Re: Cross-Origin Resource Embedding Restrictions

2011-03-01 Thread Daniel Veditz
On 3/1/11 12:26 AM, Adam Barth wrote:
> From-Origin is closely related to one of the proposed CSP features, namely frame-ancestors, which also controls how the given resource can be embedded in other documents:

Also similar to X-Frame-Options; I'd hate to end up with all three mechanisms. I'd

Re: Cross-Origin Resource Embedding Restrictions

2011-03-01 Thread Nathan
Glenn Maynard wrote:
> On Tue, Mar 1, 2011 at 3:33 PM, Nathan wrote:
>> (rather than controlled only "by user agents which choose to follow the specs" offering an artificial screen).
>
> If user agents deliberately ignore the specs to allow embedding where authors don't want it to, they can do it wit

Re: Cross-Origin Resource Embedding Restrictions

2011-03-01 Thread Glenn Maynard
On Tue, Mar 1, 2011 at 3:33 PM, Nathan wrote:
> (rather than controlled only "by user agents which choose to follow the specs" offering an artificial screen).

If user agents deliberately ignore the specs to allow embedding where authors don't want it to, they can do it with any model--Refere

Re: Cross-Origin Resource Embedding Restrictions

2011-03-01 Thread Nathan
Anne van Kesteren wrote: http://dvcs.w3.org/hg/from-origin/raw-file/tip/Overview.html And although it might end up being part of the Content Security Policy work I think it would be useful if we publish a Working Draft of this work to gather more input, committing us to nothing. What do you think?

Re: Cross-Origin Resource Embedding Restrictions

2011-03-01 Thread =JeffH
Adam wrote:
> There's been a bunch of discussion on the public-web-security mailing list about the scope of CSP. Some folks think that CSP should be a narrow feature targeted at mitigating cross-site scripting. Other folks (e.g., as articulated in

Re: Cross-Origin Resource Embedding Restrictions

2011-03-01 Thread Brandon Sterne
I do think Content Security Policy offers a good opportunity to address the use cases Anne brought up. CSP already has a directive, frame-ancestors, that restricts the context in which a resource can be embedded as a , or to a list of origins. Perhaps we should expand the scope of the directive

Re: Cross-Origin Resource Embedding Restrictions

2011-03-01 Thread Adam Barth
+dveditz and +bsterne because they have strong opinions about CSP.

Adam

On Tue, Mar 1, 2011 at 12:26 AM, Adam Barth wrote:
> On Mon, Feb 28, 2011 at 11:57 PM, Maciej Stachowiak wrote:
>> For what it's worth, I think this is a useful draft and a useful technology. Hotlinking prevention is o

Re: Cross-Origin Resource Embedding Restrictions

2011-03-01 Thread Adam Barth
On Mon, Feb 28, 2011 at 11:57 PM, Maciej Stachowiak wrote:
> For what it's worth, I think this is a useful draft and a useful technology. Hotlinking prevention is of considerable interest to Web developers, and doing it via server-side Referer checks is inconvenient and error-prone. I hop

Re: Cross-Origin Resource Embedding Restrictions

2011-02-28 Thread Maciej Stachowiak
For what it's worth, I think this is a useful draft and a useful technology. Hotlinking prevention is of considerable interest to Web developers, and doing it via server-side Referer checks is inconvenient and error-prone. I hope we can fit it into Web Apps WG, or if not, find another good home

Cross-Origin Resource Embedding Restrictions

2011-02-28 Thread Anne van Kesteren
Hi, The WebFonts WG is looking for a way to prevent cross-origin embedding of fonts as certain font vendors want to license their fonts with such a restriction. Some people think CORS is appropriate for this, some don't. Here is some background material: http://weblogs.mozillazine.org/roc