>>
>> fyi, of possible interest...
>>
>> thread rooted here..
>>
>> http://lists.w3.org/Archives/Public/public-webapps/2011JanMar/0710.html
>>
>> [probably best to keep discussion of this specific thing on public-webapps@
>> for
>> now]
>>
>> Subject: Cross-Origin Resource Embedding Restrictions
>> From: "Anne van Kesteren" <annevk@opera.com>
>> Date: Tue, 01 Mar 2011 08:35:33 +0100
>> To: "WebApps WG" <public-webapps@w3.org>
>>
>> Hi,
>>
>> The WebFonts WG is looking for a way to prevent cross-origin embedding of
>> fonts as certain font vendors want to license their fonts with such a
>> restriction. Some people think CORS is appropriate for this, some don't.
>> Here is some background material:
>>
>> http://weblogs.mozillazine.org/roc/archives/2011/02/distinguishing.html
>> http://annevankesteren.nl/2011/02/web-platform-consistency
>> http://lists.w3.org/Archives/Public/public-webfonts-wg/2011Feb/0066.html
>>
>>
>> More generally, having a way to prevent cross-origin embedding of
>> resources can be useful. In addition to license enforcement it can help
>> with:
>>
>>  * Bandwidth "theft"
>>  * Clickjacking
>>  * Privacy leakage
>>
>> To that effect I wrote up a draft that complements CORS. Rather than
>> enabling sharing of resources, it allows for denying the sharing of
>> resources:
>>
>> http://dvcs.w3.org/hg/from-origin/raw-file/tip/Overview.html
>>
>> And although it might end up being part of the Content Security Policy
>> work, I think it would be useful if we publish a Working Draft of this work
>> to gather more input, committing us to nothing.
>>
>> What do you think?
>>
>> Kind regards,
>>
>>
>> --
>> Anne van Kesteren
>> http://annevankesteren.nl/

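The alternative sketched in the reply above, a user agent sending an origin and the server deciding whether to serve the embed, as an added example that is not part of this thread or of the From-Origin draft: a small JavaScript decision function over request headers. The policy object, the origins and the sample headers are constructed for illustration; the only real identifiers used are the Origin and Referer request headers. The case a practitioner has to settle is the embedding request that carries no Origin header at all, so that branch is an explicit policy choice in the code rather than an accident.

```javascript
// Added example, not code from the thread: server-side "let the server
// decide" check for cross-origin embedding of a resource such as a font.
// Policy shape, origins and sample headers are constructed for this example.
const EMBED_POLICY = {
  resourceOrigin: "https://fonts.example",                 // constructed
  allowedOrigins: new Set(["https://fonts.example",        // constructed
                           "https://partner.example"]),
  // Behaviour when the user agent sends no Origin (and no usable Referer).
  // Plain <link>/<img>/@font-face fetches may carry no Origin header, so this
  // setting decides whether the policy applies to them at all.
  onMissingOrigin: "deny",                                 // "deny" | "allow"
};

// Reduce a URL or serialized origin to scheme://host[:port]; null if unparsable.
function toOrigin(value) {
  try {
    const u = new URL(value);
    return `${u.protocol}//${u.host}`;
  } catch {
    return null;
  }
}

// Decide whether to serve the resource to the request described by `headers`.
// Returns { allow: boolean, reason: string }.
function decideEmbedding(headers, policy = EMBED_POLICY) {
  // Header names are case-insensitive; normalise once.
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));

  // "Origin: null" is what opaque origins (sandboxed frames, some redirects)
  // send. Treat it as cross-origin from an unknown party and refuse.
  if (h.origin === "null") {
    return { allow: false, reason: "opaque (null) origin" };
  }

  let origin = h.origin ? toOrigin(h.origin) : null;
  // Referer is a weaker signal (often stripped or truncated); use it only
  // when Origin is absent.
  if (!origin && h.referer) origin = toOrigin(h.referer);

  if (!origin) {
    return {
      allow: policy.onMissingOrigin === "allow",
      reason: "no origin information on request",
    };
  }
  if (origin === policy.resourceOrigin) {
    return { allow: true, reason: "same-origin request" };
  }
  if (policy.allowedOrigins.has(origin)) {
    return { allow: true, reason: "origin on embed allow list" };
  }
  return { allow: false, reason: `cross-origin embed from ${origin} denied` };
}

// Turn the decision into response metadata. The CORS allow header is only
// emitted for requests that were actually allowed.
function buildResponse(headers, policy = EMBED_POLICY) {
  const decision = decideEmbedding(headers, policy);
  if (!decision.allow) {
    return { status: 403, headers: { Vary: "Origin" }, reason: decision.reason };
  }
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const respHeaders = { Vary: "Origin" };
  if (h.origin) respHeaders["Access-Control-Allow-Origin"] = toOrigin(h.origin);
  return { status: 200, headers: respHeaders, reason: decision.reason };
}

// Constructed sample requests showing each branch.
const SAMPLES = [
  { Origin: "https://partner.example" },              // on the allow list
  { Origin: "https://hotlinker.example" },            // bandwidth "theft" case
  { Referer: "https://fonts.example/page.html" },     // no Origin, same site
  { Origin: "null" },                                 // opaque origin
  {},                                                 // nothing to go on
];
for (const s of SAMPLES) console.log(JSON.stringify(s), "->", buildResponse(s));
```

The Vary: Origin header is set on every response so a shared cache does not hand an allowed copy to a denied origin; that, and the explicit handling of a missing Origin, are the two details a deployment of this approach tends to get wrong.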
Received on Tuesday, 1 March 2011 19:52:33 UTC