On Sat, Apr 13, 2013 at 10:19 PM, Eric Seidel <ese...@chromium.org> wrote:
> After reading the WebKit thread, I feel that I don't have context to
> advise this decision well enough, and would retract my former LGTM.
>
> The argument that we're the odd-man-out is a strong one. But it's not
> clear to me what is/isn't restricted by CORS and if WebFonts is just
> the odd man out here. I clearly need to learn more about CORS.
>
> I'll do some more research.
You want to also read some context from Roc
<http://robert.ocallahan.org/2011/02/distinguishing-versus-web-resources_02.html>,
where he argues that SOR is all about wiping out the distinction
between "embedding" versus "viewing", because in practice there *is*
no distinction - anything that can be embedded can eventually be read.
We have a lot of legacy types that we can't SOR. We *tried* with
<video>/<audio>, but barely missed the timing boat, with not quite
enough people recognizing the value in time (and I suspect that
WebKit's mild hostility to it from some Apple engineers didn't help).
But the ideal is, from now on, you *always* SOR by default when you
introduce a new type of linking. It's just the right thing to do,
because it lets us avoid having to care about a whole annoying class
of security issues.
For example, you've hopefully heard about the timing-channel attacks
that mean merely tainting a canvas with a cross-origin image painted
into it isn't enough. You can do the same thing with fonts, and
actually recover pixelated outlines in a reasonable amount of time.
(I've seen it live - you can hit a 10x10 grid fairly instantaneously.)
If cross-origin fonts are SOR, and have to be freed up explicitly
with CORS, though, then everything's fine!
This should be the new reality. Old media types distinguish between
"reading" and "embedding", with only the latter allowed for
cross-origin things. But in reality, there's only "reading" and
"reading, with somewhat more difficulty", and we, the browser
developers, have to work very hard to keep that "somewhat more" as
high as possible. If we just wipe out the category altogether, and
block cross-origin from being used at all, we get to avoid a lot of
annoying effort that's ultimately futile anyway.
~TJ