Re: fyi: Cross-Origin Resource Embedding Restrictions

On Tue, Mar 1, 2011 at 10:53 PM, Chris Lilley <> wrote:
> On Tuesday, March 1, 2011, 8:06:23 PM, Jonathan wrote:
> JR> Interesting.  Until now the browser has been a user-agent, acting on
> JR> the user's behalf. This is true even when CORS is added. If I
> JR> understand it correctly, this proposal enlists the browser as a
> JR> server-agent as well, rather like DRM.
> No, it is explicitly not "like DRM".

Sorry, I was just making a technical comparison, not implying a value
judgment; and I didn't mean "exactly like", I meant "sort of like".

> It's unfortunate that Anne chose to associate this with "license enforcement" (see quote below). WOFF has explicitly avoided any suggestion of "enforcement".
> Instead it provides information, such as details of the license.

Yes, this makes perfect sense to me. For example, if I were an artist
making collages using images found on the web, I might choose a
license-aware user-agent over one that's not, since it would save me
the trouble of checking whether use of each image was licensed in each
case, and thus speed up my work. The behavior I'd want would be, say,
if I pasted an image into a document, it would compare the
characteristics of the document (intended future publication and
licensing regime) to the license for each image, and put up a warning
box for a mismatch, allowing me to dismiss the warning in cases that
might be allowed but that the software is not smart enough to (or
couldn't possibly) discriminate, such as fair use.

This is very similar to the font scenario, as you describe it.
Creative Commons has been developing its own approach to the same

But this feature should not be called 'restriction' or 'enforcement',
it would be called 'compliance assistance' or 'license checking' and
would be framed clearly as a user benefit. I think it's important to
put the right spin on it, either by retaining the user-agent as
working on behalf of the user, or by giving up on that and
articulating exactly who is being served by a piece of software being
written in a particular way (again, no value judgment).

> If someone is using a font outside its license, or for which they do not have a license but should, that is entirely the domain of the legal system between the font producer and the person using it. The user agent is not required to act on behalf of the legal system.
> However, many licenses for webfonts require that a font licensed for a particular website be restricted to use on that site, on a reasonable-effort rather than cast-iron-guarantee sense. From-Origin provides a way to announce that intent.
> It is neither prevention nor enforcement, however. wget foo.woff will still fetch it.

Right. I suppose it's all relative. If user-agent A allowed me to
fetch an image, and user-agent B prevented me, and there were no law
or contract legally preventing the fetch, I as user would naively say
user-agent B is preventing me from looking at the image. Why then
would I choose user-agent B over user-agent A?  Am I just a good
person who altruistically wants to lower servers' ISP bills? Maybe, I
don't know. Even if this were a good idea, I would expect it to fail
because someone using browser A would in the long run have a competitive
advantage over someone using browser B.

(I think this repeats what Noah said.)

I'm not saying I *want* to be able to launch DoS attacks, and I
certainly don't want to do so accidentally, but how does managing
bandwidth become the user's responsibility (or even the browser
vendor's) rather than ... well, someone else's?

Please don't read this as hostile; I'm just exploring.

(BTW I followed up to www-tag instead of webapps intentionally both to
reach the people I wanted to engage with (other TAG members) and
because I think the kinds of discussions we tend to have on www-tag
are not necessarily ones that a WG needs to suffer through.)


>>> From: "Anne van Kesteren" <>
>>> Date: Tue, 01 Mar 2011 08:35:33 +0100
>>> To: "WebApps WG" <>
>>> More generally, having a way to prevent cross-origin embedding of
>>> resources can be useful. In addition to license enforcement it can help
>>> with:
> --
>  Chris Lilley   Technical Director, Interaction Domain
>  W3C Graphics Activity Lead, Fonts Activity Lead
>  Co-Chair, W3C Hypertext CG
>  Member, CSS, WebFonts, SVG Working Groups

Received on Wednesday, 2 March 2011 14:41:43 UTC
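A small model of the distinction Chris draws above (From-Origin announces an embedding intent that a user agent may honour, while wget still fetches the bytes), added here as an illustration; it is not code from this thread or from the W3C draft. The header values 'same', 'same-site' and an explicit origin are assumed from the public From-Origin draft, the site comparison is a deliberate simplification, and the sample response is constructed.

```python
"""Constructed model of a From-Origin check.

Assumptions (not taken from the thread): the header carries 'same',
'same-site' or one or more explicit origins, as in the public draft.
"""
from typing import Optional
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Return scheme://host[:port] of a URL, lower-cased."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme.lower()}://{p.hostname.lower()}{port}"


def site_of(origin: str) -> str:
    """Crude registrable-domain approximation: the last two host labels.
    Assumption: a real implementation would consult the Public Suffix List."""
    host = urlsplit(origin).hostname
    return ".".join(host.split(".")[-2:])


def embedding_allowed(from_origin: Optional[str], resource_url: str, document_url: str) -> bool:
    """Decide whether a From-Origin-aware user agent embeds resource_url
    into a document served from document_url."""
    if from_origin is None:
        return True  # no intent announced: behave as browsers do today
    res, doc = origin_of(resource_url), origin_of(document_url)
    for token in from_origin.split():
        if token == "same" and res == doc:
            return True
        if token == "same-site" and site_of(res) == site_of(doc):
            return True
        if token.startswith(("http://", "https://")) and origin_of(token) == doc:
            return True
    return False


# Constructed sample response: a webfont whose licensee is example.com.
SAMPLE_RESPONSE = {
    "status": 200,
    "headers": {"Content-Type": "application/font-woff", "From-Origin": "same-site"},
    "body": b"wOFF...constructed bytes...",
}


def browser_fetch(response: dict, resource_url: str, document_url: str) -> Optional[bytes]:
    """A From-Origin-aware browser: the fetch succeeds on the wire, but the
    resource is withheld from the document when the announced intent is not met."""
    header = response["headers"].get("From-Origin")
    if not embedding_allowed(header, resource_url, document_url):
        return None
    return response["body"]


def wget_fetch(response: dict, resource_url: str) -> bytes:
    """A plain client: the header is information only, so the bytes come back as-is."""
    return response["body"]


if __name__ == "__main__":
    font = "https://cdn.example.com/foo.woff"
    print(browser_fetch(SAMPLE_RESPONSE, font, "https://www.example.com/page"))  # bytes
    print(browser_fetch(SAMPLE_RESPONSE, font, "https://other.org/page"))        # None
    print(wget_fetch(SAMPLE_RESPONSE, font))                                    # bytes
```

The point of the two fetch functions is the one made in the thread: nothing in the header stops retrieval, it only lets a cooperating user agent decline to embed.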